After one week of Round 3 gameplay, here is a summary of ideas thus far:
Return to New Normal
· These attacks will inevitably alter the environment. Future attacks will occur, and society must prepare to respond to them, if not prevent them, accordingly.
· Regaining the public’s trust, in both the government and businesses, will be extremely difficult.
o Congress will attempt to enact legislation to regain the public trust, but given the current hyper-partisan state, executive orders are more likely in the short term
o Financial/Critical Infrastructure sector should create a separate network
o Use personal stories of cyber security hygiene to educate/encourage the public
o USG should use the crisis to leverage changes needed in industry and government (“never again”)
o USG should adapt the National Weather Service warning system for cyber/critical infrastructure incidents
o Responsible actors will need to be identified
o Create a cyber security ranking of top organizations by sectors
§ This idea came up repeatedly
o Tax Internet usage to cover “cyber insurance”
· Restore Operations
o Financial systems will be rushed back online, but other systems may take more time
o Private industry will restore capabilities with an eye to the future; USG will just get basic capability back up
§ There needs to be a mix of short term patches and long term solutions, but funding for the long term will be difficult until operations are back online
o Leverage disaster recovery structures (FEMA, Red Cross, Small Business Administration, volunteers, faith groups, etc.)
o Improving businesses’ ability to insure against cyber attacks
· Law Enforcement Options
o The need for information sharing is at an all-time high
§ FBI takes lead, but National Guard, DOD, and industry are all needed
o Increased National Guard capability would allow states to activate cyber response when needed.
§ Ex. Michigan Volunteer Cyber Security Corps
§ Players expressed support for an Action Plan on this
o USCYBERCOM could become its own combatant command
o Players also discussed establishing a centralized cyber security office at the national level
· Public Safety Options
o Information sharing across state and federal levels is key
o Social media can (and should) be used
o Local government will have to pick up more responsibility and increase the “boots on the ground” presence
· Physical Vulnerabilities
o There will always be a physical aspect to critical infrastructure and the Internet/cyber security; physical things can always be attacked. The key is how to mitigate risks against such attacks.
§ Multiple nodes and routes make the Internet the easiest to mitigate.
§ Critical infrastructure could mimic the Internet – more distributed
· Network Vulnerabilities
o Increase password standardization and security
o Build a quicker response capability
o Develop a warning system
· Public/Private Balance
o Practicing cyber security needs to become an individual responsibility
§ Is access to the Internet a right or a privilege?
§ Should the common citizen be credentialed to use it?
· How would this be enforced both domestically and internationally?
· Mandate that all devices have a NIST-defined base level of security – give the consumer/manufacturer a tax break for these
· States license other aspects of citizens’ personal lives, why not cyber security practices?
o USG needs to let/encourage private industry to take the lead
§ USG can provide incentives for innovation
o USG will push for additional authorities, but the public may still be wary.
§ Centralized task force/agency
o USG should collaborate with, and incentivize, the utility industry vs. nationalization of utility infrastructure
§ Disagreement over whether private sector actually does a better job than the government
§ International examples of both failure and success
§ Consistency vs. potential for corruption
§ After much debate, the “establish standards and incentivize industry” side won.
o Harsh penalties for cyber criminals
§ Not all offenders are domestic; many are difficult to individually trace
§ There could be penalties for companies that fail to address cyber weaknesses
o Legislation will have to be coordinated across federal and state governments
· International Response
o Develop and share an international blacklist to document all the sites and files that propagate the virus and block access to them
§ How would this work?
o Cyber security assistance programs to help countries with rogue actors
o Future aid to countries could be tied to their level of cyber security
o Desire for a strong IGO to handle international cyber security is high, but realistically unlikely
o Further “internet balkanization” is now another risk
o Cyber savvy countries may make pitches to become new financial/commercial/cyber capitals because they are safer
· Cultural Shifts Needed
o Practicing cyber security hygiene is a common responsibility
§ Training can come from national standards, but demographics will determine how it is practiced on the ground level
§ Education becomes standard, such as civics classes
§ Is the younger generation willing to change its practices? Can the older generation be trained at all?
o Should these initiatives be led by the USG or industry?