Most teams urged against retaliating in kind with a comparable cyber attack or exercising traditional military power. Cobalt was not devastating, and Russia was not clearly the culprit. Several groups advocated diplomatic engagement, echoing the approach taken by the actual U.S. government just one week earlier during the informal summit between President Obama and Chinese leader Xi Jinping in Rancho Mirage, Calif., where cyber espionage was among the topics discussed.
But, again, espionage is not the nightmare scenario—nor is the shutdown of 13 oil refineries. Still, halfway through the student competition in Washington, D.C., when the scenario was updated with new (fake) intelligence indicating a severe escalation of the Cobalt situation, policy recommendations began to veer more toward displays of cyber and physical force by the U.S. military.
The update was alarming: three oil pipelines in the Gulf coast region had been shut down, following malfunctions, and several other pipelines in the region were taken off-line to search for Cobalt infections. Meanwhile, supervisory control and data acquisition system vendors in the U.S. and Germany were experiencing a distributed denial-of-service (DDoS) attack, and several terminals and servers in Russia had been identified as responsible for both the DDoS attacks and activation of the Cobalt malware. The stock market was dropping like a rock, and several private sector firms appeared poised to carry out their own form of vigilante retaliation against Russia by trying to identify and penetrate or cut off the responsible parties’ servers and networks.
The teams had to come up with a response to this escalation within hours. The time pressure was intense, and as the situation grew more serious, the consensus for diplomatic engagement dissolved. The 19 groups suddenly diverged considerably about what the proper response should be. The 65 students, all in their mid- to late 20s, wearing business suits and military uniforms, filled every open classroom in the American University’s School of International Service, whispering feverishly about whether the U.S. should launch a DDoS attack of its own, bomb the Kremlin, invoke Article 5 of NATO to set in motion a collective defense by U.S. allies, or authorize the members of the private sector to exact their own revenge by working among themselves to shut off connectivity to pieces of the network carrying malicious traffic or to infiltrate or flood the responsible servers.
What does this say about how the U.S. government would respond to such a situation? The recent cases of high-volume espionage of China, which are considerably less intrusive than the fictional Cobalt attacks, don’t give us much to go on. Would the U.S. stick to diplomacy or turn bellicose?
The more important question is: How well prepared will the U.S. be if and when an attack comes? Considering how a cyber attack would play out in the heat of the moment may be more exciting than the reality, because by the time an attack occurs many of the options may be practically preordained by the security controls we have in place. Preparation determines the quality, agility and sophistication of answers to mundane but important questions: What kinds of security standards are in place for critical infrastructure networks? Who sets them? Who enforces them? What threat information do companies and government agencies share with one another? How do they share this data—and how quickly? The ability to answer these questions will ultimately determine the impact of a large-scale, sophisticated computer network breach. And because the Pentagon has asserted that its response will be commensurate to the impact of an attack, rather than the means, how effectively we prepare will play a major role in influencing what our response ultimately looks like.
We may soon know what the U.S. government would do. Many people in the field are expecting to see a major breach soon. As former CIA and NSA director Michael Hayden predicted in his keynote remarks to the students at the cyber challenge, “By the time you do this next year, you won’t have to be so imaginative in creating the scenario.”