Ransomware: From the Boardroom to the Situation Room

Posted on in Presentations

At RSAC 2022, a panel simulated a board meeting confronting a ransomware attack. Now this session will look at the parallel Government meetings and explore how senior federal government officials might react and respond to the challenges of a major cyberattack and how only close collaboration between public and private sectors can diminish, if not overcome, the consequences of malicious cyber activity.

Video Transcript

   >> SPEAKER: Please welcome your narrator, Glenn Gerstall.



   >> GLENN GERSTALL: Good morning. I'm Glenn Gerstall, and I'll set the stage for our immersive panel today, introduce the cast, and then I will join the cast myself. But first, thank you for joining us today for a simulated meeting in the famed White House Situation Room, which is actually far less glamorous than it sounds.

   A meeting of key members of the National Security Council staff and staff of the National Cyber Director and representatives of the federal -- various federal departments has been urgently called because there are reports of ongoing ransomware attacks against critical infrastructure across the country. And we're going to ask you in the audience to play a role here, too, as I'll explain in a minute.


   Since you all got up early in the morning to join us, I'm assuming that you might just wonder just what would happen if the nation experienced a coordinated cybeattack. How would the principals of the National Cybersecurity Strategy be put into place? How would the private sector and the public sector work to defend the nation? If you work for a critical infrastructure entity, you may have received the question from your boss, how would your organization work with the government if infrastructure was taken down by an attack?


   Our goal today is simple, to give you a sense of what goes on behind the scenes at 1600 Pennsylvania Avenue and in the halls of government, and, in particular, shed light on the interaction in situations like this between the Federal Government and the private sector.

   But much like you do when attending a show or seeing a film, I'm going to ask you to suspend your disbelief just a little. Our scenario is totally fictional. We're going to compress what might be hours of meetings stretching over days and weeks into just 50 minutes. And even though our cast is multi-talented, we can't play every possible role. And, in reality, some of these meetings might involve dozens of people.


   A few more quick disclaimers. First, although several of our cast members have, indeed, sat in the real-life White House Situation Room, we are, of course, not here representing the Administration or claiming to reflect how any administration will handle the scenario we present today. Neither, of course, are we representing in any way our employers. We are just doing this as individuals. And second, we picked a handful of roles to be representative. We also took some liberties in envisioning who might chair the meetings as that might change not only by the particular topic to be covered, but also by the administration or the personalities in the room. And one more liberty we're taking is that if I was really in the Situation Room, I'd be in a suit and tie, and, more importantly, none of us would have cell phones or laptops. They're all banned for security reasons.


   Now we come to your part. At the end, you'll have a decision to make, and we'll ask you, the audience, to play the role of the principals of the National Security Council, the heads of various cabinet departments and other senior officials. There are options this group will provide to you at the end, and you will have to decide what your recommendation would be for the President.

   So, let me whisk you off to the Situation Room where Suzanne Spaulding, the National Cyber Director, the person statutorily responsible for advising the President on cyber, has called a meeting with Phyllis Schneck, the director of the Department of Homeland Security's Cybersecurity ‑‑ sorry, the director of the Department of Homeland Security, Cybersecurity, and Infrastructure Security Agency -- always a mouthful -- CISA, Bob Huber, an Assistant Director of the Federal Bureau of Investigation, Preston Golson, who is the National Security Council Coordinator for Strategic Communications, and then, finally, I'll step out of my narrator role and take my seat at the table. I'm going to be representing the Director of the National Security Agency, a role that's also dual-hatted as the head of the United States Cyber Command.


   Well, I see that everybody is already at the table, so that means I'm late, so I'd better get to the meeting.


   >> SUZANNE SPAULDING: Good morning, everyone. I really appreciate everybody getting here so quickly. Glenn, glad you could join us. I just came out of the Oval Office, a meeting with the National Security Advisor and the President. She has a lot of questions. Are these incidents connected, these critical infrastructure disruptions happening all across the country? What are we doing to contain these incidents, and to protect both the public and private sector networks? That's priority one. But the President is also going to need to know who is behind this. Are we under attack from a nation state? As you all know, our north star for our work is sustaining public confidence. We know that public trust is often a target of our adversaries, even through cyber means, so this is something we'll have to keep in the forefront of our minds.


   So, what do we know, and what are we doing? Bob and Phyllis, need you to give us a situation report on where we are and what the impacts are. Preston, I want you to update us on how the public and the media are responding to the disruptions. And Glenn, since you were a little late, I'm sure that's because your team at Fort Meade was processing some fresh intelligence. We're anxious to find out what you know. And then I think it is going to be really important for us to discuss what we need from the private sector, but what the private sector needs from us as well, and what we need to do to restore -- maintain and restore public confidence. So, Bob.


   >> ROBERT HUBER: Thanks, Suzanne. So, please bear with me. I have a lot of information to cover here.


   What we're seeing appears to be several cyber incidents involving infrastructure in disparate parts of the country. We have been coordinating closely with Phyllis and the CISA team. You have all seen the situation report already, but I'm going to do my best to summarize here.


   So, over the last 24 hours, we have witnessed a series of cyber incidents that have occurred across the country. We don't know if any are connected at this point, but they're all happening at the same time, and we really haven't seen anything like this before. In addition, a major utility in the northeast said they are experiencing electrical power grid disruptions in New York and New Jersey. So, right now, we don't have any indication this is affecting sensors and switches to this point. It's also unclear whether this is an intentional attack on industrial control systems or malware with unintended consequences. So, this could cause major issues during the cold snap we're currently experiencing.


   We also have a water treatment plant in Cincinnati, Ohio that has experienced service disruptions after its systems were encrypted with ransomware. That's creating concerns that the water in the city is not fit to drink, so we're already experiencing a run on bottled water as we speak. Meanwhile, at a chemical plant in California, they've halted production after portions of their networks were also locked up. This chemical plant is responsible for the production of nitric acid, which is used as a propellant for conventional weapon systems, and that facility also possesses chemicals of interest as designated by the Department of Homeland Security in significant quantities. So, what does that mean? It means that it could represent a risk of explosion, contamination, or increased toxicity should they be released. That facility has completed what we call top screen surveys, which are required by the Chemical Facility Antiterrorism Standards Regulation, which CISA is currently reviewing to determine the risk level. So, the IT teams at all these affected sites, they have discovered the ransomware nodes on their servers within each of the companies, though the names of the cyber-criminal gangs remain unknown at this time.


    So, we've heard from two of the three Corporate Chief Information Security Officers, and they've engaged their internet response teams, they've kicked off their business continuity plans, disaster recovery, and also crisis management. So, as they gather additional information for us to include vectors of attack, systems potentially impacted, and artifacts, they'll continue to coordinate with us. So, the one call reaches all principle seems to be working here for us. As the calls came into the local FBI field offices, we've shared that with CISA and the Department of Energy.


   Because all three called in, we were able to link patterns of attacks on infrastructure more quickly than we have been in the past. very useful for us. We haven't heard much from the water treatment plant, unfortunately, beyond the basic fact of, hey, we were attacked. We've been trying to get more details, but they aren't returning our calls at this point. So, I get it. They're drinking from a firehose right now. But if they would answer the phone, we can coordinate intelligence collection, sharing of intelligence, discuss ransomware payment options, CISA can help with mitigation activities, and also assessing risks to the local area. So, with Phyllis' help, CISA and the FBI are convening the responsible ISACs for critical infrastructure. Phyllis, I'm going to turn it over to you to lay out how the ISACs are responding.


   >> PHYLLIS SCHNECK: Great. Thank you, Bob.


   So, Suzanne, the Cybersecurity and Infrastructure Security Agency has already convened several of the Information Sharing Analysis Centers, the ISACs, for the electrical, chemical, and the IT sectors. Under that CPAC, the Critical Infrastructure Partnership Advisory Council, allows us to have those trusted relationships directly with the private sector pre-established. We've included those entities directly affected, as we know, in addition to other members of the sector for information and for early warning. We can also convene other sectors as well as needed, as we see this event covering our entire critical infrastructure more broadly, potentially. The ISACs and the Sector Coordinating Councils, the policy bodies that work with them, are actively engaging, and we're leveraging that trusted framework. So, everyone is shields up.


   Now I know we're always vigilant in steady state. And it's a fair assessment, though, with these unfolding events, that our private sector critical infrastructure constituency is already at a heightened state of alert. And as we work with the FBI and Bob and other partners, we can also, as requested by the private sector, convene ground teams from CISA to be additional boots on the ground to work with those affected companies and entities in concert with the FBI Threat Response, meaning we can get help to get these companies back online as needed, and complement and support the law enforcement engagement, as well as any third-party private sector incident response they're bringing, while the FBI conducts their ongoing investigations to potentially identify the adversaries for attribution.


   We have a call every hour on the half hour with each sector. and at the top of every hour with everybody, so everybody knows where to get that bidirectional holistic information sharing. We have an all-hands-on-deck approach to this, the CISA Joint Cyber Defense Collaborative, the JCDC, for Cyber Defenders. We're working with the NSA Cyber Collaboration Center, the private sector facing force of the NSA for cyber. The FBI National Cyber Investigative Joint Task Force, the NCIJTF, which brings together all the cyber players, and everyone is working together.


   We're also leveraging agreements that enable deeper sharing with some that have signed those agreements ahead of time, and open sharing with customers for indicators of compromise that may not already know that they're victims. We also have the strong focus with our state, local, tribal, and territorial resources via the Multi-State Information Sharing Analysis Center, and looking toward recovery, engaging other resources as necessary, potentially, with the National Guard.


   Currently, as the main interface for Critical Infrastructure Cybersecurity, and our private sector, we're the hub for communications and rapid information exchange to include all of those aforementioned partners, and that's why it's so important -- Bob, you're absolutely right, that Presidential Directive 41 is playing out nicely, the designation of roles and responsibilities with threat response and asset response, and a call to one has been a call to all into the government.

   We're gaining indicators of compromise from multiple sources, we're analyzing them together as one U.S. government, and pushing all of that information out, especially as we can in an automated fashion, to our managed cybersecurity providers, our IT providers, our telecom providers to embed that information, in the automated tools that our cyber providers and companies are using.


   >> SUZANNE SPAULDING: Great. And that will help smaller companies as well. That's great, Phyllis. Thank you.


   You know, we're all cognizant that we never went shields down. Right? So, we are going to have to be clear and very specific in terms of communicating what it is we know, and what specifically we want specific actors to do in the context of this now heightened situation. I know you get that, and I appreciate that. Okay.

   Are we getting everything we need about the attacks from the victims so we can spread the word on indicators of compromise, and what do we -- what do the targeted companies need from us?


   >> PHYLLIS SCHNECK: We are in the very early stages of the event, which includes focusing on the business continuity plans for these companies of the affected industries, planning as they planned ahead of time for worst-case scenario. We would be able to move faster if we had more information from all three of the victims. But as you mentioned, we are in shields up, and the Shields Up campaign, as you know, was launched in February of 2022 to bring these resources together to increase organizational vigilance and to keep our stakeholders informed about cybersecurity threats and destructive exploits against the critical infrastructure. That is the good news.     


   >> SUZANNE SPAULDING: Preston, how is the public and how is the media reacting to these disruptions?


   >> PRESTON GOLSON: Yeah. So, clearly, the power outages in the northeast have the EMEA networks in a frenzy as it's right in their backyard. They are talking about homes and businesses not having heat, because even in places with natural gas. They need electricity, of course. And there's some panicky talk about how it might affect Wall Street. All the financial institutions and networks have backup generators, of course. Still, there's a lot of speculation about what's going on. Reports range from a terrorist attack to massive grid infrastructure failure due to aged equipment.


   The media is starting to draw lines between the power failure and the reports of cyber incidents. I'm seeing a lot of speculation on the cybersecurity press that's beginning to go mainstream. Every noble name in cyber is getting a call from major networks and papers right now to come on TV and explain what's happening. Cybersecurity press is all over this, and we're seeing reflections from employees at infrastructure companies that there is an ongoing incident. And also hearing from Congressional Affairs, colleagues at the media, and constituents are calling senators and representatives nonstop. Many representatives are going to go and fill the air with anything that comes to their mind, good or bad, until they have a clearer understanding of what is going on.


   And to be frank, all this government and private sector partnership activity you have all described is no good if no one knows about it. So, a few people know what an ISAC is, and I'm concerned that this will come off as a little bit of alphabet soup when I brief the press on it. It is bad enough that we don't have all the facts, but it is going to sound bad if we don't have a clear communications plan. The White House press secretary is going to need cleat talking points that lay out the concrete actions government is doing to protect the country. This can't be cyber inside baseball.


   >> SUZANNE SPAULDING: Yeah. We're going to have to continue to keep Congress fully up to speed, get them the latest information that we have, and we need to make sure that our messages are measured and that they are clear. We want to be very careful not to overstate our knowledge or our level of confidence.


   >> PHYLLIS SCHNECK: We are working the communications at all levels. Terms like shields up and partnerships engaging these  companies, enabling them in the critical infrastructure sectors to collaborate should engage the public. We're working this together to keep people safe. Business online and prevent further compromise. But Suzanne, it remains a serious event with unknown origin and unknown future consequence.


   >> SUZANNE SPAULDING: So, Glenn, what's the intelligence picture?


   >> GLENN GERSTALL: Well, we have low to medium confidence that these attacks are coordinated. We have seen an uptick in the past several months of criminal groups, potentially working on behalf of certain adversarial nation states, probing critical infrastructure networks. Because of the information that CISA has received from the private sector and the tips we're already getting from some of the major cybersecurity firms, my teams have been able to trace some patterns that may lead us to the culprits here, and I suspect it will lead us to Iran. But as we all know, there is one thing to have strong suspicions about who is responsibility and another thing for the government to actually attribute cyber activity to another country or to a criminal gang. We don't do that unless we're confident in our judgment and we can back it up if allies want to see the proof.

   As you all know, when the intelligence community makes an attribution assessment, we look at four big factors. We often start with infrastructure because that's at least, initially, the most apparent, so we're actually looking at the physical or virtual communications structures used to deliver a cyber capability or to maintain command and control of the cyber maliciousness. Cyberattacks -- cyber attackers can buy, lease, share, compromise cloud service providers, as well as physical networks to build their infrastructure. So, right now, we've identified some IP addresses at two of the major cloud companies, but there is probably more. And, of course, that doesn't tell us who is really behind this.


   Next, we look at Tradecraft. Namely, the adversary's behaviors, an attacker's tools, their techniques, their procedures. All this can reveal patterns. Usually, people stick with the same Tradecraft as long as it is working. The actual malware used, of course, is another factor. How exactly is the cyber adversary compromising the network or device? In order to do that analysis, we need access to the victim's systems so that we can actually look at the code in the malware. It is always the case that there are telltale differentiating signs, for example, code that executes a function in a certain unique way or an unusual algorithm used to compress data being exfiltrated from the victim's system, or some signature way the attacker tries to cover up his tracks inside the network.


   The final piece where the intelligence community has really unique insight is the intent and plans of the attacker. We sometimes know whether another country has a motive to launch an attack, maybe in retaliation for a political event, or maybe just to call attention to a special date in history that might be embarrassing for the victim. The point is, we really need sophisticated analysis of all these factors where an equally sophisticated adversary is trying to cover its tracks. You know, it used to take us months to do this, but now we can take advantage of the improved collaboration and machine speed analysis to more efficiently connect the dots. So, I don't know, I wouldn't be surprised if we have some better judgment in a few days.


   One more thing. It is worth flagging that we have early reports that Germany might also be experiencing a similar situation. It is unclear whether these events are coordinated, or if the attacks in Germany are the work of a copycat, which we sometimes see. It's amazing, actually, how quickly some of these criminal gangs can steal and replicate others' work.


   >> SUZANNE SPAULDING: All right. Team, we're off to a good start, but there is a lot of work still to do to answer the President's core questions. We have to better understand the ins and outs of these attacks. We need to know the indicators of compromise so we can get them out to the community. Phyllis and Bob, let's figure out what we need from the victims if they aren't forthcoming with the necessary information. Let me know, maybe there are steps we can take to incentive them, maybe assuage the concerns they might have about sharing that information, or ultimately perhaps bring some pressure to bear. We need to protect the nation and see what responders and victims need from us. Preston, coordinate with the team, and that includes folks at the victim companies and the targeted companies and the sector leads. All right? We need to develop clear messaging. All the ISACs, as you noted in the great behind the scenes work, isn't going to mean anything if no one can decide for what it all means.


   Concurrent to this meeting, you should know that FEMA is working on plans to get water and needed supplies to the affected areas. They're working with the private sector with particularly the retailers and the distribution and transportation sectors, and so we're prioritizing the needs of those companies so that they can support their communities.


   I know the President will also be eager to have a report on how the various sectors are operating across the country. And importantly, we have got to resolve whether the grid outages are the result of an intentional attack by Iran or anyone else to attack on industrial control systems or to disrupt our critical infrastructure because, clearly, if that's the case, we need to be talking about whether that constitutes an act of war.

   All right, everyone. Back to work.

   Good morning, everyone. The good news is it does not look like there have been any new incidents. However, as you can imagine, the victims are still undergoing challenges related to the disruption, and we don't know whether more incidents might be coming. Of top concern, there is limited fresh water in Cincinnati, and no heat in parts of the northeast, during one of the coldest winters in 30 years. It also sounds like there are a number of narratives that are being spread on social media about follow-on attacks, even though none of these reports, at least to my knowledge, have been verified. I would like to start with Bob from FBI today. I understand you have some more details for us from the cyber division.



   >> ROBERT HUBER: Yes, I do. Fortunately, the affected organizations did grant us access to their information systems, which saves us precious time, and avoids having to obtain search warrants, and no undue pressure necessary in that regards. Here is what we know so far. The threat actors have been in the environments for between three to six months, which is not uncommon in this scenario. The FBI field offices in each of the regions report that the malware used does suggest a sophisticated actor is likely involved, and that the actions do appear coordinated. While the investigation suggests data has been exfiltrated, indicating a possible double exposure attack. So, what does that mean? It means you can also disclose sensitive information as part of the ransomware attack. It appears that the attack may be destructive in nature. So, the threat actors, they are asking for money, but their activities do suggest they may be in there first and foremost to disrupt and destroy.


   >> GLENN GERSTALL: Let me add that you recall that I said that we'd probably make progress on the attribution front, and so I can now say that based on some new intel from a European ally where it looks like ‑‑ it looks likes the command and controls server for at least some of this is located over in Europe, I think we can now say with medium confidence that this attack was carried out by a criminal group. The advanced persistent threat, or APT, group always seems coordinated with the Islamic Revolutionary Guard core of Iran.

   In fact, we actually know that many of their people are former intelligence officers from the IRGC, some of whom you might remember were the subject of a Department of Justice indictment recently, although fat chance we will ever get to extradite them here. But I don't want to jump to conclusions about whether this is something that Tehran is directly or even just approving. In any case, whether or not it is government sponsored, you recall that we've had at least a dozen very specific public advisories over the past few years, jointly from CISA and the Bureau, about sophisticated threat groups aligned with Iran.


   So, as I said at our last meeting, this, unfortunately, is a very complicated and time-consuming process. We all appreciate that we can't just look up IP addresses and know for certain where an attack originated from. We're following all leads very closely, but I do not have a good sense at this time -- just don't have a good sense this time we'll be able to move to a high confidence on an attribution.

   >> SUZANNE SPAULDING: Wow. Again, if the objective is to disrupt and destroy, that would be pretty strong evidence that is not a financially motivated attack, but instead a nation state.


   If we can't get to high confidence in a reasonable period of time, we may have to assess what is a level of confidence that would be sufficient, given what's going on in the world right now, to take some kind of action against Iran or whoever else is behind this.

   And the issue of false narratives spreading about follow -on attacks, who is spreading them, what information do we have on that, and are there any indications that they're impacting our response and recovery efforts, are they designed so we'll panic, what do we know about this? Preston?


   >> PRESTON GOLSON: Yeah. I'm hearing from my counterparts in the intelligence community that many of the memes, bots, and narratives are being pushed by nation state actors. There's also deceptively edited video going around of the Fed Chairman that makes it sound as if the next wave of attacks will devastate the market.


   Phyllis, CISA actually produced a great public insights document to help infrastructure entities deal with misinformation, disinformation, and malinformation that I found quite useful. Among the advice that paper offered was that infrastructure companies should coordinate with other sector entities to reinforce messaging with a goal of building a strong network of trusted voices. This is what we need here, both for the financial systems and for the critical infrastructure that's under attack. How do we get more trusted voices there to maintain public confidence and trust?


   >> PHYLLIS SCHNECK: Thank you, Preston. We are leveraging that CPAC framework on the preset relationships, so the private sector together with the government, and the constant open phone bridges and scheduled briefs, as mentioned, to get all the facts into the critical infrastructure, the lines of communication, and to inform the executives. Independent of what may come on social media, if the sector executives are hearing directly from us in the U.S. Government, and eventually from the National Security Council, and flowing that information across in that trusted partnership, that does help us to somewhat mitigate misinformation.


   >> SUZANNE SPAULDING: So, Phyllis, what is the story with respect to our financial systems? Can we say with confidence that these claims of, you know, attacks targeting our financial systems are false? We have to be really careful here, right, because if we say they are false and then something happens, we lose a lot of credibility. We have to get this right. And we all remember that Iran did attack the banks, right, in 2011 and 2012, so there is precedent here.


   >> PHYLLIS SCHNECK: That's true. It does not look like financial systems were directly impacted by these cyberattacks; however, there is a lot of disinformation. It is affecting broader confidence in the market, stock prices are plummeting amid all the uncertainty, which is why we are creating what we call a TriSeal document, so from DHS or the Cybersecurity Infrastructure Security Agency, with the FBI and with the NSA, pulling that together, and leveraging with the Financial Services Information Sharing Analysis Center, so where many of the banks get together to share their information under that trusted partnership, and we can also leverage, in this case, the National Cyber Friends at the Training Alliance with the FBI and some of the major banks as they work together in trusted partnerships as well to engage those financial sector executives and the analysts at the FBI and across government to put out a communication that represents one U.S. government that mitigates the misinformation with actual ground truth.  


   >> GLENN GERSTALL: Yeah. So, you know, as to the disinformation piece, we've been tracking some Iranian sources and talking to some of our friends that keep tabs on Iran. So, I can say both from a technical collection viewpoint, as well as we know about their usual Tradecraft, we can say that we assessed that the narratives were either started or at least greatly amplified by the Iranian IRGC, or at least an entity working directly at their behest. What we don't know yet is whether this is actually associated with the cyberattack or it's just an opportunistic event with them just trying to capitalize on the chaos.


   >> PRESTON GOLSON: Well, Phyllis, thank you for pursuing the TriSeal statement. That will be very helpful as we seek to calm, understandably, frayed nerves in the public and the market. As soon as it's ready, we should distribute it to reporters and do a briefing on it.


   In addition to this voice ministry, we're going to message from the White House the banking systems are safe. At least we have no indication that they have been affected by any malicious cyberactivity. We can also message that there is disinformation being driven by online foreign adversaries.


   Also, if we can get validation from the cybersecurity and research community, this would help as well. Phyllis, is there anything CISA can do to help on that front?


   >> PHYLLIS SCHNECK: Yes. So, I suggest that joint advisory, when we put out the solid information that counters the disinformation narratives, we'll also include work from the cyber researchers and the cybersecurity community and the vendors. We'll indicate what we know about what's originating and put all that out together.


   >> SUZANNE SPAULDING: Great. All right. I will give the President an update. We have identified the criminal perpetrator, but there are significant indications that Iran may be behind it, particularly if it turns out that the primary objective is disruption and destruction. We have information attacks targeting trust in the banks, and there may be multiple foreign actors behind these, right? We may see a release of personal sensitive information, or other sensitive information, as the malware attacks might move to extortion. And then here's what we are doing. The IC is spearheading the attribution effort and developing response options if we determine that it's Iran or another nation state. CISA is working with the targeted businesses and the involved response firms to get and share information that can help others protect their networks. FBI is moving against the criminal group working with Germany and other allies. Our communications team will coordinate with relevant departments and the private sector on messaging to counter the disinformation narratives. This is really urgent.

   Okay, team. Back to work.

   All right. Good morning. First, I want to thank my twin sister, the National Cyber Director, for doing such a great job chairing the last two meetings, and for leading the interagency efforts to defend our networks and critical infrastructure. Now that it is looking more that Iran may be behind these attacks, as the national security advisor, I will lead today's meeting where we will discuss response options. First of all, team, great work beating back the disinformation targeting trust in the banks. You know, it was extremely valuable that the intelligence community was willing to share the information it had collected, showing Russia and Iran communicating about their plans to provoke a meltdown without actually attacking the financial system.


   Combined with the messaging from the banks themselves, the regulators -- surprisingly, both parties in Congress -- and even responsible reporting by the media, all that works to frustrate the objective of our adversary. Well done. Also, on the good news front, we are still not seeing any new attacks, although it is not yet clear that the attackers have been fully kicked out of the victim's network. I know that last piece is going to take some time.


   Moreover, we are still not able to tell with certainty if the activity in Germany was part of a larger coordinated attack or just the work of a copycat. In any event, it is good news that Germany has been working diligently with our government and our private sector leads to coordinate response plans. We're also working with Germany and the EU on public statements, making it clear that these attacks are unacceptable and that we are looking into all options, including possible multi‑national sanctions on any countries involved in these attacks.

   I want to thank the State Department for all the work in keeping our allies up to speed, and also working with the Swiss to convey these messages to Iran. We're also reaching out to Russia to make clear that we are concerned about evidence of collaboration with Iran on cyber and warning them not to engage in cyber or information operations to undermine trust in our critical infrastructure, including our banks. How's the recovery process going? Phyllis, what types of assistance have we been able to offer to the private sector?


   >> PHYLLIS SCHNECK: Well, the good news is there are a number of industries that were proactive in sharing information, and they've already mapped out continuity of operations plans ahead of the incident. In particular, one was already able to engage their backup files. They're following a pre-established playbook. They're having their boardroom conversations on potential payments or not. And the scenario is on time to return to normal business for customers if they're ready to switch to alternate data centers and a different part of the power grid.


   Now, unfortunately, we haven't had much luck working with some other sectors that have not created or exercised resilience plans more recently. We have engaged the Office of Foreign Asset Control at Treasury in case the adversary is identified as a sanctioned nation. That would affect the ‑‑ the affected entity's ability to legally pay. Boardrooms across the critical infrastructure, not limited to the known victims, have convened, both in person and virtually, to determine if and how they would want to pay ransom if it expedites their recovery. And while the U.S. government has not recommended such, that's an option for the private sector within those legal and Treasury commissions.

   So, we all remember last year when Reliable Plastics was hit with ransomware, and they refused to pay initially, but eventually worked with us in a way that will allow the FBI to track the payment and to claw back the funds and take down the bad guy infrastructure. Those companies that have cyber insurance for ransomware have also been reaching out to their carriers for options. I'd also like to put on the table, the industries are eager to hear how or if they'll be called upon to assist with any sort of response plans, and, for instance, will any of their infrastructure end up being used to effectuate a response action?


   >> SUZANNE SPAULDING: Thank you, Phyllis. That's really helpful. And you raise important considerations. And these are exactly the kinds of issues we're going to be discussing with senior industry executives later this afternoon when we call them into the White House for a Unified Coordination Group meeting. We want to make sure that we have the insights from the private sector, and that they understand and are part of and inform our strategic response.

   In order to properly assess our options for response here, the President is going to need more on who is responsible for these attacks. Glenn, can we yet say that we know Iran was behind the attack, operating ostensibly through a criminal gang?


   >> GLENN GERSTALL: Well, though we can now say with, I think, greater certainty that the attacks were carried out by criminal actors operating within Iran, and that the Islamic Republic was generally aware of their activities, we still cannot determine how much prior knowledge they had about these particular attacks, or if these attacks were actually carried out at the direction of the IRGC or even supreme leader  Ayatollah Khamenei.


   So, depending upon the IRGC's level of involvement, we're going to have to consider whether this is -- whether a criminal case against the cyber gang is sufficient, or that we do something diplomatically, or on the other end of the spectrum, as you've said before, do we need to start considering if this is an act of war?


   >> PHYLLIS SCHNECK: We will need to be very clear about whether or not this is an act of war. If it is, that could be in the impacted private sector. Industries might not be covered by their cyber insurance plans. And that distinction will determine how costly the recovery process is for the private sector. The words we use and the actions we take affect the private sector in morale, potential further adversary actions, and have legal and insurance ramifications for the entire private sector, and that's why our partnership is so critical. We're all here today at a facility drinking water and under lights provided by the private sector, but we determine how to protect them.  


   >> SUZANNE SPAULDING: Bob, how are we doing on going after the criminal gang that actually perpetrated the attacks?


   >> ROBERT HUBER: So, the FBI, working with our international allies, partners, and industry, have been able to stop the ongoing activity by temporarily disrupting the infrastructure of the criminal gang.


   >> SUZANNE SPAULDING: Preston, how's the press covering this? Are they already attributing this to a nation state?


   >> PRESTON GOLSON: Yeah. The biggest problem here for the President is that the coverage is likening this incident to an act of war. As a result, there is a great deal of energy from the public and from commentators for a robust response. Otherwise, many warned will have no robust -- will have no deterrent against future attacks. People want answers, and they want reprisals, especially the more the power disruptions can be directly linked to the potential loss of American lives. Now I understand from a cybersecurity perspective, what we're dealing with here is extremely difficult to calibrate correctly. I'm just saying that the political pressure is going to really intensify for the President.


   >> SUZANNE SPAULDING: As soon as we can attribute, we need to do so, and I know that's a challenge. But even before that point, we obviously need to be considering, as we are what our response options might be. Glenn, I understand Cyber Com has developed a few response options in the cyber realm. We all have that ‑‑ those options laid out for us in the memos that you all received before this meeting. But Glenn, go ahead and walk us through this a bit.


   >> GLENN GERSTALL: All right. Well, thanks. Well, as you correctly stated, you know, attribution is, indeed, going to be the threshold issue. We're not there yet, but let's assume we knew for sure that the government of Iran had actually directed this cyber maliciousness. My lawyers briefed me this morning, and the essence of what they said is that under the international law of war, that means we can hold that nation responsible if we conclude that their actions qualify as an act of war. Now, of course, that's easy to determine in the noncyber world if Iran dropped a bomb on that utility causing the same level of outages in winter. With the foreseeable consequences we're seeing now, that's clearly going to be viewed as an act of war. Cyber, obviously, gets a little fuzzier since, in part, the results of what might otherwise have been a relatively harmless cyber mischief can be unpredictable.


   But given the scope, it's quite possible this could, indeed, be considered an act of war, and that would allow us to take action in self-defense. Those actions have to be proportional to the attack itself, so that could include using Cyber Com, under my command, to degrade or destroy the cyber infrastructure used in the attack, and perhaps take pre-emptive steps to prevent future attacks, at least where we have good reason to know they're forthcoming.


   And most importantly, I really want to stress this, our response doesn't have to be limited to a cyber one. Not only can we take proportional military action, but also appropriate political, diplomatic, and economic action. But again, I want to emphasize that we need more certainty around our attribution in order to hold Tehran responsible.


   >> ROBERT HUBER: So, in addition to the options that Glenn just reviewed with us, we can coordinate with our domestic and international partners to follow the money, seize the Bitcoin wallet used for the ransomware payment. The U.S. Attorney's Office can handle the seizure with assistance from multiple department components through the departments Ransomware Digital Extortion Task Force. The department also has access to the ransomware group's computers and networks and can disrupt the infrastructure required for the malware to target additional organizations. So, with support from the intelligence community, we also believe we could obtain the decryption keys to be shared with the victims relatively soon.


   >> SUZANNE SPAULDING: Great. All right, NSC principles. We've gotten the briefing from staff. You all received the memo before this meeting. I know you all carefully reviewed it. I'm going to need you to ‑‑ we're going to need to have a vote on what we're going to recommend to the President. So, let's review the options that are laid out in the memo. Option one is using our law enforcement tools to go after the criminal actors. We know who those criminal actors are, at least the criminal group and the infrastructure they are using. So, option one, and I want to be very clear, these three options are not mutually exclusive. Right? Option one is we continue with these law enforcement efforts aimed primarily, first and foremost, at disruption so that we can stop any ongoing or planned activities, and then we can focus on trying to identify the individual actors. The possibility for prosecution here is extremely low, but perhaps there are things that can be done lawfully to deter these actors from future actions. Option one is go after the criminal actors using our traditional law enforcement tools.

   Option two, actions aimed at the state. In this case, we could undertake option two if we were confident that Iran was aware of these activities and turning a blind eye. All right? And that would involve taking diplomatic measures, including sanctions. I know we already have multiple massive sanctions against Iran, but Treasury Department says there are more things we can do. Those are laid out in the memo. And importantly, the EU is cooperating with us. They are concerned about the attacks, increasingly in Germany, that look like they are connected. And they did lift many of their sanctions against Iran, and so they could reimpose some of those. And finally, Germany is looking at imposing unilateral sanctions. So, that's option two.

   Option three, moving from law enforcement diplomatic sanctions to military and intelligence activity. Right? This is something that we would recommend only if we get to the adequate level of confidence -- ideally, a high level of confidence -- that Iran not only knew about this activity, but, in fact, was directing or actively encouraging it. On that assumption, DoD and the military has laid out a series of actions that they could take, and this is limited to the cyber realm right now, they are developing non-cyber options, and we'll consider those at a future meeting. But the options that are laid out in the memo in front of you today are really in the cyber realm, and they are on the grounds of self-defense.

   So, we're going to discuss these. And on that last item, we could make a decision at that time whether to make this public or not, the activity that we're taking under option three. I know the IC has raised some concerns with going public on this, including, and the State Department agrees with this, there is a concern of escalation, of course. Right? If it's public that we have done this to Iran, that puts pressure on the supreme leader to do something in response. That said, I always assume that the shelf life of secrets is vanishingly short. We should only undertake this option with the understanding that it is likely to become public and we should make our decision accordingly. So, what are your thoughts on these options? We've got just a few minutes before I have to go report to the President.


   >> PHYLLIS SCHNECK: If we decide to take action against Iran, I highly recommend we tell the private sector owners and operators ahead of time that they need to be in a shiels up posture preparing for potential retaliation. Of course, they are already, but we need to be proactive, and we need to be sure we're working closely with them to help protect them. Depending on the option we choose, we should consider whether or not we fully brief the relevant private sector entities of those plans because they're going to be frustrated. If we can't tell them at this stage who is behind the attacks, and I know that we can't, the recommendation is we try to be as forthcoming as we can with those affected industries.


   >> SUZANNE SPAULDING: So, as we consider what to tell the private sector folks and how much to involve them, we also need to keep in mind that if they're too closely tied to our activities, the adversaries may consider them combatants and make them targets. State also raises a legitimate issue regarding the consultation required if we go through a third-party country's infrastructure to respond. These are details we'll have to work out if the President is comfortable with option three, and we can achieve the needed level of attribution.


   >> PRESTON GOLSON: Yeah. We'll need to deploy talking points soon to administration officials, Congress, and key opinion leaders to make sure that they can explain at some level to the American people the complex decisions we have in front of us here.


   >> SUZANNE SPAULDING: Thanks, Preston. Good point. I very much appreciate these briefings from the staff and the discussion, but I'm now going to ask our principals for a vote on the options. I'm going to present these options to the President with your recommendations attached. And note that they ‑‑ that option three and, to some extent, option two will depend on our achieving the appropriate level of attribution.


   >> GLENN GERSTALL: So, that's going ‑‑ I'll step back into our narrator role, my narrator role, and we're going to end the scene here for a minute, and now we're going to turn to you. You've heard the options. You are the National Security Council, and you get to decide what option or options you may want to recommend to the President. So, many of you may feel that you don't have all the information that you need in order to make a decision, but that's often the case in these situations.


   To recap, here are the three options. They are not mutually exclusive. Option one is to limit the actions to law enforcement, involving shutting down the threat actor servers, trying to recover the Cryptocurrency used as ransom, et cetera. Option two is to do the law enforcement actions, plus, also, take diplomatic actions, such as sanctions, which you just heard the Homeland Security advisor talk about, against the nation state, Iran, which we believe is ultimately attributable for this action. And then option three, on top of that, adds a recommendation to the President that she authorize Cyber Com, part of the United States military, to make plans and be ready to take destructive action again the Irani cyber infrastructure that is used in the current attack and against infrastructure that's likely to be used in future attacks.

   So, I'm going to ask you to raise your hand. How many of you would like to support option one and only option 1? Okay. How many of you would support option two, which, as I said, builds on option one. Option two? Okay. And then finally, how many of you would support option one, two, and also three, the military option?

   Thank you.


   >> SUZANNE SPAULDING: All right. I have the recommendation of this principal's group. I will present this to the President, and I will let you know what she decides. Thank you very much. Now let's get back to work. 

Glenn Gerstell


Senior Adviser, Center for Strategic and International Studies (CSIS)

Preston Golson


Director, Brunswick Group

Robert Huber


CSO, Head of Tenable Research, President Tenable Public, Tenable

Phyllis Schneck


Vice President & Chief Information Security Officer, Northrop Grumman Corporation

Suzanne Spaulding


Former Undersecretary, CSIS

Share With Your Community