
Behind Closed Doors with the National Security Council

A cyber war game gets played out in front of RSA attendees, underscoring the challenges decision-makers would face if a hostile nation launched a serious cyber attack

Think your job is a challenge? Try being a crisis manager inside the National Security Council scrambling to keep up when these headlines cross the transom: 

  • United States intelligence services uncover new military dimensions to Iran’s nuclear weapons program.
  • Tehran’s leadership refuses all access to weapons inspectors.
  • The Trump administration plans to withdraw from the 2015 agreement the US signed to ensure Iran’s nuclear program would be exclusively peaceful.
  • The administration says it will reinstate sanctions and warns of unspecified “military remedies.”
  • Iran claims the right to consider pursuing a nuclear weapons program and reaffirms its right to continue the development of long-range ICBMs.

RSA attendees got a chance to hear from former government officials how they might respond to this kind of shifting war game scenario. It provided a rare opportunity to see how decision makers would go about managing an escalating security crisis that involved both cyber and so-called kinetic attacks on people and property.

In this particular war game scenario, US financial and critical infrastructure targets were being hit by repeated cyber attacks. Participants in the crisis described a pressure-cooker atmosphere at the National Security Council where rapid response measures would need to get decided with the participation of other arms of the government amidst sometimes conflicting and incomplete information.

And then things go from bad to worse.

  • While the hotlines between the world’s capitals are buzzing, a series of major cyber attacks gets launched against the US.
  • Financial institutions report the theft of $1.5 billion.
  • Confidential documents belonging to Congress as well as to major US-Israel interest groups get hacked and leaked to the press.
  • US intelligence agencies suspect the involvement of Iran’s Islamic Revolutionary Guard Corps but cannot confirm their information.

Working off a pre-determined plan, decision-makers would now find themselves improvising as new data landed on their desks.

“We would dust off our incident response playbook but we wouldn’t be limited by the playbook,” said John Carlin, a former Assistant Attorney General for the U.S. Department of Justice's (DOJ) National Security Division. He described a non-stop communications thread between the State Department, the Defense Department, the Department of Homeland Security and state and local governments in a bid to start deploying assets.

Meanwhile, the government’s initial response would also involve reaching out to Congress to provide asset response assistance – including help eliminating any malicious actors attacking cyber networks, said Suzanne Spaulding, a former Under Secretary for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security.

But this is a highly fluid situation, where military considerations would get intertwined with cyber security concerns and speed would be a priority.

“We’ve always been too conservative about attribution. I think we’d need to be more forward-leaning and that it’d be safe to assume it was the IRGC,” said Eric Rosenbach, who served as Chief of Staff to former Secretary of Defense Ashton B. Carter during the Obama administration. “Should it matter who gave the order? I think it does matter because it will help us calibrate our response. We would have to make sure that senior Iranian leaders understand that escalation is happening quickly and if they want to continue, they’ll need to think very carefully about that.

“In the past,” he continued, “the Iranians have been very successful at getting into DOD networks. We can’t just sit back and watch these guys attack us. We need to make sure they understand it will be a costly effort if they continue to attack the US.”

At this stage, Rosenbach said it would be reasonable to expect the Iranians to try and test the White House to gauge whether the administration was ready for outright war.   

Crisis in Spades 

Meanwhile, a new intelligence bulletin just came through ratcheting up the crisis: The US has now positively attributed the reported cyber actions to private contractors tasked by the IRGC.

Other new information includes the following:

  • New cyber intrusions attack Israeli critical infrastructure assets.
  • A cyber attack against the LA subway system has resulted in a train crash. Unconfirmed media reports indicate fatalities.
  • US intel now believes Iran may have access to other metropolitan transport systems in the US.

The latest information would confirm the fact that this is an armed attack against the US, according to Rosenbach. “All the facts line up and there’s death and significant economic consequences.”

While teams worked on providing a list of options to the White House, the Pentagon by this time would have identified a set of assets belonging to Iran and recommended retaliatory strikes.

“This is strategic signaling,” said Rosenbach, who said the strikes would be intended to send a very clear message. “It’s basic deterrence theory. If your initial attack is weak, there will be others.”

And this is just Day 1 in what could be a multi-day or longer coordinated response. In any case, the session was a great reminder of the importance of scenario planning as part of maintaining a good security posture. 

Join Symantec at RSA Conference 2018 Booth #3901 North Expo Hall.

About the Author

Charles Cooper

Editor in Chief, Big Valley Marketing

Charles Cooper has covered technology and business for more than 25 years as a journalist.
