Wednesday, February 27, 2024

2013 Patterson School Crisis Simulation

Introduction
Every spring semester, the Patterson School of Diplomacy and International Commerce at the University of Kentucky launches a 24-hour policy crisis simulation. Thirty-five or so students are divided into 6-8 teams, each led by a faculty member or program graduate. Simulation Control, normally consisting of me and one or more graduates or faculty members, manages the sim through a combination of remote and direct contact. The University of Kentucky School of Journalism coordinates with the Patterson School during the simulation, independently operating at least two news websites that cover the events in-sim. This year's simulation involved thirty-three students, five faculty members, three graduates, and a massive criminal conspiracy to steal defense-related intellectual property from U.S. firms.

The design philosophy of the Patterson School simulation concentrates on developing difficult decision-making scenarios for students. Students make decisions under conditions of time pressure, asymmetric information, inter- and intra-group dynamics, and exhaustion. Each scenario begins with a realistic premise, and the teams have realistic motivations and goals. Simulation Control feels free to abstract from reality, however, in order to facilitate this decision-making environment. In this case, abstraction was doubly necessary because of the highly technical nature of the subject matter, as well as the secrecy that normally accompanies policy work on the question. Obviously, we could not ask students to develop worms or conduct DDoS attacks against other teams, although some did employ innovative techniques for stealing passwords, such as observing and recording carelessly placed post-it notes.

The primary architect of the 2013 simulation was Patterson graduate Trevor Sutherland. Trevor was also my primary partner in conducting the simulation, and enabled the success of the project through his familiarity with the subject matter. We were also assisted by Dr. Alex Vacca of Northrop Grumman, who contributed in his capacity as a scholar of international affairs and cyber-security subject matter expert, and played an in-sim role as the head of the cyber-security firm "Germanicus."

Teams
The teams in this exercise fell into three categories: State actors, private firms, and non-governmental organizations. Teams included:

United States government (subdivided into departments)

Israeli government (subdivided into departments)

Green and Company Financial Services: A large American bank and financial services company, with significant interests in Canada and Israel

Smith, Smith, and Smith LLP (Smith3): A major New York law firm representing a wide variety of corporate clients, including Green and Co. and a number of defense contractors

Force Orange: A hacktivist collective that develops around the #opFreeEnoch movement.

An unnamed Russian criminal organization (RICO): An experienced and well-connected cyber-crime organization focused on the expropriation and sale of intellectual property

Websites associated with the simulation included:

International News Network: This is an international competitor to CNN, FNC, and the BBC.

BluWired: This is a tech and media oriented magazine.

Social Media Proxy (password protected): This site served as a proxy for general social media discussion of the ongoing crisis

Course of Simulation
The setting for the simulation involved an attempted terrorist attack (using an overcharged laptop battery) on an El Al flight. After the plane successfully landed, the terrorist explained that he had developed the idea for the attack by watching YouTube videos. As a consequence, the Israeli government attempted to ban a variety of similar videos from domestic distribution. This move sparked international controversy, which was exacerbated by the Israeli decision to arrest Enoch Moses Kaplin, an Israeli man who had disseminated software for evading the ban from his personal website. In response to this arrest, a movement developed around the hashtag #opFreeEnoch, targeting Israeli private and public institutions with a series of sustained DDoS (Distributed Denial of Service) attacks. As news emerged that these attacks had spread to an Israeli branch of the U.S. financial services firm Green and Company, our simulation began.

The Israeli team quickly ascertained that many of the #opFreeEnoch attacks were coming from the United States, and placed pressure on the U.S. government to arrest perpetrators. The U.S. government followed through on this, while also monitoring the situation with Green and Company. Green and Company took the step of shutting down Israeli operations completely, although the Force Orange attacks subsequently spread to the U.S. headquarters.

As these attacks proceeded, RICO took the opportunity to launch a prepared, sophisticated spearphishing attack against Smith3, targeting information about Smith3's defense contractor clients. RICO had previously come to an arrangement with a Russian defense company wherein the latter would make implausible claims about American intellectual property holdings, in the hope that U.S. contractors would enter into sensitive communications with their legal representation. The Russians also launched an attack on Green and Co. just for the fun of it, managing to acquire some credit card, account, and password information.

These actions proceeded as planned until early Friday evening, when Force Orange determined that Smith3 represented Green and Co.'s Israeli interests and launched a DDoS attack. This, combined with the previous Russian efforts, completely crashed Smith3's computer system, temporarily immunizing the firm against the Russian attack. The crash had additional effects, including making Smith3 aware of its vulnerability and making the defense contractor clients nervous about the firm's reliability. However, as the U.S. government was focused on the Green and Co. situation, it paid little attention to Smith3's plight. In order to restore and improve access, RICO carried out a daring kidnapping of a Smith3 associate, prying out computer information that would assist with later attacks.

Late on Friday evening (early morning Israeli time), the Israeli government announced that most charges against Enoch Kaplin would be dropped, and that he would shortly be released from prison. The Israeli government also announced that it had received sufficient assurances from Google to allow full access to YouTube videos. This announcement substantially ended the #opFreeEnoch operation, and slowed attacks on both Green and Co. and Israeli state institutions. However, disquiet at Smith3 persisted. Force Orange revealed that it had rejected entreaties from what it suspected to be a Russian criminal organization, although few took this revelation at face value.

After restoration of Smith3's servers, the Russian attack resumed. In consultation with the firm Germanicus, Smith3 noted an unexplained bump in .html activity, but undertook no immediate steps beyond contacting the U.S. government. The U.S. government, having just apprehended a member of Force Orange, paid little attention to this contact. Force Orange responded by renewing its attacks on Green and Co., as well as by launching a SQL injection (SQLi) attack against BluWired, a tech magazine and website. Israeli intelligence (in contact with some Russian assets) warned the United States that a security breakdown might be in progress, but the U.S. misinterpreted this signal by focusing on Pentagon defenses.

In the final hours of the simulation, Smith3 contracted with a private company to give advice on tracking the lost information. Although this took several hours, technicians eventually traced the loss to Liaoning, China, then to Tallinn, Estonia, where the trail went cold. Meanwhile, RICO began attempting to sell data to potential customers. A prior arrangement with a Russian state defense firm broke down over a price disagreement. The Russians pushed feelers towards Brazil and Israel before coming to an initial agreement with a Chinese defense firm for part of the information. At this point the simulation ended.

Lessons Learned
This section borrows heavily from Dr. Vacca's account of the simulation, as his views are largely in accord with my own.

Communication Breakdown: Perhaps due to the subject matter, paranoia set in early at the simulation. Teams became reluctant to communicate with one another, and reluctant to convey their genuine concerns even while communicating. Organizations which had suffered attacks were reluctant to reveal the full extent of those attacks, believing that a true account would undermine the credibility of their security. This was especially true of Smith3, for which a reputation for security was a central asset.

Asymmetric Information: Communication breakdown enhanced the problem of asymmetric information, which is one of the hallmarks of these simulations. The United States was unable to draw together the disparate information it received about the security attacks, in no small part because the information was difficult to decipher and came in small, seemingly discrete packets.

Creativity Pays: The RICO team had a great deal of freedom of action, and used it to good effect. In order to make up for its lack of legitimate presence, the team (on its own initiative) developed a series of shell identities, which it used in collaboration with Germanicus to acquire intelligence about the other teams. RICO also responded in nimble fashion to the loss of access to Smith3, carrying out the high-risk, high-reward kidnapping of a Smith3 executive. Although Smith3 managed the damage as well as it could, this helped accelerate RICO's theft efforts. Similarly, Force Orange took advantage of the lack of political constraints by engaging the other teams in a public manner:

People Make Mistakes: As noted above, the simulation is designed to mimic an environment in which decision-makers choose poorly. As the simulation stretched into the early morning, the ability of students to process information and to maintain composure waned. The teams demonstrated much greater energy and acuity after a short break allowed for some rest and recuperation. Although seemingly obvious, this is a critical lesson for any organization; even crises that don't involve explosions can tax the wetware.

Consultants Will Outlast Us All: Germanicus, in the person of Dr. Vacca, received substantial (imaginary) cash payments from every team. Given the contradictory nature of team goals, this obviously meant working both sides of a problem at the same time. In this exercise Germanicus acquired a veneer of respectability through Dr. Vacca's association with simulation management, but even in the real world the vetting of consultants and other third-party actors can be difficult, especially in technologically challenging environments.

Conclusions
At the Patterson School we normally only run each simulation once; unlike the Army War College negotiation scenarios, we lack the opportunity to retool and tweak the scenario each time in order to improve outcomes. Were we to rerun this scenario, we would undertake some simple administrative changes, such as improving the access that each team had to information about the other (public) teams. In retrospect, I would not have paused the simulation at 2am, instead pushing forward with some additional events to keep the teams awake, interested, and paranoid.

Altogether, however, the simulation represented a valuable use of our time. Students became familiar with a wide swath of terminology just as major concerns over cyber-security hit the New York Times and the Washington Post. The architect and the participants should all feel proud of their achievements. Next week Patterson will release a podcast giving some personal accounts of the simulation, as well as greater detail regarding the course of events.

Monday, February 25, 2024

My F-35 Question

A question on the F-35:
Perhaps more importantly, rules of engagement are inherently political. Civilian leaders, and their politically attuned senior military counterparts, will draw up guidelines for combat in the context of political, not military, necessity. If the F-35 can only operate successfully in a BVR context (and to be sure the networking capability of the F-35 makes "BVR" a different proposition than with past aircraft), and if the civilians restrict the ability of the aircraft to operate under such conditions, then the utility of the fighter comes into grave question. This question is hardly academic, as potential peer competitors of the U.S. (including Russia and China) will undoubtedly take political steps to limit the ability of the F-35 to fight at full capability. Again, this may be even more true of the partner countries in the F-35 program, which often suffer from more rigorous political restrictions than U.S. forces.
Is the answer:

  • The surveillance capabilities of the F-35 and associated systems are so impressive that the politically problematic aspect of BVR engagement disappears.
  • The services expect to be able to muscle civilians into accepting their preferred ROE (perhaps using the F-35 as a cudgel in this effort).
  • The integration of technological means with political ends has not been fully worked out.
  • Some of the above.
  • Other.

Saturday, February 23, 2024

When You've Lost George Will.....

From George Will's column this morning:

"The sequester has forced liberals to clarify their conviction that whatever the government’s size is at any moment, it is the bare minimum necessary to forestall intolerable suffering. At his unintentionally hilarious hysteria session Tuesday, Obama said: The sequester’s “meat-cleaver approach” of “severe,” “arbitrary” and “brutal” cuts will “eviscerate” education, energy and medical research spending. “And already, the threat of these cuts has forced the Navy to delay an aircraft carrier that was supposed to deploy to the Persian Gulf.”

“Forced”? The Navy did indeed cite the sequester when delaying deployment of the USS Truman. In the high-stakes pressure campaign against Iran’s nuclear weapons program, U.S. policy has been to have two carriers in nearby waters. Yet the Navy is saying it cannot find cuts to programs or deployments less essential than the Truman deployment. The Navy’s participation in the political campaign to pressure Congress into unraveling the sequester is crude, obvious and shameful, and it should earn the Navy’s budget especially skeptical scrutiny by Congress."

Update: In response to Bryan Clark's comment, I need to clarify something. My reason for posting this was not to indicate agreement with Will's position or facts. Rather, I posted it to show the degree to which the sequester debate has alienated someone who is, generally speaking, a Navy booster. That said, Will is largely wrong on the facts and Bryan Clark is largely right. There simply aren't a lot of options available to implement the sequester's spending cuts in a fraction of a year, which is why O&M,N is a big billpayer.

Bryan McGrath

Thursday, February 21, 2024

Why Ship Numbers Matter, Part XXXVI

"Highlighting the continuing fallout from the Sept. 11, 2012 attack on an American consulate in Libya that took the lives of four Americans, defense officials told NBC News on Wednesday that the U.S. Marine Corps is on the verge of announcing a new group tasked with crisis response in north Africa and eastern Europe. The group, which will be known as the Marine Air-Ground Task Force, will likely be based at Naval Air Station Sigonella in Sicily, Italy.  The team will be capable of rapid deployment for responding to security threats throughout the region — including a U.S. embassy under attack."

And when you don't have enough of them, you do the next best thing, which is to land-base your force, subject to vetoes and restrictions from host-nations.

Bryan McGrath

Wednesday, February 20, 2024

The Unintended Consequence of the Earmark Ban

I have written here several times of my support for the discredited practice of "Congressional adds", or "earmarks". Nothing gets me branded a RINO faster by my friends on the right than my continuing sense that earmarks were in many ways good for DoD (I don't have an opinion on their value elsewhere). Earmarks were a method of keeping the bureaucracy on its toes, they contested the growing anti-competitive power of the federal labs, and they were a relatively efficient way of distributing resources MAINLY in helpful ways.

But let's face it--earmarks served an even more important purpose, one whose absence is on full display as our system seems unable to get out of its own way. Earmarks provided incentive to compromise. Incentives provided leadership with tools to influence outliers. Earmarks--to put it mildly--lubricated the system.

Committee assignments appear to be one of the few tools Congressional leadership has at its disposal to impose discipline, but as we saw in the Republican Caucus this year, even that isn't as powerful as "bringing home the bacon". And as long as no one is "bringing home the bacon", there is no incentive to bend to the will of leadership, and members simply have to answer to the folks back home, many of whom cheer their legislators (on both sides) along their paths to perdition. And there is little purchase in reaching across the aisle to fellow committee members to achieve goodness. A necessary and efficient internal control is gone, and the system suffers.

Now correlation is not causation, I'll grant that. But the little I know about how the system works leads me to believe that the "relief valve" that was earmarks was essential to proper system operation. Without it, the system has overpressurized and has ceased to operate effectively.

Bryan McGrath