Just when you thought that the buzz over the Bipartisan Policy Center’s (BPC) Cyber ShockWave attack simulation would diminish, the BPC’s working group of former White House, Cabinet and national security officials reconvened for a briefing Monday on Capitol Hill.
In a follow-up to the February simulation that demonstrated the nation’s cyber and network communications vulnerabilities, panelists offered their final thoughts on the groundbreaking project.
David Batz, Manager of Cyber and Infrastructure Security at Edison Electric Institute, warned the audience that new and emerging risks are inevitable as our society increasingly depends on technological systems. He wondered how policymakers will balance security and privacy concerns going forward. Drawing on the evolution of car safety laws, Mr. Batz suggested minimum security standards for private networks as a mechanism to boost standards. In the end, he insisted that incorporating the voices of private sector operators is vital for future cyber attack simulations.
Stewart Baker, former Assistant Secretary for Policy at the Department of Homeland Security, emphasized the problem of attribution—detecting a threat, whether it is a bug or a system-wide breach, can prove extremely difficult. Like Mr. Batz, Mr. Baker cautioned against frayed relations between the national security apparatus and the private sector. In the middle of a crisis, he said, officials must lean on those who built the systems in jeopardy; whether or not those operators have adequately protected their creations is crucial.
Both Michael Chertoff, former secretary of Homeland Security, and Dr. Catherine Lotrionte, a visiting professor at Georgetown University and Associate Director of the Institute for Law, Science and Global Security, recommended the declaration and implementation of the nation’s offensive and defensive capabilities. Response tactics such as the quarantine of affected systems must remain available. Even today, two decades removed from the fall of the Berlin Wall and the end of the Cold War, deterrence is a viable factor in defense circles.
Providing a summary at the conclusion of the briefing, Mr. Chertoff spoke about the limits of the simulation, but argued that it did flush out some important questions. What happens now? Who owns what? What are our capabilities? With whom does the necessary authority lie when an attack occurs? The nation is in dire need of a clear policy, and international rules and expectations for cybersecurity are no doubt on the horizon.