As Russian cyber attacks ramp up on the West, the U.S. has been running war game-style simulations with spies and banks to play through what would happen in the event of a huge attack.
Several scenarios imagined a strike at the American financial system, whether by a hostile country or private criminals, and used the military concept of ‘war games’ for this civilian context.
‘Say you walked into your bank one day and their logbooks of all their customer accounts had been wiped clean,’ said Ben Flatgard, until recently Director of Cybersecurity at the White House, and one of those who set up the games. ‘We simulated a destructive malware attack like that to see, how would you recover?’
‘We also planned an attack on the companies you never heard of but that run the back end of a lot of banks, the guys that oftentimes actually make your ATM cards and credit cards. Or in equities markets how do you defend an attack against the machinery that allows banks to settle transactions with one another?’
Cyber attacks for both political and financial gain have begun to proliferate, with the highest profile case being Russia’s alleged tampering with the US presidential election in November. Germany and France are preparing to be attacked during elections this year, and Hans-Georg Maaßen, the head of Germany’s Federal Office for Protection of the Constitution, has issued a statement warning that Russia is attempting to sow ‘uncertainty in German society’ and ‘weaken or destabilize the Federal Republic’.
The most shocking example to date has been in the small Balkan country Montenegro, which came under a barrage of cyberattacks during its elections in October. Senior sources in the British government have also said that an election-day plot to storm the Montenegrin parliament and assassinate the prime minister – foiled only hours before it took place – was directed by the Russian secret services.
The internet is becoming ever more developed as a theatre of war, allowing countries to attack one another without anyone getting killed. ‘Certain countries have tried to push that limit,’ said Flatgard. ‘We’ve seen it with Chinese theft of intellectual property, Iranian DoS against the U.S. financial system, countries figuring out where that line is and what the consequences of their action might be.’
Nor is it only countries doing this. Hackers using ‘ransomware’ have started locking institutions – anything from hospitals to Austrian hotels to San Francisco’s public transport agency – out of their own systems and demanding money to let them back in. The requisite software for credit card fraud can be downloaded from the internet – and its creators run help desks for fraudsters with technical problems. An Australian man has been sentenced to two years in prison after hacking into the Queensland waste management system and spilling millions of litres of raw sewage into parks and rivers simply because he’d been turned down for a job.
The financial sector exercises have been centred in the U.S. around the ‘Hamilton series’, named after Alexander Hamilton, appointed by George Washington as the first U.S. treasury secretary (who was killed in a duel and is now the subject of a hit Broadway musical). They bring together dozens of people from the NSA, the FBI, the White House, regulatory bodies, financial services firms and banks both big and small. These groups play through each scenario in real time, making decisions and explaining what they would do as each development occurs.
The idea is that just by talking them through, the weak points in the system become apparent. One consequence has been the creation of ‘Sheltered Harbour’, which backs up banks’ ledgers in case their records are wiped. Set up in 2016, it covers around 60% of U.S. retail bank and brokerage accounts and much more participation is expected in the future.
Another result has been the recognition that the legal and business decisions needed to respond to an ongoing attack – such as whether a bank should step in and support another bank which is under attack – have taken far too long to make. For example, regulatory hurdles mean it could take weeks to get a government expert on-site at a bank under attack. Agreements have now been worked out in advance with some 20 financial institutions, so that they can just flip the switch if something happens.
Because both finance and hacking are international, war games have also been run with British counterparts, including MI5, MI6 and the Bank of England. Again the scenario, called ‘Resilient Shield’, was destructive malware wiping bank records and, to make it more realistic, the players were not in the same room, but on opposite sides of the Atlantic, trying to co-ordinate their defence over the phone and via teleconferences.
‘All these things we’d hypothetically discussed previously, but when it comes down to brass tacks, it was pretty obvious that we didn’t really have a great system for doing so,’ said Flatgard. ‘And what’s unique is that the intelligence community doesn’t often get to talk with all these people. They’d never talked to the regulators for the most part, so now when they see some sort of threat, we have a much smoother ability to connect the intelligence with the subject matter experts who really understand how these different sectors work.’
International co-operation of this kind could even lead to joint operations against the perpetrators, and a UK team has also run through an attack on a US nuclear power plant. The team went to the national labs in Idaho to run the war game on actual power plant systems in a controlled environment. Similar co-operation with more countries, though undoubtedly useful, runs into some practical limitations: the U.S.-UK game involved around 70 or 80 people; bringing in another country would make those numbers almost unmanageable.
Nevertheless, there are always more aspects of national systems and our daily lives vulnerable to cyberattack, not least because of the Internet of Things: mobile company Ericsson estimates that there will be some 26 billion connected devices worldwide five years from now. And as there are no borders on the internet, international co-operation may turn out to be crucial.