Simulating a Cyber Attack

Last week the Patterson School simulated a cyber attack against U.S. defense contractors. The results were not encouraging.

Last week, cyber-security concerns burst onto the stage with a series of articles linking the People’s Liberation Army to hacking of various U.S. institutions.  The source of these articles was a report from Mandiant, which detailed a selection of Chinese cyber-espionage efforts.  These efforts included attacks on nearly 150 firms and institutions, most often with the object of gaining access to valuable intellectual property.

While international espionage is nothing new, this manifestation of espionage is the result of several trends, including the information revolution, the growing importance of intellectual property to the international economy, and the increasing capacity of NGOs and substate organizations to conduct major, independent intelligence-gathering operations.  Indeed, some doubt remains as to the extent to which the activities of “Unit 61938” can be directly attributed to the Chinese government, as opposed to parochial business interests within the PLA. In any case, the Mandiant Report has sparked a vigorous debate about the appropriate U.S. response to cyber-criminal activity, whether Chinese or not.

Coincidentally, my institution (the Patterson School of Diplomacy and International Commerce) ran a simulation last week on a cyber attack against U.S. defense contractors.  Although the simulation abstracted a great deal from reality, it nevertheless provided some policy lessons.  The attackers in our simulation (representing a Russian criminal organization rather than the PLA) shied away from directly assaulting U.S. government institutions, instead focusing their efforts on a law firm associated with several contractors.  The attackers hoped to gain access to intellectual property, including patent applications and trade secret information, as well as patterns of communication between the firm, the government, and the contractors.

In our simulation, the attackers substantially succeeded in most of their goals, although they did run into some difficulty selling the information. The most important lesson we learned is that poor communication between government and private organizations can doom cyber-defense efforts.  In our case, the law firm only reluctantly relayed its concerns about a breach to the government and to its clients, leaving the attackers with ample time to conduct their theft. This reluctance was hardly irrational; the perception that secrets could be at risk would prove devastating to the firm’s business prospects. Although our simulation did not subdivide the U.S. government (by creating different teams for different departments), similar dynamics surely complicate interagency responses to cyber-attacks.

As noted, the Patterson School simulation abstracted from reality in several critical ways, and in any case concentrated on accomplishing goals other than realistically portraying a major cyber attack.  Nevertheless, the simulation described a series of events more likely to characterize the experience of soldiers, sailors, policymakers, entrepreneurs, and the leaders of non-governmental organizations than the various “hot war” scenarios that often occupy organizational time and effort. Not all future conflicts will occur in digital space, but many will, and developing the proper human and organizational capital for managing such conflicts is a critical task for government and academia.