Daniel Zender

Imagine the US was just hit with a cyberattack. What happens next?

An oral history of a devastating strike that hasn’t happened yet.

Oct 24, 2019
This moment had been 10 months in the making. But no one noticed until last week.

A group of well-resourced hackers has been combing through the networks of the gas pipeline operator for almost a year, harvesting crucial information. Now the hackers know the network better than the pipeline company does: every piece of equipment, the company’s entire workforce, usernames and passwords. They have the privileges needed to access both the firm’s desktop computers and the machinery of the pipeline itself. Now they are ready to strike.

The US has a lot of cyber-enemies. It trades blows with China, Russia, Iran, and North Korea on a daily basis. A full-blown cyberwar, thankfully, remains the stuff of theory and tabletop exercises. But what happens when one breaks out for real?

To better understand how it would play out, we talked to a number of experts in cybersecurity and national security. We asked them to consider hypothetical scenarios, including the one on the opposite page in which unknown hackers have accessed the computers, networks, and hardware of gas pipelines in New England.

The potential consequences would range from espionage and intellectual-property theft to more devastating attacks that could leave Boston without power or, in the worst case, cause fires and life-threatening damage. What happens next—and whether it escalates into a real cyberwar—depends on who is on the attack, what their goals are, and how the US responds.

The variables at play mean there’s no telling exactly how this would go. But imagining the worst might help us better understand how conflict is changing, and let us plan how to act when cyberwar lands on our doorstep.

Our panel was made up of some of the US’s leading experts in cyberwarfare.

Angus King: Wikimedia Commons / Sandra Joyce: courtesy photo / Richard Clarke: Wikimedia Commons / Michael Daniel: courtesy photo / Eric Rosenbach: Wikimedia Commons / John Livingston: courtesy photo / Mike Gallagher: Wikimedia Commons

Sandra Joyce is senior vice president of global intelligence at the cybersecurity firm FireEye, the first company to openly name Chinese government hackers working against US companies.

Richard Clarke has worked in the administrations of Bill Clinton, George W. Bush, and Barack Obama. He was among the first high-level White House officials to focus on cybersecurity.

Michael Daniel was cybersecurity czar under President Obama. He now leads the Cyber Threat Alliance, a team of cybersecurity companies sharing information on threats.

Eric Rosenbach was the chief of staff to former secretary of defense Ash Carter. He led the Defense Department’s cyber activity and crafted the military’s cyber strategy.

John Livingston is the CEO of Verve Industrial Protection, a company that handles management of industrial cybersecurity for projects including natural-gas pipelines and other critical infrastructure.

Representative Mike Gallagher is a former counterintelligence officer in the US Marine Corps and now cochair of the Cyberspace Solarium Commission, a panel of experts charged with formulating a US cybersecurity doctrine.

Senator Angus King is a member of the Senate Select Committee on Intelligence and cochair of the Cyberspace Solarium Commission.

We spoke to all of our panelists individually, and their responses have been edited for length and clarity.

Rosenbach: The first thing that would happen is the NSA [National Security Agency] collecting intelligence abroad. When this first comes through there’s just kind of a fuzzy gray picture that someone is operating in natural-gas infrastructure. And you don’t know necessarily whether they intend to immediately pull the trigger on the attack.

King: The first problem is attribution [i.e., who is behind the attack]. That’s one of the key challenges in this field, because the adversaries are getting smarter all the time about their tracks.

I’m proposing to the Cyberspace Solarium Commission that the US government should have an attribution center that would combine resources from NSA, FBI, CIA, and other intelligence agencies so that there’d be one central place to go.

Clarke: The attribution problem is not as bad as people think it is. With regard to cyber, if you are in the enemy systems, then you’ll know who did it because you’ll see them doing it. If you can see it live, you’ve got a very good chance to figure out attribution. If it’s a post hoc analysis or forensic analysis, then attribution can be harder, especially since we know now that many nations, possibly including the US, are using attack tools created by other countries. What if they used a computer with a certain kind of keyboard, or used other techniques that fingerprint to another country? That creates a problem.

Rosenbach: Next, you would see whether there could be a cooperative relationship between [various US government agencies] to try to figure out where the attack might occur, look for certain types of malware that adversaries may have used in the past.

You see whether you can get more granular intelligence about that. The whole time that you’re working on all those kinds of domestic mitigation issues, you can try to think about what would happen in the case that the attack is successful and what you do. What is incident response during winter if there are hundreds of thousands of people, or millions of people, without heat?

You think about what you would say about that. At the same time, you’re thinking about whether or not you would confront the adversary nation with this information. Do you go to them and say, “We know that you have malware in the natural-gas infrastructure and grid”? Do you actually threaten them? And then, just like in the case of the 2016 elections, and also for the first time during the [2014] cyberattack on Sony [Pictures], the president would have to talk to all the senior advisors and staff about whether he goes public with this information. Is it fair to the public, if you know that there’s an attack about to occur, that you keep it to yourself? What are the pros and cons of publicly attributing?

Gallagher: One problem we have to deal with in cyber is whether the difficulty of attribution creates deterrence problems and deterrence failures. If you’re trying to deter an adversary from conducting a cyberattack, you need to be able to establish who the adversary is and also signal clearly what your response will be. There’s an open debate as to whether we should have such a declaratory policy in cyber or whether that would incentivize that behavior just below whatever threshold we determine is acceptable or unacceptable.

Clarke: Around four years ago, the intelligence community wanted to know who these [hackers] were. Once the [Justice Department] realized that knowledge was available, they then asked the intelligence community if it could be unclassified. Somewhat remarkably, the Justice Department won that and persuaded the intelligence community to declassify. I was surprised. Some of it is part of a name-and-shame strategy. Some people say the value is low because the hackers will never be arrested, but actually a couple have been. They have to be very careful about where they travel.

Rosenbach: After that you start to move into a phase where you’re trying to collect more intelligence. You’re trying to come up with options for the president or, if you’re in a specific department or agency, for the secretary, in order to figure out how you could mitigate the risk and the impact of an attack like that. That’s when it starts to get really complicated.

Clarke: Cyber can speed war up. I think it provides an attacker with the ability to do significant damage to the enemy’s homeland. And it provides the ability to do damage with speed. That’s true in cyber along with other things that are happening in warfare, like hypersonic missiles and AI-driven weapons, that could result in a war coming to a pretty quick conclusion—or at least the first phase of a war coming to a pretty quick conclusion.

This is part of what I think a lot of people in the Pentagon are worried about. They talk a lot over there about the “decision loop” and getting inside the other guy’s decision loop. They realize that cyberweapons mean there may not be a lot of time to decide how to react. That creates the possibility of greater instability. It might give you an incentive to attack first. You might have to make decisions about reacting before you really have good intelligence about what the hell is going on. Fast wars are something that we haven’t really understood yet.

Daniel: Just like how air power changed the nature of how militaries applied force and opened up options, I think cyberspace does the same thing in that it offers new channels for conflict. Some of the new physics and math of cyberspace mean that, for example, distance doesn’t mean the same thing. You can cause a physical effect all the way on the other side of the planet without nearly the kind of investment you have to make to do that in a physical domain.

Joyce: When you think about the type of conflict that is military against military, the United States has a clear advantage. We have near peers, but essentially the US outspends everybody. When countries want to challenge the US, they cannot do it in the ways the US is strong. So they’ll opt for other avenues.

Rosenbach: Nations who are adversaries to the United States have realized that the asymmetry of cyber and information operations is a huge advantage to them. The biggest and the clearest example would be North Korea. Think about how skilled they are as a cyber operational unit. Think about some of the attacks they’ve done in the past. Think about some of the things they’re doing now in terms of using ransomware to raise money through cryptocurrencies to get around economic sanctions.

The fact that they have very little telecom and IT infrastructure, and are therefore not vulnerable, [makes cyber] an even better tool for them. That means [that] if the US or other countries were trying to figure out how to mitigate the impact of North Korean cyber operations, they would have to go to either economic sanctions, where there aren’t a lot of options left, or outright military operations, where you risk too much escalation.

Then the Russians, of course, have totally perfected this by using pretty aggressive cyber and info ops and hybrid warfare. Ukraine is a great example. There they are attacking both the grid and elections. Of course, they’re attacking American elections as well.

A more recent example is what US Cyber Command did against Iran’s Islamic Revolutionary Guard Corps to try to have an impact on them, limit the effectiveness of that Iranian military organization, and at the same time control escalation so it might not grow into a broader conflict.

King: I’m very worried about gas pipelines. Our gas pipeline system does not have the same kinds of controls and requirements as the electric grid, although as far as I’m concerned, the gas pipeline system is part of the electric grid because so much of our power comes from natural gas.

Gallagher: Around 85% of critical infrastructure [in the US] is owned by the private sector. That’s a very difficult challenge. That is unique to cyber, in many cases, and requires the Department of Defense and the intelligence community to operate a little bit differently. Perhaps be a bit more forthcoming in terms of the information they’re willing to share with the private sector.

Livingston: When you have historically thought about national defense, it has been a government responsibility. You build a navy, you build an army, you defend the borders. The private sector’s role in that has largely been to supply that army or navy with whatever it needs. It has not been defending itself. But if we go forward 20, 30, 50 years, suddenly you have a world where the security of the nation depends on the private sector and not the government. What is the role of government in a world where my security is dependent on what my utility decides to spend money on? Or what that for-profit gas pipeline decides to spend money on? Or what that chemical plant that’s 50 miles away from me decides to spend money on? That is a very difficult public policy issue, and we won’t get there, I don’t think, until—unfortunately—there is a major incident.

King: It has become apparent to me that we have no doctrine, we have no strategy, and we have no policy that will in any way deter adversaries from coming after us. We’re a cheap date. Why wouldn’t you attack us in the cyber realm if you can do so with relative impunity? Until we develop some deterrent capability and also better resiliency, this is going to keep happening.

The good news is we’re the most wired country in the world. The bad news is we’re the most wired country in the world. That makes us the most vulnerable.

• An earlier version of this article stated that Sandra Joyce is vice president of global intelligence at FireEye. She is senior vice president.