1. Introduction

"The Day After..." exercise methodology, developed over the past several years under the leadership of Roger Molander, has proven useful in eliciting thinking about complex strategic issues from groups of up to about 60 individuals. The exercises are also useful in "awareness building"--exposing participants to the possible ramifications of current trends, and options for altering those trends. For examples of previous uses of this methodology to explore the national security policy implications of the continued diffusion of nuclear weapons capabilities, see Millot, Molander and Wilson (1993); Mesic, Molander and Wilson (1995); Molander, Wilson, Mesic and Gardiner (1994); and Molander, Riddile and Wilson (1995). A recent application of the methodology to issues of strategic information warfare is presented in Molander, Riddile and Wilson (1996).

The U.S. Defense Advanced Research Projects Agency (DARPA) is interested in understanding strategies for the investment of research and development funds for securing the U.S. information infrastructure against "information warfare" (IW) attacks. (As Roger Molander put it, tongue in cheek, during his opening remarks at the exercise described in this report: "OK, you guys built the ARPAnet, which has become the Internet; now fix it!") A variety of recent studies (e.g., Hundley and Anderson, 1995) have documented the web of interrelated information systems comprising the national information infrastructure and its heavy dependence on the public switched telephone network. These systems are attacked every day by hackers worldwide and, less commonly but more insidiously, by trusted insiders, organized groups, commercial organizations, intelligence agencies, and other agencies of foreign governments. As our society becomes more dependent on this information infrastructure, concern rises about what strategies and technology might best be employed to substantially strengthen the infrastructure against deliberate attacks.

The Purpose of This Exercise

The purpose of this particular exercise was "to conduct an exercise informing ARPA staff and selected representatives of the user community of the principal features of (defensive) information warfare (IW) and identifying for participants the future demands that IW may place on ARPA information technology programs."[1] Dr. Howard Frank of DARPA's Information Technology Office acted as the project monitor.

In subsequent discussions with Dr. Frank and among RAND staff, we referred to the exercise purpose as helping inform DARPA's investment strategy for research and development on the integrity and reliability of information systems on which the security and safety of the nation depends.

The Scenario and Methodology Used for This Exercise

The original "The Day After..." exercise methodology used a three-step process: (1) preparing a memo to a senior government executive regarding problems occurring about five years in the future, in the early stages of a crisis; (2) addressing additional problems several days to a week later, as the crisis worsens; and (3) preparing a memo "today" (i.e., 1996) discussing measures that should be taken now to avoid problems such as those described in steps 1 and 2.[2] The diagram used to illustrate this process in previous exercises is shown in Fig. 1.1.

Figure 1.1--"Classic" Three-Step Day After Exercise Methodology

In several dry runs of the DARPA exercise, conducted using RAND staff both in Santa Monica and in Washington DC, we determined that participants became frustrated in steps 1 and 2 because there was little that could be done in the short term to ameliorate or halt the series of cyberspace-based attacks on the U.S. infrastructure. Participants also felt that there was too little time left in the exercise to discuss possible R&D programs that could be instituted today to prevent or greatly reduce such attacks in the future. For these reasons, we decided to modify the exercise so that it contained just two steps: (1) IW attacks occurring five years in the future; and (2) a discussion of what could be done beginning today to cope better with those future attacks. Figure 1.2 shows the revised exercise methodology.

Figure 1.2--Revised Two-Step Day After Exercise Methodology

A second dry run using this new methodology proved successful. Participants developed heightened awareness of the problems that could be encountered in the future in Step 1, but then had ample time left to discuss R&D measures in the new Step 2. Because the purpose of this exercise was to develop R&D strategies, this new two-step approach was clearly superior for our purposes.

We began with an existing scenario of cyberspace attacks on U.S. infrastructure used in a previous exercise[3] and tuned and expanded the cyberspace attacks for our particular purposes. We wanted to illustrate the diversity of infrastructure systems dependent on "cyberspace" that might be subject to attack, from transportation control systems to power control to key financial systems. Since the participants for this exercise were to be technologically sophisticated, we added some indications of how these attacks might be performed, to increase their believability and counter any possible reactions that "that couldn't possibly happen!"

The set of cyberspace incidents we evolved for the scenario used in this exercise is shown in Table 1.1.

Table 1.1
Cyberspace Incidents Used in Scenario

Year 2000 background
general      software agents roaming net and Web
1999         MEII discussed but not yet established
1998         electronic "looting" of Saudi Arabian bank ($1.2 billion)
1999         attempted placement of Trojan horse in AB-330 flight control software
1999         sniffers and logic bombs in Israeli C2 systems
general      electronic "looting" of U.S. and European banks by Russians
1998         computer virus in software causes Yen crisis in Japan
1998-99      Infonet Threat Center established in U.S.
1999         flight control software alert regarding U.S. commercial aircraft

The Crisis - Step 1
2000 May 11  power in Cairo (90%) out for several hours -- perpetrator uncertain
2000 May 11  public switched telephone network (PSTN), massive failure in Riyadh, Saudi Arabia
2000 May 11  PSTN, Ft. Lewis, WA, mass dialing attack
2000 May 11  Saudi PSTN, apparent "trap door" in switching code
2000 May 13  control malfunction, Aramco refinery, Saudi Arabia -- perpetrator uncertain
2000 May 14  control malfunction, Bundesbahn train crash, Germany -- perpetrator uncertain
2000 May 16  sniffers, Bank of England funds transfer system
2000 May 16  power grid for Rhein Main airbase, Germany, fails
2000 May 17  non-governmental organization "Consortium for Planetary Peace" mobilization via Internet and other media
2000 May 18  PSTN in Delaware and Maryland fails -- affects air traffic control at Dover AFB

Continuing Crisis - Step 1
2000 May 20  Automated Teller Machine networks malfunction in Georgia
2000 May 20  CNN off air for 12 minutes; issues special report
2000 May 20  worm, corrupting data in Time Phased Force Deployment List (TPFDL)
2000 May 22  flight control software malfunction; AB-340; plane crash at O'Hare
2000 May 22  recommendation that all late-model AB-340 and -330s be grounded
2000 May 22  TV signal in Saudi Arabia replaced by other broadcast
2000 May 23  PSTN, Saudi, fails; trap doors similar to earlier Saudi PSTN failure
2000 May 23  full-scale IW attack at CONUS military bases involved in deployment
2000 May 23  Chicago Commodity Exchange subjected to electronic manipulation
2000 May 23  PSTN failed, Wash./Baltimore area, similar to Saudi PSTN failure

The Conduct of the Exercise

The exercise was held on Saturday morning, March 23, 1996, in RAND's Washington, D.C. offices. After a plenary introductory session to review the scenario and some recent developments, approximately 60 participants were placed into five groups of about 12 persons each to discuss the Step 1 scenario. The agenda for the exercise is shown in Table 1.2.

Table 1.2
Agenda for Exercise

Saturday, March 23, 1996
0800-0900  Complimentary coffee, tea, rolls, informal get-acquainted discussions among participants
0900-0930  Welcome to RAND (David Gompert); introductory remarks (Howard Frank); situation briefing (Roger Molander); breakout into five groups
0930-1020  Working groups on Step 1
1020-1100  Plenary session: groups debrief on Step 1 findings and recommendations
1100-1300  Working groups on Step 2; working lunch served
1300-1400  Plenary session: groups debrief on Step 2 findings and recommendations
1400       Conclusion of exercise

As can be seen in the above agenda, we left two hours for the new Step 2 discussions, plus an hour for a plenary debriefing of the groups, to emphasize the focus on a current R&D agenda that can address future cyberspace insecurities.

In Step 1, participants were told to act as members of "a technical tiger team advising the Secretary of Defense and the Director of ARPA, in a time-urgent process. The group's task is to revise a draft memo to the SECDEF in preparation for the ARPA Director's meeting with the SECDEF scheduled for a few hours hence."[4]

In Step 2, participants were brought back to the "very near future--say the late spring of 1996." They were told that they were "again in the role of a top advisor to the Director of ARPA, preparing him for a meeting with the Secretary of Defense on a national R&D investment strategy for information systems security and related issues."[5]

A list of all participants is provided in Appendix A. The complete scenario and instructions given to all participants are available in Appendix B. The Step 1 materials were mailed to participants a week before the exercise. Step 2 materials were handed to them on the day of the exercise at the beginning of their Step 2 group discussion.

The following section contains findings and research suggestions resulting from the groups' deliberations.

[1] From the Project Description, August 25, 1995. At the time of its writing, DARPA was referred to as ARPA. In this report, when quoting original materials we use the terminology of those materials.

[2] See the research reports cited in the first paragraph of this section for descriptions of previous exercises using this three-step exercise methodology.

[3] See Molander, Riddile and Wilson (1996).

[4] From the Step 1 scenario instructions. See Appendix B for the complete scenario.

[5] From the Step 2 scenario instructions. See Appendix B.
