Preface:
Tonight, CNN will be airing their coverage of the Bipartison Policy Center’s Cyber Shockwave event. I was an invited guest for the event held at the Mandarin Oriental in Washington, DC. To augment CNN’s coverage, I wanted to give my personal perspective of the event.
I tweeted throughout the live event, so feel free to review my @mareck tweets using the #cybershockwave hashtag. (Here’s a quick link to get to all the tweets I posted from that day.)
Also, see my initial quick thought posted after the event concluded.
I’m not sure what you are going to see on CNN. I only know what I saw in person at the Cyber Shockwave event. I have to admit – it was a good production: great stage, high quality multimedia. I think I can safely say you’ll agree it’s quite a “show.”
I think you’ll also like the premise of the show: bringing public attention to (another) serious issue that the country needs to be aware of. Unfortunately, however, you’ll probably also notice the lack of substance (and some reality) in the simulation.
First off, don’t get too tied up in that word, “simulation,” like I did. I look at simulations as analytic tools, that can hold up to analytic scrutiny after the fact. Other simulations I’ve participated in have been that way. Cyber Shockwave, however, was much more watered down. I think if you lessen your expectations, you might get a bit more out of the experience.
That said, it’s unfortunate that this event didn’t include experts in network security, hacking, social media, mobile technology and IT architecture. I think that would have brought a lot of substance and reality into the simulation. Within 30 minutes, I was already starting to note the wide gap between what I was hearing during the scenario and what I already knew from my experience.
I just don’t think the folks involved in the simulation “get” how real cyber attacks might happen. They should have taken examples from crowd-based hacking techniques used by groups like Anonymous (from 4chan fame). That would have helped significantly and it would have kept the scenario from going down the path it did.
You’ll notice how quickly the participants start blaming China and Russia and start looking for individuals who are responsible. Those of you more familiar with IT security, internet vulnerabilities and hacking trends will probably be as disappointed as I was. We know it’s much more likely that a major attack would come from a group of hackers from all over the world, connected primarily though similar ideology, discovered via the internet.
But, I’m not surprised that participants focused so much on obvious nation-states. It’s much easier to target those. It’s easier to think the problem is similar to nuclear proliferation, or something of the like. It’s harder, almost scary, to admit it might be more like terrorism and nontraditional warfare.
Midway through the scenario, you’ll be hit with news that improvised explosive devices (IEDs) were used to blow up some of the nation’s power grid. In an instant, the scenario turns from quasi-typical government response to ENTIRELY typical. I mean, of course there are IEDs… we understand IEDs. IEDs are “traditional” terrorism and we know how to react to that. So, now we can be certain who the enemy is and we can send out our troops to destroy them. To me, that was way too typical.
Introduction of the IEDs completely threw the scenario off course. Suddenly, the participants focus shifted from a cyberattack to full on terrorism on U.S. soil. I have to figure that responses to such terrorism is already being planned out by the Department of Homeland Security and about a hundred other federal, state and local agencies.
As I said in my previous post, you’ll also notice several spots throughout the scenario where participants point out that the private sector can help the government by providing software or services. That tainted my view of the whole event because it caused me to call into question the motives of the participants. I doubt all of them were taking advantage of the public forum, but I couldn’t help feeling like a few of them were.
For instance, at one point, the panel said that they wouldn’t “go to the President” with their recommendation without first having a discussion about what can be done over the next five years to prevent a major cyberattack. If this were a real attack, do you really think the President would be interested in a 5-year plan? He’d probably want an immediate response. Talking about a 5-year plan seemed to be a way to propose where the government should invest.
Also, at the conclusion of the scenario, each participant was given an opportunity to provide some final thoughts. Because my opinion was already tainted, I felt like some of the individuals used this time as an opportunity to market real-life corporate interests. I think former-government-now-corporate-executive folks who participate in these types of events need to be careful of an important fact: the appearance of being biased is just as bad as actually being biased. And most of us public can’t tell the difference.
I look forward to hearing your opinions on Cyber Shockwave after you have a chance to watch it tonight. Perhaps if enough feedback gets back to the Bipartisan Policy Center, it will help them to improve the next event they plan.
