The U.S. Defense Advanced Research Projects Agency (DARPA) is interested in understanding strategies for the investment of research and development funds for securing the U.S. information infrastructure against "information warfare" (IW) attacks. (As Roger Molander put it, tongue in cheek, during his opening remarks at the exercise described in this report: "OK, you guys built the ARPAnet, which has become the Internet; now fix it!") A variety of recent studies (e.g., Hundley and Anderson, 1995) have documented the web of interrelated information systems comprising the national information infrastructure and its heavy dependence on the public switched telephone network. These systems are attacked every day by hackers worldwide and, less commonly but more insidiously, by trusted insiders, organized groups, commercial organizations, intelligence agencies, and other agencies of foreign governments. As our society becomes more dependent on this information infrastructure, concern rises about what strategies and technology might best be employed to substantially strengthen the infrastructure against deliberate attacks.
The Purpose of This ExerciseThe purpose of this particular exercise was "to conduct an exercise informing ARPA staff and selected representatives of the user community of the principal features of (defensive) information warfare (IW) and identifying for participants the future demands that IW may place on ARPA information technology programs." Dr. Howard Frank of DARPA's Information Technology Office acted as the project monitor.
In subsequent discussions with Dr. Frank and among RAND staff, we referred to the exercise purpose as helping inform DARPA's investment strategy for research and development on the integrity and reliability of information systems on which the security and safety of the nation depends.
The Scenario and Methodology Used for This ExerciseThe original "The Day After..." exercise methodology used a three- step process: (1) preparing a memo to a senior government executive regarding problems occurring about five years in the future, in the early stages of a crisis; (2) addressing additional problems several days to a week later, as the crisis worsens; and (3) preparation of a memo "today" (i.e., 1996) discussing measures that should be taken now to avoid problems such as those described in steps 1 and 2. The diagram used to illustrate this process in previous exercises is shown in Fig. 1.1.
Figure 1.1--"Classic" Three-Step Day After Exercise Methodology
Figure 1.2--Revised Two-Step Day After Exercise Methodology
We began with an existing scenario of cyberspace attacks on U.S. infrastructure used in a previous exercise and tuned and expanded the cyberspace attacks for our particular purposes. We wanted to illustrate the diversity of infrastructure systems dependent on "cyberspace" that might be subject to attack, from transportation control systems to power control to key financial systems. Since the participants for this exercise were to be technologically sophisticated, we added some indications of how these attacks might be performed, to increase their believability and counter any possible reactions that "that couldn't possibly happen!".
The set of cyberspace incidents we evolved for the scenario used in this exercise is shown in Table 1.1.
Cyberspace Incidents Used in Scenario
|Year 2000 background|
|general||software agents roaming net and Web|
|1999||MEII discussed but not yet established|
|1998||electronic "looting" of Saudi Arabian bank ($1.2 billion)|
|1999||attempted placement of Trojan horse in AB-330 flight control software|
|1999||sniffers and logic bombs in Israeli C2 systems|
|general||electronic "looting" of U.S. and European banks by Russians|
|1998||computer virus in software causes Yen crisis in Japan|
|1998-99||Infonet Threat Center established in U.S.|
|1999||flight control software alert regarding U.S. commercial aircraft|
|The Crisis - Step 1|
|2000 May 11||power in Cairo (90%) out for several hours -- perpetrator uncertain|
|2000 May 11||public switched telephone network (PSTN), massive failure in Riyadh, Saudi Arabia|
|2000 May 11||PSTN, Ft. Lewis, WA, mass dialing attack|
|2000 May 11||Saudi PSTN, apparent "trap door" in switching code|
|2000 May 13||control malfunction, Aramco refinery, Saudi Arabia -- perpetrator uncertain|
|2000 May 14||control malfunction, Bundesbahn train crash, Germany -- perpetrator uncertain|
|2000 May 16||sniffers, Bank of England funds transfer system|
|2000 May 16||power grid for Rhein Main airbase, Germany, fails|
|2000 May 17||non-governmental organization "Consortium for Planetary Peace" mobilization via Internet and other media|
|2000 May 18||PSTN in Delaware and Maryland fails -- affects air traffic control at Dover AFB|
|Continuing Crisis - Step 1|
|2000 May 20||Automated Teller Machine networks malfunction in Georgia|
|2000 May 20||CNN off air for 12 minutes; issues special report|
|2000 May 20||worm, corrupting data in Time Phased Force Deployment List (TPFDL)|
|2000 May 22||flight control software malfunction; AB-340; plane crash at O'Hare|
|2000 May 22||recommendation that all late-model AB-340 and -330s be grounded|
|2000 May 22||TV signal in Saudi Arabia replaced by other broadcast|
|2000 May 23||PSTN, Saudi, fails; trap doors similar to earlier Saudi PSTN failure|
|2000 May 23||full-scale IW attack at CONUS military bases involved in deployment|
|2000 May 23||Chicago Commodity Exchange subjected to electronic manipulation|
|2000 May 23||PSTN failed, Wash./Baltimore area, similar to Saudi PSTN failure|
The Conduct of the Exercise
The exercise was held on Saturday morning, March 23, 1996, in RAND's Washington, D.C. offices. After a plenary introductory session to review the scenario and some recent developments, approximately 60 participants were placed into five groups of about 12 persons each to discuss the Step 1 scenario. The agenda for the exercise is shown in Table 1.2.
Agenda for Exercise
|Saturday, March 23, 1996|
|0800-0900||Complementary coffee, tea, rolls, informal get- acquainted discussions among participants|
|0900-0930||Welcome to RAND (David Gompert); introductory remarks (Howard Frank); situation briefing (Roger Molander); breakout into five groups|
|0930-1020||Working groups on Step 1|
|1020-1100||Plenary session: groups debrief on Step 1 findings and recommendations|
|1100-1300||Working groups on Step 2; working lunch served|
|1300-1400||Plenary session: groups debrief on Step 2 findings and recommendations|
|1400||Conclusion of exercise|
As can be seen in the above agenda, we left two hours for the new Step 2 discussions, plus an hour for a plenary debriefing of the groups, to emphasize the focus on a current R&D agenda that can address future cyberspace insecurities.
In Step 1, participants were told to act as members of "a technical tiger team advising the Secretary of Defense and the Director of ARPA, in a time-urgent process. The group's task is to revise a draft memo to the SECDEF in preparation for the ARPA Director's meeting with the SECDEF scheduled for a few hours hence."
In Step 2, participants were brought back to the "very near future--say the late spring of 1996." They were told that they were "again in the role of a top advisor to the Director of ARPA, preparing him for a meeting with the Secretary of Defense on a national R&D investment strategy for information systems security and related issues."
A list of all participants is provided in Appendix A. The complete scenario and instructions given to all participants are available in Appendix B. The Step 1 materials were mailed to participants a week before the exercise. Step 2 materials were handed to them on the day of the exercise at the beginning of their Step 2 group discussion.
The following section contains findings and research suggestions resulting from the groups' deliberations.
 From the Project Description, August 25, 1995. At the time of its writing, DARPA was referred to as ARPA. In this report, when quoting original materials we use the terminology of those materials.