The U.S. government and private companies could be caught flat-footed if a nation-state hit the software supply chain with malware or a worm. That’s the conclusion of a report, or “after-action memo,” released Tuesday .
In October 2018, the Foundation for Defense of Democracies and The Chertoff Group held a tabletop exercise hypothesizing what would happen after a cyber-enabled economic warfare, or CEEW, event.
A strike as such would be intended to cripple the country’s economy and infrastructure. It could a severe impact, affecting food supplies, healthcare and financial services, possibly sparking a public panic.
The exercise involved former government officials from the CIA, NSA the FBI, as well as a dozen top executives from industries including energy, and manufacturing.
According David London, senior director at The Chertoff Group, some executives are realistic that they may not get much immediate assistance from the government.
Lack of Technical Data Sharing
The idea is to jump start initiatives that would help an array of industries anticipate an attack would affect their operations and what government resources are available.
Although the U.S. government has been working to strengthen its capacity and private sector cooperation for reacting to major cyber incidents, there’s agreement it may not be enough. London states that there has been some progress, as many critical industries such as finance and energy are participating in collaborative groups.
London states, there is a lot of embedded and highly regularized coordination, but when you take a cyber scenario and put it on steroids … those models can start to fray.
Policy analyst Annie Fixler at the Foundation for Defense of Democracies, believes there are concerns that with a lack of U.S. government support, private companies may try to directly engage foreign governments to call off an attack. This could result in a violation of the Logan Act of 1799, which forbids unauthorized people from negotiating with other governments.
The interactions with foreign governments may run in direct conflict with what U.S. government is planning in response to the cyberattacks. The U.S. governmenteeds to convince the private sector that it can and will come to their defense in a CEEW scenario to pre-empt them from taking independent actions.
‘Feel the Pain’
Russia was blamed for the The NotPetya malware attack, and is thought to have been a test run to see what kind of damage could be inflicted on another country. The malware was implanted in a software update for a type of Ukrainian accounting software.
However, because it was a worm, it quickly spread outside Ukraine, causing hundreds of millions of dollars in damages for companies including FedEx, shipping company.