Every spring semester, the Patterson School of Diplomacy and International Commerce at the University of Kentucky launches a 24-hour policy crisis simulation. Thirty-five or so students are divided into 6-8 teams, each led by a faculty member or program graduate. Simulation Control, normally involving myself and one or more graduates or faculty members, manages the sim with a combination of remote and direct contact. The University of Kentucky School of Journalism coordinates with the Patterson School during the simulation, independently operating at least two news websites that cover the events in-sim. This year's simulation involved thirty-three students, five faculty members, three graduates, and a massive criminal conspiracy to steal defense-related intellectual property from U.S. firms.
The design philosophy of the Patterson School simulation concentrates on developing difficult decision-making scenarios for students. Students make decisions under conditions of time pressure, asymmetric information, inter- and intra- group dynamics, and exhaustion. Each scenario begins with a realistic premise, and the teams have realistic motivations and goals. Simulation Control feels free to abstract from reality, however, in order to facilitate this decision-making environment. In this case, abstraction was doubly necessary because of the highly technical nature of the subject matter, as well as the secrecy that normally accompanies policy work on the question. Obviously, we could not ask students to develop worms or conduct DDoS attacks against other teams, although some did employ innovative techniques for stealing passwords, such as observing and recording carelessly placed post-it notes.
The primary architect of the 2013 simulation was Patterson graduate Trevor Sutherland. Trevor was also my primary partner in conducting the simulation, and enabled the success of the project through his familiarity with the subject matter. We were also assisted by Dr. Alex Vacca of Northrup Grumman, who contributed in his capacity as a scholar of international affairs and cyber-security subject matter expert, and played an in-sim role as the head of the cyber-security firm "Germanicus."
The teams in this exercise fell into three categories: State actors, private firms, and non-governmental organizations. Teams included:
United States government (subdivided into departments)
Israeli government (subdivided into departments)
Green and Company Financial Services: A large American bank and financial services company, with significant interests in Canada and Israel
Smith, Smith, and Smith LLP (Smith3): A major New York law firm representing a wide variety of corporate clients, including Green and Co. and a number of defense contractors
Force Orange: A hacktivist collective that develops around the #opFreeEnoch movement.
An unnamed Russian criminal organization (RICO): An experienced and well-connected cyber-crime organization focused on the expropriation and sale of intellectual property
Websites associated with the simulation included:
International News Network: This is an international competitor to CNN, FNC, and the BBC.
BluWired: This is a tech and media oriented magazine.
Social Media Proxy (password protected): This site served as a proxy for general social media discussion of the ongoing crisis
Course of Simulation
The setting for the simulation involved an attempted terrorist attack (using an overcharged laptop battery) on an El Al flight. After the plane successfully landed, the terrorist explained that he had developed the idea for the attack by watching YouTube videos. As a consequence, the Israeli government attempted to ban a variety of similar videos from domestic distribution. This move sparked international controversy, which was exacerbated by the Israeli decision to arrest Enoch Moses Kaplin, an Israeli man who had disseminated software for evading the ban from his personal website. In response to this arrest, a movement developed around the hashtag #opFreeEnoch, targeting Israeli private and public institutions with a series of sustained DDoS (Dedicated Denial of Service) attacks. As news emerged that these attacks had spread to an Israeli branch of the U.S. financial services firm Green and Company, our simulation began.
The Israeli team quickly ascertained that many of the #opFreeEnoch attacks were coming from the United States, and placed pressure on the U.S. government to arrest perpetrators. The U.S. government followed through on this, while also monitoring the situation with Green and Company. Green and Company took the step of shutting down Israeli operations completely, although the Force Orange attacks subsequently spread to the U.S. headquarters.
As these attacks proceeded, RICO took the opportunity to launch a prepared, sophisticated "spearfishing" attack against Smith3, targeting information about Smiths' defense contractor clients. RICO had previously come to an arrangement with a Russian defense company wherein the latter would make implausible claims about American intellectual property holdings, in the hopes that U.S. contractors would enter into sensitive communications with their legal representation. The Russians also launched an attack on Green and Co. just for the fun of it, managing to acquire some credit card, account, and password information.
These actions proceeded as planned until early Friday evening, when Force Orange determined that Smith3 represented Green and Co.'s Israeli interests and launched a DDoS attack. This, combined with the previous Russian efforts, completely crashed Smith3's computer system, temporarily immunizing them from the Russian attack. This had additional effects, including making Smith3 aware of their vulnerability, and making the defense contractor clients nervous about the firm's reliability. However, as the US government was focused on the Green and Co. situation, it paid little attention to Smith3's plight. In order to restore and improve access, RICO carried out a daring kidnapping of a Smith3 associate, prying out computer information that would assist with later attacks.
Late on Friday evening (early morning Israeli time), the Israeli government announced that most charges against Enoch Kaplin would be dropped, and that he would shortly be released from prison. The Israeli government also announced that it had received sufficient assurances from Google to allow full access to YouTube videos. This announcement substantially ended the #OpFreeEnoch operation, and slowed attacks on both Green and Co. and Israeli state institutions. However, disquiet at Smith3 persisted. Force Orange revealed that it had rejected entreaties from what it suspected to be a Russian criminal organization, although few took this revelation at face value.
After restoration of Smith3's servers, the Russian attack resumed. In consultation with the firm Germanicus, Smith3 noted an unexplained bump in .html activity, but undertook no immediate steps beyond contacting the U.S. government. The U.S. government, having just apprehended a member of Force Orange, paid little attention to this contact. Force Orange responded by renewing its attacks on Green and Co., as well as by launching an SQLi attack against BluWired, a tech magazine and website. Israeli intelligence (in contact with some Russian assets) warned the United States that a security breakdown might be in progress, but the U.S. misinterpreted this signal by focusing on Pentagon defenses.
In the final hours of the simulation, Smith3 contracted with a private company to give advice on tracking the lost information. Although this took several hours, technicians eventually traced the loss to Liaoning, China, then to Tallinn, Estonia, where the trail went cold. Meanwhile, RICO began attempting to sell data to potential customers. A prior arrangement with a Russian state defense firm broke down over a price disagreement. The Russians pushed feelers towards Brazil and Israel before coming to an initial agreement with a Chinese defense firm for part of the information. At this point the simulation ended.
This section borrows heavily from Dr. Vacca's account of the simulation, as his views are largely in accord with my own.
Communication Breakdown: Perhaps due to the subject matter, paranoia set in early at the simulation. Teams became reluctant to communicate with one another, and reluctant to convey their genuine concerns even while communicating. Organizations which had suffered attacks were reluctant to reveal the full extent of those attacks, believing that a true account would undermine the credibility of their security. This was especially true of Smith3, for which a reputation for security was a central asset.
Asymmetric Information: Communication breakdown enhanced the problem of asymmetric information, which is one of the hallmarks of these simulations. The United States was unable to draw together the disparate information it received about the security attacks, in no small part because the information was difficult to decipher and came in small, seemingly discrete packets.
Creativity Pays: The RICO team had a great deal of freedom of action, and used it to good effect. In order to make up for their lack of legitimate presence, the team (on its own initiative) developed a series of shell identities, which it used in collaboration with Germanicus to acquire intelligence about the other teams. RICO also responded in nimble fashion to the loss of access to Smith3, carrying out the high risk, high reward kidnapping of a Smith3 executive. Although Smith3 managed the damage as well as it could, this helped accelerate RICO's theft efforts. Similarly, Force Orange took advantage of the lack of political constraints by engaging the other teams in a public manner:
People Make Mistakes: As noted above, the simulation is designed to mimic an environment in which decision-makers choose poorly. As the simulation stretched into the early morning, the ability of students to process information and to maintain composure waned. The teams demonstrated much greater energy and acuity after a short break allowed for some rest and recuperation. Although seemingly obvious, this is a critical lesson for any organization; even crises that don't involve explosions can tax the wetware.
Consultants Will Outlast Us All: Germanicus, in the person of Dr. Vacca, received substantial (imaginary) cash payments from every team. Given the contradictory nature of team goals, this obviously meant working both sides of a problem at the same time. In this exercise Germanicus acquired the veneer of respectability through his association with simulation management, but even in the real world the vetting of consultants and other third party actors can be difficult, especially in technologically challenging environments.
At the Patterson School we normally only run each simulation once; unlike the Army War College negotiation scenarios, we lack the opportunity to retool and tweak the scenario each time in order to improve outcomes. Were we to rerun this scenario, we would undertake some simple administrative changes, such as improving the access that each team had to information about the other (public) teams. In retrospect, I would not have paused the simulation at 2am, instead pushing forward with some additional events to keep the teams awake, interested, and paranoid.
Altogether, however, the simulation represented a valuable use of our time. Students became familiar with a wide swath of terminology just as major concerns over cyber-security hit the New York Times and the Washington Post. The architect and the participants should all feel proud of their achievements. Next week Patterson will release a podcast giving some personal accounts of the simulation, as well as greater detail regarding the course of events.
Wednesday, February 27, 2013
Posted by Robert Farley at 8:05 AM