CyberWar Games Highlight the Increasing Danger from and to an Interconnected World.
“The next significant cyber attack will likely involve targeting the connected ecosystem of a major business, municipality or nation state, setting off, whether on accident or on purpose, the ‘domino effect’ that forces a change in global power.”
This is the conclusion of the latest annual Symantec CyberWar Games excercise.
Each year Symantec builds a full kinetic representation of a new and emerging technology, and invites its 11,000-strong global workforce to attack it. Five years ago, it was ‘nation states’. This was followed by oil and gas and SCADA systems; then finserv; and then healthcare. This year the chosen target was the global supply chain; bringing together the various technologies that enable it (mobile devices, digital currencies, SCADA, autonomous vehicles, and commodities).
Samir Kapuria, SVP and GM of Symantec’s cyber security services, explained the multiple purposes of the CyberWar Games. The first is effectively a massive staff training session — a way of honing the threat IQ of its people and the collective IQ of the company. The second is to uncover new and emerging threat vectors and existing vulnerabilities; and the third is to feed that knowledge back to the industry and into its own products.
The CyberWar Games are open to all Symantec employees, and there are no restrictions on what skills can be used. “Everyone — from Accounts, HR, Marketing, Technical — is invited to take part in the first phase, which is online. From this, the top ten teams from around the world are flown into Mountain View where we have this large kinetic representation of real industry. Our technical staff would use their technical skills, but marketing and HR people might explore methods of social engineering since that’s more in line with their own expertise.”
The teams are given a goal. This year they were asked to examine the insider threat, extortion and what could happen if SCADA controlling an agricultural watering systems was breached, forcing over-watering and destroying entire crops. “Then we moved to ‘siege’, said Kapuria. “What happens if all of the autonomous vehicles and IOT devices are taken over in a command and control type manner, so that everything could be forced to stop at a certain time? What action could the government take, and what should it be?” The purpose is to examine how today’s technology could become tomorrow’s threat, and to learn how to prevent it.
(Image Credit: Symantec)
But this is not some massive simulation, like the flight simulators used to train pilots. “What we’ve done is create a safe physical environment for people to explore — explore and learn. We have no idea how each of these teams are going to do anything. This is one of the only industries where you have an active adversary changing the whole spectrum of the environment on a daily basis. The ground is always changing and evolving at a rapid pace. Because of that, we don’t create a fictitious simulator like a pilot’s simulation that has rules and parameters, where people have to fly within those rules.”
Doing similar within the CyberWar Games would introduce cognitive bias — would limit attack vectors to those already known to the games designers. “Instead, we build a planet; and say, here’s a planet, you figure out how to fly. We give them a task — but because it’s a complete kinetic environment, there is no imposed bias on how they might achieve that task.”
The CyberWar Games tap into the collective IQ of one of the world’s largest security firms — and what comes out is often a new and fresh look at possible attack vectors and the discovery of new 0-day vulnerabilities within that environment.
The results from the Games are best seen from last year’s event, since those have already been resolved. The Symantec wargames against the healthcare industry discovered 20 0-days in a three-day period — effectively two-fifths of all the 0-days discovered by the rest of the industry in the entire year. “When we discovered the 20 0-days in various healthcare technologies, from EMR systems to diffusion pumps and POS in pharmacies,” explained Kapuria, “the first thing we did was to engage all the different vendors, and the users we knew about through our managed services. Since we had the teams that discovered the attacks, we could also design the solutions — which we gave back to the industry.”
This year, the result of the games has highlighted what Kapuria calls the ‘digital domino effect’ enabled by the increasingly interconnected nature of society and commerce — the effect of a successful cyber-attack can ripple through supply chains. “While devastating to a business,” he explains in an associated blog, “the ‘digital domino effect’ could have a greater societal impact by escalating a seemingly small cyber attack to an exchange of global power and influence by targeting the production and trade of important commodities like oil, metals and agricultural products.”
During this year’s CyberWar Games, he continues, “teams were able to infiltrate multiple entry points within a business targeting the fabric of connected devices. They were also able to use these smart systems to string together a series of attacks creating that ‘digital domino effect’, leading to an ultimate shift in the global power and influence scale through commodities trading. Given these results, we can conclude the next significant cyber attack will likely involve targeting the connected ecosystem of a major business, municipality or nation state, setting off, whether on accident or on purpose, the ‘domino effect’ that forces a change in global power.”