Rigging War Games to get the result you want….
Playing “war-games” like those played by the “good guys”, i.e. the US and allies, is akin to setting up a game of “Monopoly” and controlling each roll of the dice to ensure that you end up with “Mayfair” and 2/3 of the 3 remaining players get all the other good stuff and the remaining person, (the bad guy) is left to defeat the rest of you….with the probability bias!
And guess what? They do!
Malcolm Gladwell in his book, “Blink”, relates such a story of war games undertaken before the first Gulf War. An “old head” (Lt. Gen. Paul Van Riper) is assigned as the leader of the “Red Team” (the bad guys) - left with nothing but his mind, experience and gut feel to base his attack and defence upon. The good guys, the “Blue Team” use computers, simulations and data crunching to develop their plans. Surprise surprise….the old head destroys the major force of the good guys within a day. Game over you would think, but hey, this is a war game…..let’s change the rules to suit us……
The rules are changed and the Red Team is crippled big time in what they can do. History is wiped and it all starts again. Surprise surprise…..Blue Team wins!!!! Everyone celebrates and now believes they can invade a country like Iraq and win the war quickly! Hmmm…….
Why am I talking about this? Let’s move onto one of my favourite topics of the year, not talked about in a few months – Cyber Storm (in a tea cup) II. Related posts:
http://beastorbuddha.com/?s=cyber+storm
Thanks ZDNet for this post.
Let’s look at this:
Firstly, we all expected the results to be released for broader review. They never were to my knowledge but correct me if I am wrong. Thank you to the dudes that worked to get this under the “Freedom of Information”. Well done…it should have become more widely distributed!
The Big Galoot adds comment here about the first point:
“The jaw-dropping comments obtained by AAP was this pearl of wisdom; “Freedom of Information documents, obtained by AAP, show the participants, which included the private sector, were surprised by the “borderless nature” of cyber attacks and the “speed with which they can escalate”.”
Hang on a second. ‘The participants were surprised by the “borderless nature” of cyber attacks’ ????? WTF???
I seem to recall there’s this thing called ‘The Internet’, a borderless electronic communications tool. We humans have been using it for quite a while now. Miraculously, we can actually communicate with the other side of the world using computers, and a thing called TCP/IP, in a matter of nano-seconds, apparently. No border guards with snarling Alsatians, no immigration checks. Magic !
All of which begs the question. You could easily forgive native highlanders living in the remote jungles and mountains of New Guinea for not knowing about the internet. But how on earth, in this day and age, could anyone living in civilised society, be ‘surprised’ by the borderless nature of cyber attacks?
What’s worse is - these ‘participants’ of cyber storm II are the same guys that are entrusted with protecting our data. It’s no wonder they didn’t want us to know the actual details of their cyber storm. What an embarrassing debacle.
God help us all !”
Now moving on to other quotes:
“Contingency planning must include potential flow-on effects,” the final report into Cyber Storm II states.
Really, did we just learn this in 2008? This is about as dumb as saying that should the US have financial / economic problems, others may feel the effect!!! We have known this for years!!
Okay, more:
“An important learning was the need to formalise lines of communication between government and industry to ensure that the scope of any problem is properly understood to enable a coordinated and effective response.”
A nice lovey dovey statement that really exists in only the report and in no way actually starts to make things happen!
NOW THE BIGGEST OF BIGGEST BS STATEMENTS…WTF?
“The report says Australia passed the games without major faults being uncovered. ‘The exercise proved that the major elements of the national response arrangements are sound, but as expected also found a number of areas where improvement would be possible.’”
We “passed” but we could improve? What a load of crap! We work in this space every day and we know what we can do and what is possible. Securus Global would not pass “Australia”!!
End of the day, if you set up a war games exercise and play it out to your expected outcome, you are always going to win. This is what Cyber Storm does and if you expect me to believe anything else, please provide me with some information that hasn’t been provided so far. I may probably learn something that I don’t know because I wasn’t involved, but then again, I would like to think that I would also be able to demonstrate some reality into the “game” from actual experience in doing this for many years with my teams…..but then…..we’re not looking for realistic outcomes here are we?….(like the Gulf Wars). We’re just wanting to show that we can win. In which case, reality is not a pre-requisite to any of this.


October 6th, 2008 at 2:05 pm
Am I getting more militant, black-o(o)psy’… Time to think the unthinkable?
I feel like we need a homegrown ‘FightClub’ but of an even more insidious cyber nature.
The decadence and complacency of a generation ill aware of the role code plays in this life will be our downfall.
One can nearly see how puritanical/extremists justify their actions. Do the needs of the many outweigh the needs of the few? Yes I am the Kwisatz_Haderach
October 7th, 2008 at 8:06 pm
It is important to remember the key objectives of CyberStorm because success is not only determined by outcomes, but also from requirements.
The key CyberStorm outcomes are*:
* Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects;
* Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures;
* Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and
* Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.
*http://www.dhs.gov/xabout/structure/editorial_0839.shtm
Nowhere here does it say “make the internet secure” or “liaise with the private sector to fix most common system vulnerabilities” or anything of the sort.
When I was a Fireman, we used to perform routine exercises whereby we would go through our response plan for various scenarios to make sure when the real thing hit, we would all know what to do, and to see if there were any improvements that could be made to the plan.
At no point did we attempt to determine how easily a house could catch fire, or what we could do to stop houses from catching fire in the first place - while valid, these were a completely different exercise.
Things like equipment, communication and strategic thought were key and helped enormously when we were called to respond to a fire.
While they didn’t in themselves stop any fires from starting, these were completely successful and saved much property and many lives.
It’s the same for CyberStorm - having worn incident response shoes before I know that the hardest part is equipment, communication and strategy.
We don’t need to have a capture the flag style event across countries because we already know what will happen - in the same way that we don’t need to test nuclear bombs anymore because we know what happens - things blow up.
Should the results of cyberstorm be revealed so we can all determine for ourselves whether or not it was a success and good use of our hard earned money? Maybe. Or better yet how about releasing all the useful outcomes for us so we, as a community can be safer - well in a way they have.
Run your own CyberStorm and see how you go. List various scenarios and see how you would react - how you /could/ react.
Then update your risk register. Without attacking a single system you may well have solved the biggest problem in security that we all harp on about all the time.
Incorrect risk assessments.
Maybe CyberStorm was worth it after all.
October 8th, 2008 at 3:46 pm
Erm, this feels like trolling, ah well
I do agree with you once the “intent” of the exercise is defined.. however…
Known knowns.
Known unknowns.
Unknown unknowns.
Nuclear bombs go boom as they were engineered to and have a blast radius. We can detect the results relatively easily.
Enough houses *have* gone on fire for us to know what happens and how. Data has been shared.
Am going to play devil’s advocate and say, how does one engineer a process around a set of unknowns. This then moves from engineering and applied science back to pure science. “A scientific method consists of the collection of data through observation and experimentation, and the formulation and testing of hypotheses” Wikipedia
I just think we are ahead of ourselves. Complex stuff fails complexly. Determinism should be the flavour of the day… but our ecosystem is vast.
Feynman: “For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.”
Physics, space time compression, cost and value have all changed in cyberspace… humans haven’t!
October 8th, 2008 at 5:42 pm
“how does one engineer a process around a set of unknowns.”
Good point D2. How indeed - and that is precisely the point of CyberStorm.
October 8th, 2008 at 10:54 pm
If we head down the Australian Wheat Board investigation path into dealings with Saddam and decide due to politics and protection of the guilty that we create a scope – i.e. called in cases like this, a “terms of references” - read: anything bad that could come out of this or anything that could implicate poor or negligent practice by “senior people” will not be considered in scope, then, with such “war games”, it doesn’t matter what the outcomes are or are not! We’ve done something that in the eyes of the majority, looks like we are on top of this and are acting in a manner that should be perceived as trying to “protect” and “serve” the interests of our country – individuals and business!
Waffle waffle waffle waffle….
Cyber-Storm I - Lessons learnt: ????? Nothing noticed nor measurable.
Cyber-Storm II – Lessons learnt: ????? Nothing seemingly released to business and community in general. Nothing noticed since then nor measurable.
Now maybe I am not close enough to this and that is a definite but surely the purpose of these exercises is to spread information and for that information to be turned into something that improves a position in a “war” scenario…ie; supposedly a war happening now? As an aside, where this differs to other “war games” is that we play these games while the real “war” is happening. Surely we don’t have the resources to play games while the actual events happen around us? That’s something to think about – play the game, analyse the results, plan what we should do, do it (yeah right) and then play another “war game” in 2 years time to see how we are going?!! WTF?
Genghis and the hordes have destroyed everything in their path. Their arrows are killing people through our (fire)walls but let’s play games to assume/predict what they could do based upon the knowledge of a few “select” companies with real “bad-assed” hacker dudes (sarcasm extreme) to predict how bad it could get…..you get the gist……..
Bottom line is pretty much as D2 has put forward….we’re past the BS theoretical of it all and should be well past thinking about what we know and thinking about what we don’t know and how to build a capability (study) on approaches to dealing with that! A big macro-level exercise based upon what we already know does nothing….which then begs the question, are the people running this only getting to that level of knowledge that we in the industry have had for a long time?
Didn’t most of us go nuts at the TV screen every time Bush and Howard talked about how smart their approach to Iraq was and the work they were doing was for the good of the world? Flame on….Since when do we trust government to be doing the smart thing? With Cyber Storm exercises, I am yet to be convinced we have any positive and measurable outcomes!
October 9th, 2008 at 8:50 am
If Cyber Storm (in a teacup) were such a resounding success, why are we still all in the dark as to what went on? It’s the very reason we’re still arguing about it. Point is, no-one, outside the participants, really knows.
I and others attended a 40 minute briefing on the so-called ‘results’ of Cyberstorm II at AusCert. What we got was a load of ‘high level’ platitudes, meaningless jargon-drivel and a bucketload of repetitive statements about Cyberstorm being “a Capstone project” (whatever that means). What a load of old codswallop.
No doubt they’d say it’s all “need to know stuff”, old chap. Thing is, we, as information security professionals, need to know. Not everything, mind you, just the guts of what happened.
Yep, I’ll continue to call it Cyber Storm - in a teacup.
October 9th, 2008 at 9:36 am
@BG
>If Cyber Storm (in a teacup) were such a resounding success, why are we still all in the dark as to what went on? It’s the very reason we’re still arguing about it. Point is, no-one, outside the participants, really knows.
This is the key point - we don’t know.
Would it be fair to summarise the criticism to:
* CyberStorm is great but it does little to solve the deeper issues of Information Security.
* The lack of public disclosure inhibits the spreading of information back into the community which could well assist in the first point, and will help to shut up a whole heap of narky consultants who are frustrated because they genuinely want to make Australia a more secure place and see it as a lost opportunity.
One question I have is that other countries involved with the CyberStorm exercise engaged more specialist private firms to give a more realistic focus to the attacks - but Australia did not.
So, I happily put up my hand to assist with CyberStorm III*
*Revenge of the Sith ?
October 13th, 2008 at 2:21 pm
@Dec,
re:
“Would it be fair to summarise the criticism to:
* CyberStorm is great but it does little to solve the deeper issues of Information Security.” etc.
I s’pose it all depends on your interpretation of the word “great”.
I’ve had great cold beers, great fishing, great food, great flying.
Was Cyberstorm “great” ?
Who really f%$@ing knows? But with the little we do know - I’ll err on the side of it having been an expensive fizzer.
BG.