The Washington Post Live’s cyber-security summit featured a Q&A with Secretary of Homeland Security Janet Napolitano, a cyber-attack scenario and a panel discussions.

Panel: final thoughts

People occasionally offer “silver bullet” solutions to cybersecurity: leadership, minimum standards, or regulation.

Cureton says she “bristles” at “all you have to do is” answers: it’s not just about leadership, it’s not just about passwords. Risks come from all kinds of areas, and change at different times.

She also stresses NASA has data they want everybody to have – to share with academics and others – but also some it wants no-one to have. Information sharing is important too, she says.

“There’s no easy answer for this. You just keep on and keep on.”

O’Harrow says the discussion often remains the same now as it was ten years ago: build information sharing and the private sector will follow. He says that hasn’t happened really at a sufficient pace – “it falls way short of the extraordinary threat the country faces”. He asks about the public health model of cybersecurity, where everyone is held responsible for doing their part.

Bucci says it’s a principle he likes, but the key issue is getting everyone’s incentives in line – and whatever approach would best achieve this (he thinks regulation is not the right choice) would be the right one.

As the panel’s hacker, Mudge is asked what might make his life harder. Minimum security standards probably wouldn’t make a difference, he thinks – becoming just another step in the cat-and-mouse games hackers and security experts already play.

His conclusion’s a familiar one: information sharing needs to be incentivized, and needs to be done better.

Cureton is more blunt. “That’s all nice guys, but I’m just a girl trying to protect some networks here”. She thinks crime is the model: does more law prevent crime? Does more spending prevent crime? Do more police officers prevent crime?

“It’s just vigilance,” she concludes. “Let’s not wait for the cyber-9/11 before we get together.”

And that’s a wrap for our cybersecurity summit this morning. Hope you’ve found it enlightening, and feel free to continue the conversation on Twitter at #cybersecurity2012, and look out for our cybersecurity supplement on today’s sessions on November 13th.

Panel: blackmailing to defend

Cureton says NASA has not always done everything it could to respond to every attack. Says there aren’t enough resources or time in the world to fully protect anything. Defense must be multi-layered, based on priorities, and be tested aggressively.

“We have to cajole, persuade, blackmail and bargain,” with customers to persuade them of the need to defend their priority systems, she says.

NASA’s approach is trying to get more forward-leaning, talk more to intelligence and counter-intelligence organisations, and get more proactive is managing cybersecurity, she concludes.

Asked how he’d look to get into NASA, Mudge teases – “Well, everyone wants to get into NASA because they know where the aliens are, right?”

He says NASA could be tempting as a target because they might have, for example, aerospace technology. If he was doing this he’d look to find people in the agency who might have access to this. If penetration testing, he’d only target work accounts. If he was a hacker, he’d go for anything they could get.

Panel: information and retaliation

Are we living in a virtual Wild West?

Bucci opens by stating his opposition to cybersecurity bills and the executive order, branding them “19th century solutions for 21st century problems”, saying regulation is too slow, impossible to change. He wants legislation, but only which enables sharing of information without mandating it.

He also advocates a cyber-insurance business, to help develop a market response in this field. He’d also like a “cyber-right to self-defence”

O’Harrow says the private sector has already started getting into the retaliation game, through working discreetly with government and one another. He calls it “a global spy-versus-spy campaign”, saying campaigns are apparently underway to retrieve money and track attackers. “We are already in a Wild West scenario here,” he says, before adding the private sector is currently “a lot more restrained than they’d probably like to be”.

Mudge thinks the language around hacking is getting overly scary. To take out denial-of-service attacks, he suggests it’s possible to tell from the malware where a mass-attack originates from, and deactivate or mitigate the attack.

He also notes hacking is often not as easy as it’s made out to be: when he is penetration testing for a client, he says, he often “spear phishes” – sending emails with malware to different users to see if they’ll open it and thus grant him access to the system. He also notes hackers may not know where they’ll end up: they’ll attack any system to see which lets them in.

Panel discussion: what’s next

We’re moving on to our final panel of the summit, looking forward at what more needs to be done to tackle cybersecurity issues.

On this panel we have:

Linda Cureton, Chief Information Officer at NASA

Raphael Mudge, founder of Strategic Cyber LLC

Steven Bucci, Research Fellow for Defense and Homeland Security, The Heritage Foundation

Robert O’Harrow Jr, Investigative Reporter at The Washington Post

You can read some great background on some of these issues from O’Harrow’s “Zero Day” investigative series on cybersecurity.

Cybersecurity executive order and the election

Ratner agrees with Secretary Napolitano’s earlier remarks that the cybersecurity bill’s return to the Senate floor may be contingent on the results of Tuesday’s elections – but the same may not be true of an executive order.

“Senator Reid says he wants to bring the cybersecurity bill back to the floor, and we have every indication that will happen,” says Ratner. But much will depend on the results of Tuesday’s elections as to whether this will happen or not, he adds..

Ratner adds the two key functions of the bill are critical infrastructure protection and information sharing provisions. He believed the White House will issue its executive order on cybersecurity regardless of the result of the Presidential election next Tuesday.

An executive order cannot offer incentives like liability protections or similar to private organizations that share information on attacks, which Ratner says is a clear reason to pursue legislation.

However, if information sharing is done through executive order, Sen. Lieberman may still seek to pass the bill without these provisions.

Panel discussion: cybersecurity policy

Up next is the first of two panel discussions – this one on cybersecurity policy.

On the panel we have:

Jeff Ratner,Counsel and Senior Advisor for Cybersecurity at U.S. Senate, Homeland Security and Government Affairs Committee

James Lewis – who played Secretary of State in the earlier scenario – Senior Fellow and Program Director at CSIS.

The discussion is opening on why cybersecurity legislation presented in the Senate earlier this year stalled, and on other voluntary efforts to achieve similar information-sharing goals.

“In old Washington, the bill would’ve gotten through … we’ve got more money than ever before, but we don’t want to spend it on stuff,” says Lewis.

He adds the role of DHS was also an issue: congress, he says, doesn’t feel DHS should be given more responsibility for cybersecurity, as they are concerned about the Department’s capability.

Lewis feels DHS is the default choice to lead on cybersecurity, rather than the NSA or FBI.

“Somehow when you say you want to put the NSA in charge of all public networks and information sharing, people don’t react with joy,” he says.

Scenario: closing remarks

It’s time for the final remarks from our panel on the fictitious cyberattack scenario here. The situation has shown the difficulty of working without precedents, keeping private sector victims on track, and establishing how much information is enough.

It’s a situation summarized by Dep. Sec. Bill Lynn in his closing remarks:

“One issue is the tension between network speed and government decision speed. You’re considering the diplomatic impacts … the collateral damage. It’s not that government is slow, it’s that there a lot of implications to these decisions that have to be taken into account,” he says.

“Cybersecurity is pretty clearly a public good, you can’t just use the private sector. No one company has the incentives to provide the security the nation might need, but the government can’t just come in and take over … almost all the assets are in private sector hands.”

Scenario: further responses

The fictitious response is continuing to worsen, and the agencies are continuing to respond. Tensions between the U.S. government and the oil company are rising.

Lynn feels the option of a cyber-attack against the Venezuelan server is now a reasonable response, despite risk of damage to other servers of diplomatic repercussions. This varies from blocking to directly taking down the server. The decision, though, rests with the President.

In terms of responses against X-land directly, he is more cautious: plans should be developed, but there are intermediate steps which could be taken before military action.

Lewis says we’re now in an issue where the President needs to consider coercive measures: the servers are a secondary issue, the source of the attack is the primary concern. Directly military action is probably “unadvisable”. He suggests raising the issue with NATO, not as an act of war, but under Article 4. Messages could be passed to X-land through covert channels.

Gen. Cartwright feels impact to environment and energy infrastructure is now severe, but is concerned as to precedents which would be set, both with X-land and with countries which could be wittingly or unwittingly hosting command and control systems for the virus. Building the case in the international forum is now crucial.

Escalation needs to take into account precedent. Keeping the response covert (unattributable) may be significant. A range of options must be developed in case the situation continues to escalate, to make sure they don’t fall short. At this point, discussions will have to take place with Congress.

Alperovitch: “As a private sector victim here, I’m not feeling a lot of love from the U.S. government.” If anything, he’s getting threatened – and getting very little information, either. He is looking for ways to pressure the U.S. government, including by going directly to the media. He wants the government to shut down the attack, and at the very least take down the servers.

Chabinsky says he has the capability to take down the command and control servers, and is suggesting to other agencies it is becoming difficult to deal with the oil company having not taken that action. The legality of such an action, however, seems unclear.
Lewis is concerned about X-land gaining a sense of impunity, which he feels needs to be shaken, perhaps through some covert cyberattacks on X-land to shake their sense of confidence. At this stage he suggests targeting offensive software.

Gen. Cartwright cautions that steps must be in place to prevent constant escalation and re-escalation if such action is taken, but such a course could work towards smoking out more information.

Powell feels things are “sliding his way”, and so is keen to caution intelligence, even with high confidence, can be wrong – he cites Iraq. The full, true, answer might never be known. There is an issue between the speed of the attack and the speed of U.S. response at this point, he feels. The issue in taking down the command and control servers is diplomatic wrangling gives the attackers time to move to new servers.

We’re moving towards final thoughts from the panel on the scenario soon, after some questions from the floor.

Scenario day two: responses

Powell is now confident X-land is behind the cyberattack, and has strong indications that the attack is intended to go wider in the oil sector, and potentially another sector: there are suggestions it could be the financial sector. The source of this information is extremely sensitive, and there could be severe consequences on intelligence gathering if the information gets out

James Lewis of CSIS, playing the Secretary of State, is concerned about sending signals that this type of attack is totally unacceptable and requires a strong response to signal this, and deter other would-be actors. At present, the servers being physically located in other countries is a secondary issue, but he is concerned about setting precedents: his preference is to speak to the countries hosting the servers and asking them to take action.

Gen. Cartwright is looking for State to take this to the UN, and examine other diplomatic actions that could be taken to cut off the attack.

Lewis does not wish to take non-diplomatic options – including covert actions – off the table as responses.

Chabinsky has taken down the server in the United States and has had a good response from some, but not all, of the countries hosting command and control servers. He is reluctant to share too much information publicly at this stage.

Gen. Cartwright is at this point looking at courses of action up to, and including, stopping these actions “in a kinetic way”.

Lynn is looking for options at the cyber-level to take down the attacking servers, depending on legal and diplomatic position. The other package in this area would be military options against X-land, including cyber and traditional military tools.

Alperovitch, our oil CEO, is having a bad week: his stock price has fallen dramatically, and furthermore his efforts to contain the situation have failed – the story has leaked out to the Post, and he is doubly unhappy. Firstly, because the story is out, and secondly, because the Post has more information than he’s been given directly.

His company has independently identified the command and control servers. He is crafting cease-and-desist letters, but is also exploring with legal counsel direct retaliatory options. His position is that he’ll give the government only a few hours before retaliating directly.

Lewis cautions that from a foreign policy perspective, it may be in the U.S.’s interest to take action against the oil company if they take direct action, particularly to avoid unacceptable precedents being set.

Scenario day two: it’s getting worse

The situation is deteriorating fast in our fictional scenario.

The virus has now disrupted control systems that regulate the flow and pressure of oil moving through pipelines, causing valves to close, pressure to build up and major leaks to occur in pipelines from Houston to Washington D.C. Technicians cannot immediately tell where the leaks are occurring.

The virus has also spread to a major refining company’s computers. Gasoline prices hit $6 a gallon. International markets are affected. By day’s end, the Dow has closed down 8 percent or about 1,000 points – and oil futures are up $20 in two days.

US intelligence analysts have identified three command and control servers in Venezuela, Russia and in the U.S. that are sending commands to the virus. They have concluded with a high degree of confidence that the virus was deployed by state-sponsored actors in X-land and have acquired the target list for the virus that showed banks are being targeted.

Scenario: first responses

Dmitri Alperovitch of Crowdstrike, playing the CEO of the oil company, has at this stage shut down drilling as an essential safety precaution. He is discussing with lawyers what information needs to be shared with regulators around the world, and is trying to gauge the impact of the attack on his infrastructure.

He has chosen to share some information with the FBI on the technical aspects of the virus, but not full details of the impacts.

Steven Chabinsky, playing the FBI director, is pleased the oil company has contacted him – as he already had a few guys heading down there. He is insistent that he wants log information as well as the malware itself. Ideally this will be voluntary, but if need be he’ll take action to compel it. At this point, he is unlikely himself to share a great deal of information with the oil company. He may say he’s got information it’s “criminal”, but no information on the actor.

Alperovich is reluctant to let the FBI onto his network at this stage, as his priority is getting systems back online, while the FBI’s is likely to be to investigate. He wishes to avoid “too many cooks”.

Ben Powell, former general counsel to the office of the Director of National Intelligence, playing the DNI, says the intelligence is currently “murky”. There is information that X-land has this capability, and is tied to the attack, but there is no certainty other nations don’t also share it. There is limited information on the extent of the attack. The virus has been named “payback” due to alleged cyberattacks by the U.S. on X-land, which have not been confirmed or denied.

Gen. James Cartwright, former Vice-Chairman of the Joint Chiefs of Staff, playing the NSA, regards the potential that the virus extends beyond the single oil company currently affected as significant, but the oil CEO’s decision to shut off his networks as helpful. The NSA wants more information from the DNI, and as the activity at this stage appears criminal, “if that”, Justice will at this stage take the lead. There’s a need to establish if anyone else has seen this virus.

Bill Lynn, former Deputy Secretary of Defense, playing the Secretary of Defense, believes this is not a DoD issue at this stage, but more information is needed: who is the target, what type of attack is this – disruption or destruction, what are the potential consequences of the attack, and finally: what’s the source of the attack?

A reminder: these are responses to a fictitious scenario.

Scenario: setting the scene

The stage is set for today’s fictitious cyberattack scenario:

It’s the morning after Thanksgiving, and the CEO of a large U.S. oil company is notified an unknown virus has wiped data and rendered 40,000 machines inoperable. The backup system has been sit. The systems contained information on pressure and safety readings on drilling operations in the Gulf of Mexico, preventing drilling. Trading platforms are affected.

The cost of oil immediately increases by $5, as one-fifth of oil is no longer around for trading.

U.S. authorities have independently had word of a virus in circulation, called “payback”, tied to a Middle Eastern nation under U.S. sanction, “x-land”.

International co-operation on cybersecurity

Responding to a question from the floor, Secretary Napolitano acknowledged shortcomings in international co-operation on tackling cybersecurity issues.

“There really is no good international framework right now,” she said. International co-operation on investigations, forensics and deterrents was necessary and a topic of discussion, she added.

The U.S. and the E.U have an ongoing cyber group, she said, who are working through these issues, and cybersecurity is also raised across other international groups. “But it is very much an act in progress,” she said.

The Secretary has now finished her Q&A. We’ll be starting up again in a few minutes with a fictitious cyber-attack scenario.

Should hacking tools be regulated?

Asked about whether the trade in hacking tools, vulnerabilties, and malware should be regulated – an active debate among security analysts – Secretary Napolitano was reluctant to suggest this route, calling instead for greater personal responsibility

“I don’t know about that. Having just been through the ‘anything that’s regulatory is bad’ debate with congress, I don’t know if anything would happen about that,” she said.

“I don’t think there’s anything wrong with a sense of public and private responsibility.”

Napolitano on not using email

The Secretary, it transpires, does not use email whatsoever – a decision she stresses is a “personal choice”. Asked by moderator Mary Jordan if this was a security concern, Napolitano said:

“Yes, and it’s also a timesaver. Your most precious asset is your time, and I’ve personally taken the decision that I don’t want to be scrolling all the time … people around me get email, and I certainly get passed what I need to see.”

Lame duck session for cybersecurity?

In the Q&A session, Secretary Napolitano raised the possibility of resurrecting Senate cybersecurity legislation during the lame-duck session later this year, contingent on the winner of the Presidential election.

“The House bill doesn’t cover a lot of the essential things it needs to cover,” she said. “There is a bipartisan bill in the Senate. That failed during a cloture attempt earlier this year. There may be another attempt in a lame duck session, but that may depend on the outcome of Tuesday’s election.”

“When” President Obama is re-elected, she said, he would consider an executive order on information sharing, but she stressed some steps would require legislation – such as limiting liability for companies under certain circumstances.

Secretary Napolitano’s opening remarks

After opening with an update on Sandy – “an innocuous name for a very destructive storm that is still going on” – Secretary Napolitano likened the potential impacts of cyberattacks on core U.S. infrastructure to the impact of a storm.

“We know that cyber extends into every aspect of everyday life, but just think of this: the nation is under attack constantly,” she said. “It is an area I have seen grow in sophistication and number in the almost four years I have been Secretary.”

To those who would question the potential impact of a cyberattack on U.S. control systems, which operate electricity grids, pipelines, or the financial system, taking any offline for even a few hours, Napolitano pointed to the impacts of Sandy in the past few days.

The DHS manages a 24/7 co-ordination centre between arms of government and the private sector on cybersecurity, and is responsible for co-ordinating responses to attacks.
“We look, and act, like a cyber-FEMA,” she said, adding the DHS “serves as the hub of a very, very large wheel.”

Napolitano said though progress had been made, more needed to be done to tackle online threats.

“We have to do more: we’ve probably gone from about 5mph to 85mph in the last three years,” she said. “We need to be at 120mph.”

In a reference to stalled cybersecurity bills in the Senate, and a mooted executive order on data-sharing, Napolitano stressed the need for “real-time information sharing” at various classifications, between private sector and government as a high priority.

“We’ve presented more than 100 briefings at the Senate … but this was unfortunately an area, where even though it involves security, we could not find bipartisan agreement,” she said. “The plain fact of the matter is that if Congress cannot act, then other means will be pursued … the public interest is involved, the nation’s security is involved.”

Secretary Napolitano will now be taking questions from moderator Mary Jordan and the floor.

Welcome to the summit

Good morning and welcome to the Post Live’s cybersecurity summit. First up this morning is Janet Napolitano, the Secretary for Homeland Security, who’ll be on stage at around 8:30 ET.

Her Q&A will be followed by a scenario modelling a large-scale cyber-attack on U.S. interests. Among the panel responding to the attack will be a panel will be Gen. James Cartwright, former Vice Chairman of the Joint Chiefs of Staff; William Lynn III, former U.S. Deputy Secretary of Defense and Steven Chabinsky, former deputy assistant directer of the Cyber Division at the FBI.

Later in the morning we’ll have panel discussions on policy implications and what’s coming next on U.S. cyber-security.

We’ll be live-blogging highlights here, and you can follow the discussion on Twitter at the hashtag #cybersecurity2012