Simulated Hack To Test US Government Response

superapecommando writes "Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets. The Bipartisan Policy Center, a Washington-based non-profit established in 2007 by several lawmakers, will host a simulated nation-wide cyber-attack next Tuesday for a group of former administration and national security officials, who will be playing the roles of Cabinet members."

Use it as cover!

[Anonymous Coward]

So when a real hack happens at the same time, we don't react?

Re:Use it as cover!

[poetmatt]

not only that, but knowing a hack is coming is not exactly realistic.

I'm sure the results will say "we're well prepared for a hack" even though reality proves otherwise.

Re:

[interactive_civilian]

not only that, but knowing a hack is coming is not exactly realistic.

Indeed. They should launch the simulation without warning on Sunday or Monday and see how prepared they really are. ;)

Re:Use it as cover!

[HungryHobo]

From reading TFA I'm fairly sure no pen-testing will be involved.
By the look of it it's going to be a beurocratic drill rather than a technical one.
No actuall hacking, just a load of suits in a room being given fictional reports of the progress of the "cyber attack" against them.
They pretend to know anything at all about it, they make fictional descisions and then some consultants go over it all afterwards with them and try to guess which chocies wouldn't have been good ones had it been a real situation.

Re:

[srpape]

Sounds about right. I picture a guy running into a room of suits yelling "The internet is DOWN!!" and everyone panics.

Re:Use it as cover!

[SeekerDarksteel]

"The internet is DOWN!!"

Which one? [penny-arcade.com]

Re:

[jandoedel]

The IT Crowd - This is the internet http://www.youtube.com/watch?v=iRmxXp62O8g [youtube.com]

Re:

[brasscount]

Sounds like a policy brainstorm to me.

When you don't know what to do put a bunch of people in a aroom that might be responsible, come up with a scenario, and ask the question, "Who does what?"

Re:

[david_thornley]

7:30 AM on a Sunday would be a good time. It should be followed, after a few hours, by a statement from the crackers that they're considering an attack. Keep with tradition here.

Neither the attack nor the response is realistic

[BhaKi]

I'm sure the "attack" will be successful enough to give credibility to all the recent hacking-related stories. And the "response" will be successful enough to justify future funding for "Cyber Control Force", "Strategic CyberWar command", etc.

Re:

[aaptel]

Shall we play a game?

Re:

[BhaKi]

Love to. How about Global Hacker War?

Re:Use it as cover!

[Lumpy]

yes and no.

I did a simulated data disaster at Comcast a decade ago. but I informed only one important key person that I was going to cause a very real data loss event in the billing system. I would back thing up myself, but the backups that IT were running I would silently fail for a WEEK before the event.

at the event horizon I deleted the SQL database, the SQL team yawned and went to restore the database.... Oh crap nothing to restore but week old backups....

They shit themselves and we let them panick for a good hour before we walked in and asked...

What do you mean? you check your backups of critical data daily dont you? how about vertifying the validity of those backups? when was the last time you did a test restore on a backup server to make sure it was right?

I knew they were not backing it up or testing, I used that to my advantage to scare the hell out of them in hopes of getting what I have been telling them for a year through their skulls.

It also proved my point to the IT director that his "teams" were NOT ready for this.

I'll bet you $1000.00 they STILL dont test the backups, and rarely check to see if they are running.

Re:

[sh00z]

Thanks, Dwight [wikipedia.org]

Re:

[Finite9]

wow. cool test! Working as an Oracle DBA managing thousands of instances, I know that even if our level 0 backups exist, all it takes is one missing archive log backup to freak us all out if we have to do a restore. We log all backups and monitor all backup logs for errors, and create incident reports automatically if we get an error. I think we have a pretty good system, but it's never going to be fool proof. One thing we don't currently do is validate the backups on the VTL. Even if the team you tes

Re:

[Lumpy]

Nope I DISABLED their backup by changing what it backed up. they NEVER CHECKED IT. which is the problem.

If you dont audit your backup systems regularly then you fail. If it's critical data like Accounting, then it's audited WEEKLY or even more frequent. In Fact it's a Sarbanes Oxley requirement, they were putting down that they were checking, (Even looking at the backup size would have tipped them off) when they were not.

I would have failed if they were doing their job. They were not and that is what I w

Re:

[hesaigo999ca]

I agree, also the fact is, they would have to duplicate exactly the variables included in the study that would HAVE been from the cabinet ministers websites, compared to what they set up on their own to mimic.
Sometimes being behind NSA run firewalls, mkaes a difference compared to godaddy hosting that they might use to host the supposed mimic websites

Takes one to know one.

[tqk]

So when a real hack happens at the same time, we don't react?

You're not a genius, dude. You don't actually think of shit nobody else considered.

Pot, kettle, black. You're an insulting jerk.

Case in point, no computers participating in this simulated attack would have any confidential information, because the testers would be a vulnerability. This is essentially a drill, allowing people to learn what decisions to take in case of a serious attack. If somebody else takes this time to hack real systems, beli

Simulated?

[ircmaxell]

A "Simulated" attack? So basically people wandering around pretending that power just went out? I understand that holding fire drills is good and all, but why not try lighting a controlled fire and seeing how everyone reacts? And never announce a drill. Otherwise, it's simply not real enough to give you useful information about the response...

Re:

[Idiomatick]

Everyone runs planned drills and they are important. Perhaps after running regular planned drills for a little bit it would be useful to run some unwarned ones. As it I'm pretty sure they simply aren't prepared to handle one without warning very well.

Re:

[ircmaxell]

Yes, during training, you run "planned drills"... Something exercise a specific skill or scenario. But a planned drill does nothing but test that specific skill. Unplanned drills test the entire system... Basically, a planed drill teaches people how to react. An unplanned drill shows how "prepared" you are, and where you need to focus training. Without the baseline provided by an unplanned drill, how do you know how to focus the planned ones? For something like firefighting, you have past experience

Re:

[clone53421]

For something like firefighting, you have past experience (both from the organizers, and from others) to tell you how to do a drill and what it should focus on. But for this, there's no past experience...

Writing out a strategy to react to an unprecedented event is better than having no plan at all.

Re:

[solafide]

So this is why the government felt it necessary to fly planes into various gov't offices: they were creating controlled, limited-scope emergencies to test their ability to remain functional. Clearly the president was warned beforehand, but not many other people, and clearly it's really helped us shape up our response to such an attack. </sarcasm>

Re:

[hey!]

That's kind of an extreme position, don't you think?

Just because an unannounced drill is useful, doesn't mean announced drills aren't useful. For one thing, you *can't* do realistic drills of some scenarios. Some reactions to emergencies kill people. Clog the roads with emergency vehicles and panicking people and rush most of your EMTs and ambulances to the "disaster" site and people who need to ride in an ambulance for real suffer. Shutdown the airport for a few hours and somebody might not get his hear

Re:

[ircmaxell]

I'm not saying not to tell people that it's a drill. I'm saying not to tell them beforehand. If you tell them beforehand, they get to "study" and mentally prepare for what (they think) is going to happen. While this is good for appearances, it's not good for determining real preparedness. You tell them that it's a drill when the drill actually starts. This is what we used to do at the fire department where I was a member. Every so often (around twice per year, or so), we would get dispatched to an una

Re:

[hey!]

It sounds like your view is more nuanced than it first appeared.

I still say that planned exercises (perhaps we should not call them "drills") are valuable. My experience is that most people aren't very imaginative. They can't see what would be obvious to them in a walk through when they are trying to plan ahead.

For years I sold a software package that was used in the public health field. I used to go to conferences and give training sessions and lectures, I know these were highly rated, because I read th

It's a war game, not a drill

[wiredog]

They are war gaming this.

Re:

[david_thornley]

There's two sorts of drills, both useful.

A scheduled drill is a teaching tool. For example, the recent fire drill where we were all shepherded out the proper door and to the designated rally point. That develops specific knowledge in the participants. The drillers won't learn much.

An unscheduled drill is more like a test. It won't teach the participants much, except in the post-mortem, but it will show you how well they react to the fire alarm or whatever.

Re:

[Mishotaki]

controlled fire? bad idea... use a big smoke machine that you got in while everyone was out on weekend and start it in the first hour of monday morning... see how people react to a shitload of smoke coming out of a room instead

Hope you don't have plans next Tuesday...

[N3tRunner]

I'm sure this will go well. If you have any government work that you need to do, make sure it's in before next Tuesday! Or maybe you should wait until afterwards in case they lose everything somehow.

Re:

[hittjw]

Don't know why they need a simulated attack, ever script kiddy is banging on their equipment anyway. Maybe they will have a serious plan for handling it rather than what I've seen with speculation and lax best practices. At least they are trying.

Re:

[MachDelta]

"Sorry mister IRS man, my tax got hax'd!"

how will they know?

[Anonymous Coward]

Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets

Have they been notified? And how is it a simulation if they are or how will they know how to respond or detect it even?

If I imagine this to happen here, to a global bank, this has been a real scenario:

"How did they get those data?"
"Appearantly all our clients have been leaked"
"Oh shits, heads gonna roll! Call serverteam!!"
*Perform security audit, fire 3rd party solution creators, creating a hole through carelessness.*

Now, if you would do a "large scale test", it will in my experience go like this:
:
"Agents complain of slow access, what is up?"
"It's lunchbreak, people are surfing, let them know we're checking it out."
"Agents are still complaining, we have some error logs coming in from website users."
"Ok, lets contact servermaintenance, request a logfile."
"Server maintenance here, we're swamped with requests, I can send it to you tomorrow or the day after soonest."
"We need a stat on the server, things are slow"
"CPU is looking ok, memory is reasonable. Must be some configuration on your side, wait for the logs. Tmorrow."
"Oh, nvm it cleared up. Guess we got a pusblished article in the papers drawing in more folks. Applause for sales. Close the ticket."

Simulation of the results follows

[0racle]

I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.

Re:

[TubeSteak]

I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.

Did you even RTFS?
They've invited a bunch of "former administration and national security officials" to pretend to be Cabinet members at a simulation they've setup at a hotel.

This is a private company inviting private citizens to do some techno-LARPing.

Re:

[AMuse]

Sounds like an excellent idea for foreign espionage. Set up a private shell company, then invite a bunch of former officials who know exactly how the real systems work, to get together in a hotel you've bugged and start pretending they're responding to a cyber attack of some sort.

Official1: "Call the NSA Task force Orange, tell them to begin operation Stork."
ForeignAgent: (making notes) Operation Stork.... NSA... means X..."

This will be a nice change from the status quo,

[Minwee]

...where "Political Hacks Interfere With US Government Response".

Re:

[bsDaemon]

And here I squandered all my mod points on dumb crap... I wish I had saved some.

Paranoia

[handy_vandal]

What a perfect cover story for launching a real cyber attack. Let the paranoia begin!

Duck and cover!

[gparent]

The only appropriate response.

A Simulated Fire Sale...

[spammeister]

Bruce Willis is not impressed! (or) There's an app for that!

Re:

[datapharmer]

I'm going with B) there's and app for that.

Those phones are made in China right?


what's this button do ::breaks internet::

I guess I'll have to register in South Carolina now...

Re:

[spammeister]

Well that didn't go exactly as planned :(

The Office

[LtGordon]

Reminds me of episode where Dwight teaches the office self-defense by attacking himself. It's kind of hard to successfully attack yourself without the element of surprise!

Observe 4Chan

[taliesinangelus]

Shouldn't they learn all they need to know from observing 4Chan and Verizon?

How it all works.

[KevinH456]

in america, you pen test the government in soviet russia, government pen tests you

Re:

[gparent]

In Soviet Russia, the government penetrates you.

Chinese Sub

[Hadlock]

Does anyone remember this event happening?
 
  http://www.dailymail.co.uk/news/article-492804/The-uninvited-guest-Chinese-sub-pops-middle-U-S-Navy-exercise-leaving-military-chiefs-red-faced.html [dailymail.co.uk]
 
Yes, that really happened in real life. It also happened in Tom Clancy's book "Executive Orders". Let me summarize the headline for you real quick, The uninvited guest: Chinese sub pops up in middle of U.S. Navy exercise, leaving military chiefs red-faced
 

When the U.S. Navy deploys a battle fleet on exercises, it takes the security of its aircraft carriers very seriously indeed.
At least a dozen warships provide a physical guard while the technical wizardry of the world's only military superpower offers an invisible shield to detect and deter any intruders.
That is the theory. Or, rather, was the theory. Uninvited guest: A Chinese Song Class submarine, like the one that sufaced by the U.S.S. Kitty Hawk
American military chiefs have been left dumbstruck by an undetected Chinese submarine popping up at the heart of a recent Pacific exercise and close to the vast U.S.S. Kitty Hawk - a 1,000ft supercarrier with 4,500 personnel on board.
By the time it surfaced the 160ft Song Class diesel-electric attack submarine is understood to have sailed within viable range for launching torpedoes or missiles at the carrier.
According to senior Nato officials the incident caused consternation in the U.S. Navy.
The Americans had no idea China's fast-growing submarine fleet had reached such a level of sophistication, or that it posed such a threat.
One Nato figure said the effect was "as big a shock as the Russians launching Sputnik" - a reference to the Soviet Union's first orbiting satellite in 1957 which marked the start of the space age.
The incident, which took place in the ocean between southern Japan and Taiwan, is a major embarrassment for the Pentagon. Battle stations: The Kitty Hawk carries 4,500 personnel
The lone Chinese vessel slipped past at least a dozen other American warships which were supposed to protect the carrier from hostile aircraft or submarines.
And the rest of the costly defensive screen, which usually includes at least two U.S. submarines, was also apparently unable to detect it.
According to the Nato source, the encounter has forced a serious re-think of American and Nato naval strategy as commanders reconsider the level of threat from potentially hostile Chinese submarines.
It also led to tense diplomatic exchanges, with shaken American diplomats demanding to know why the submarine was "shadowing" the U.S. fleet while Beijing pleaded ignorance and dismissed the affair as coincidence.
Analysts believe Beijing was sending a message to America and the West demonstrating its rapidly-growing military capability to threaten foreign powers which try to interfere in its "backyard".
The People's Liberation Army Navy's submarine fleet includes at least two nuclear-missile launching vessels.
Its 13 Song Class submarines are extremely quiet and difficult to detect when running on electric motors.
Commodore Stephen Saunders, editor of Jane's Fighting Ships, and a former Royal Navy anti-submarine specialist, said the U.S. had paid relatively little attention to this form of warfare since the end of the Cold War.
He said: "It was certainly a wake-up call for the Americans.
"It would tie in with what we see the Chinese trying to do, which appears to be to deter the Americans from interfering or operating in their backyard, particularly in relation to Taiwan."
In January China carried a successful missile test, shooting down a satellite in orbit for the first time.

...So who's to say something similar won't happen this time, except in cyberspace? Imagine, in the middle of a simulated hack, the Chinese government actually hacks our systems during a military exercise. Knowing what we know now, it's not improbable.

Re:

[Ltap]

Wouldn't that be "People's Liberation Navy"? "People's Liberation Army Navy" just sounds awkward...

Re:

[Zak3056]

Wouldn't that be "People's Liberation Navy"? "People's Liberation Army Navy" just sounds awkward...

They really do call it that... it's the naval arm of the People's Liberation Army, so I guess it makes some sense, but as you noted, it certainly is awkward.

Re:

[Ltap]

Maybe it sounds better in Chinese.

Re:Chinese Sub

[GooberToo]

Except that article is all fluff and lacking any type of intelligence.

Those were regularly scheduled exercises which take place annually in the exact same spot every year. The FACT is, no one in the military was embarrassed. Period. Only the idiot reporters, who improperly frame it as an embarrassment, have been embarrassed.

This is reality. The Chinese, wishing to cause a publicity stunt, hoping that idiots, which are frequently referred to as reporters, will pick up on a stunt are report on it because one, they are idiots, and two, won't actually check fact their story. And so, the Chinese decide to quietly sit in the middle of nowhere waiting for the US military to come along; as they've done every year preceding for who knows how many years. Sure enough, just like every year before, the US Navy comes cruising along in the exact same area. The Chinese pop up and start cruising toward the highest value target available; a US aircraft carrier. Next, idiot reporter states the military is embarrassed because he's too stupid to realize they are not.

The simple truth is, unless they are able to break US military cryptography, which I very seriously doubt, or if they are planning on a preemptive strike whereby China disappears from the face of the Earth, this is in no way, shape, or form, representative of any type of military action possible by the Chinese.

The Chinese do not pose any credible threat to the US Navy in open waters. None. Not one bit. They do, however, pose a threat in regional, shallow waters, which is why the Navy is pushing so hard to improve their sonar capabilities in that environment.

To summarize, the only people embarrassed by the Chinese are idiot reporters and ignorant masses who believe it speaks to China's Naval capabilities. In reality, it was a completely non-news event and reports and people who ignorantly repeat such stories are nothing but sock puppets for the Chinese propaganda machine; which the US Military is now trying to play to obtain yet additional funding.

Re:

[Hadlock]

Man the millitary types just crawl out of the woodwork when you post anything negative about them. The point was that they were actively scrimming and the Chinese sub managed to bypass their sensors.

Re:

[GooberToo]

sub managed to bypass their sensors.

That's actually easy to do and the expected result for a stationary object resting near or on the bottom. Things that don't don't move and don't make noise are really hard to find. This is especially true where multiple thermoclines exist. Of course, that's also why its not the least bit embarrassing for the US Navy because for it to have any real meaning, the Chinese would have to know where the US Navy would be before hand, during a state of war.

The picture is even more bleak for trying to locate modern d

The ancient DoS attacks: are they really prepared?

[garompeta]

1) Plant a bomb
Who needs a complicated hack when you can use thermite on key interconnections?

2) Lure an insider
Ancient methods that the CIA is still using to gather foreign "intelligence" from their euphemistically called "Agents" (in their respective countries these Agents would be called traitors).
Who can stop a trusted and authorized user with the right privileges from opening ports from behind the enemy lines (aka. firewalls)... when the "bad guys" get him the proper incentive or coersion?

3) C

In the meantime...

[noddyxoi]

Goldman Sachs and JPM prepare a Short Selling attack in America.

Better summary at The Atlantic

[wiredog]

Right here [theatlantic.com]. Although I expect ot see lots of posts here rated "5", which completely miss the difference between a drill and a war game.

wait, we've seen this before

[SkunkPussy]

presumably the response will be to invade an innocent and unrelated country. maybe belgium.

Scripted Simulation

[unsupported]

The simulation is occurring in a hotel. It is being simulated to test the response of officials. Not to test the response of security professionals. There is a production company who is providing scripts to security professionals. So I am sure the officials will be asking the security professionals for updates or detailed information, which will be scripted. It is like a table read for a television show, (ie Saturday Night Live), where everyone sits around a table and reads the scripts, without actuall

Calling BS

[MrTripps]

The whole thing is pretty stupid. It doesn't say there is a specific weakness in security, but rather assumes some hypothetical attack that is immediately successful and is able to bypass any and all security measures. It is like running a bank vault security check using the chick from X-Men who can walk through walls as your test intruder. The take away is that a handful of random political people who don't manage IT infrastructure don't know anything about managing IT infrastructure. That won't stop the s