The "Digital Pearl Harbor"

birther truther tenther
« on: December 10, 2010, 12:23:59 pm »

In July 2002, Gartner and the U.S. Naval War College hosted a three-day, seminar-style war game called "Digital Pearl Harbor" (DPH). Gartner analysts and national security strategists gathered in Newport, Rhode Island, with business and IT leaders from enterprises that control parts of the national critical infrastructure. Our objective was to develop a scenario for a coordinated, cross-industry cyberterrorism event.

Results of a post-game survey indicate that the DPH game experience had a profound impact on the participants: 79 percent of the gamers said that a strategic cyberattack is likely within the next two years.

DPH participants played the roles of terrorists, devising coordinated attacks against four national critical infrastructure areas: the electrical power grid, financial service systems, telecommunications and the Internet. Their goal was to determine if a cyberattack could create a crisis of confidence that would shift the strategic balance of power, at least temporarily. Since the game did not test defenses against cyberterrorism, the questions of whether a real attack would achieve the goals set in the game and how much economic damage it would cause are still open.

The question as to whether cyberterrorism is a realistic threat is resolved. DPH skeptics abound, of course, and level many criticisms, but two criticisms stand out.

The first criticism is that by engaging in this type of exercise, we are opening Pandora's box, showing those with malicious intent what could be done. Good point, but before we started, we ran this issue by national security officials, and as one of those officials succinctly put it: "The bad guys already have the knowledge of these systems, and they know what they are going to do." The purpose of the DPH game was to get inside the opponents' heads. All of the data and information created in the DPH game underwent a national security review before we published our analyses.

The second criticism is that there are no new lessons to be learned from the DPH game. Good point, and really a very daunting criticism. Yet, how often do we hear from these same critics: "If only enterprises (or users) would follow good IT security practices ..." But good practices are very difficult to follow. How many readers have ever installed a new operating system or application on their home PC, only to spend the next several days trying to get the PC to work again? Multiply that experience by thousands when you are talking about enterprises installing new applications, security patches and system connections on hundreds or thousands of servers, mainframes and PCs. Preventing such downtime requires deliberate, linear steps that take time, people and money. DPH-type exercises help identify the threats, improve risk management processes and, in turn, prioritize resources for IT security activities. As one military commander put it: "We must shoot the closest wolf first."

Nevertheless, the skeptics have history on their side (as do all Luddites at the dawn of a new era): there has never been a cyberterrorism event. Or has there? Electrical power grid failures in some parts of the world, such as Western India, are so common that tampering with the grid to test cyberattacks could go unnoticed. This path leads to conspiracy theory oblivion, which is one of the reasons we ran the DPH game: to determine what is really possible by a cyberattack.

Even skeptics of a DPH-type attack must acknowledge that our enterprises are under small-scale cyberattacks every day; hence, we are confident most readers will find our analyses of the DPH war game at least somewhat useful and very interesting.

Featured Research

'Digital Pearl Harbor' War Game Explores 'Cyberterrorism' By French Caldwell, Richard Hunter and John Bace

Security Best Practices Will Do Most to Foil Cyberterrorists By Paul Schmitz, John Mazur and Rich Mogull

Cyberterror Poses Growing Threat to Financial Services By John Bace, Annemarie Earley, Vincent Oliva and David Furlonger

Utilities Should Upgrade the Security of Their Operations By John Dubiel, Kristian Steenstrup and Paul Pechersky

Prepare for Cyberattacks on the Power Grid By John Dubiel, Kristian Steenstrup and Paul Pechersky

Telecom Is Secure but Not a Cause for Complacence By David Fraley and Ron Cowles

Could Terrorists Bring Down the Public Switched Telephone Network? By David Fraley and Ron Cowles

Terrorists Could Hijack the Internet By Ron Cowles and John Mazur

Recommended Reading and Related Research

Force Vendors to Make Software More Secure By Arabella Hallawell and Rich Mogull

Cyberattacks and Cyberterrorism: What Private Business Must Know By Rich Mogull and Richard Hunter

Dealing With Cyberterrorism: A Primer for Financial Services By David Furlonger
