Imagine a scenario in which a downloadable application turns smartphones into network-clogging bots, causing U.S. mobile-phone networks to fail, and eventually spreads to the wired Internet.
Then imagine, as U.S. White House officials debated how to handle that situation, the energy grid in the eastern U.S. begins to fail. A group of national security and cybersecurity experts wrestled with those scenarios Tuesday, during the Cyber ShockWave exercise hosted by the Bipartisan Policy Center, a Washington, D.C., policy think tank.
The scenario started small, with a downloadable application infecting smartphones. But the number of infected phones grew, and the malware started attacking the wired Internet as smartphone users synched their phones with their computers. The malware began sending huge video files across the Internet, crippling both mobile networks and the wired Internet.
A group of security experts, acting as U.S. cabinet members and presidential advisers, debated for hours about how to handle the situation, with some participants arguing the U.S. president should declare the attack an act of war and mobilize the U.S. military. Former U.S. Secretary of Homeland Security Michael Chertoff, playing the role of U.S. national security adviser in the scenario, asked whether the president has the authority to order mobile-phone networks be shut down or to turn off service to infected phones.
"We don't have the authority in this country to quarantine cell phones," answered former U.S. Deputy Attorney General Jamie Gorelick, playing the role of attorney general. "We're in uncharted territory right now."
Stewart Baker, a former assistant secretary for cybersecurity policy at the U.S. Department of Homeland Security, wondered why the president doesn't have that authority. If a person with a deadly and communicable disease were at a major sporting event, U.S. authorities would have the ability to remove the person, said Baker, playing the part of U.S. cybersecurity coordinator.
"I think we can find legal justification for what we want to do," said Baker, now a visiting fellow at the Center for Strategic and International Studies. "[Telecom] is a regulated industry. We can take those legal authorities and tell them what they need to do to get this worm out of the system. We've got to find the authority."
Acting as the DHS secretary, Frances Townsend, former chairwoman of the U.S. Homeland Security Council, suggested the president ask people not to use their mobile phones as a way to prevent the malware from spreading.
But former presidential spokesman Joe Lockhart questioned if that would work. People would continue to use their mobile phones, even after the president asked them not to.
During the discussion, participants learned that the hypothetical malware originated from a group of servers in Russia. Retired Air Force General Chuck Wald, acting as the secretary of defense, assured the other members of the national security team that the U.S. had the offensive capability to shut down those servers, but other participants questioned whether Russia would see that as an act of war.
The U.S. doesn't have a well-developed policy for responding to major cyberattacks, Wald said.
While the group was debating how to respond to the cyberattacks, the electrical grid in the eastern U.S. began shutting down. In what appeared to be an attack coordinated with the smartphone malware, pipe bombs exploded at two energy facilities in the U.S., causing a major gas pipeline to shut down. A heat wave contributed to problems of electrical blackouts.
As blackouts began to cover much of the Northeast and several large Midwestern cities, participants began talking about mobilizing the National Guard and active-duty military members to protect electrical generating facilities and to prevent civil unrest.
Townsend suggested the military help deliver diesel fuel to hospitals in areas where there were blackouts. Hospitals have backup generators that run on diesel, but the generators only can run for six to 12 hours without additional fuel, she said. "People, after about 12 hours, are going to start dying in hospitals," she said.
At that point, Lockhart suggested the president has to assume the worst -- that the cyberattack and the electrical grid shutdown were related and not the end of the problems. "We have to assume [the perpetrators] have the ability to attack again at some other place," he said.
Organizers of Cyber ShockWave said they hoped the scenario would help U.S. policymakers better understand how to deal with cyberattacks.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.