Lessons to be Learned from “LÜKEX 2011”
by Michael Liebig
For most people in Germany and certainly outside of Germany, the word „LÜKEX“ makes no sense. The weird word is an acronym designating a national command post exercise dealing with „disaster situations“. Every second year, the crisis management for different disaster scenarios is „played out“ by senior government officials: the outbreak of a pandemic, a large-scale power failure or a terrorist attack with a „dirty bomb“ releasing radioactivity. From November 30 to December 1, „LÜKEX 2011“ was conducted – this time the topic of the command post exercise was „IT security in Germany.“
What’s the connection between „IT security“ and a „disaster situation“? When you hear the word „disaster“, you probably think of natural disasters such as floods or earthquakes. Or you may think of man-made disasters such as the nuclear accident at Chernobyl in 1986. Or a combination of both, like the nuclear reactor accident in Fukushima triggered by an earthquake and a tsunami. But there is yet another threat of potentially catastrophic dimensions: the sabotage and failure of vital infrastructures – carried out via computer networks and the Internet.
Electricity and water supply, air transport, railways, telecommunication, payment systems, and public administration are the lifelines of modern society. The technical term for them is „critical infrastructures“. Today, these critical infrastructures are largely controlled and steered by information processing systems which are interconnected via the Internet. This “IT infrastructure” is „the critical infrastructure within critical infrastructures.“
The targeted insertion of malware – “viruses” or “trojans” – into the information-processing systems of critical infrastructures is possible in principle. In spite of the most comprehensive protection for the information technology infrastructure of the aforementioned governmental and private organizations, there’s always the possibility of „weak points“, which could be exploited for unauthorized intrusions. If the malware attack remains undetected and has “taken over” just one computer, the problem can quickly spread through the network.
Because of the functional dependency of critical infrastructures on the IT infrastructure, its sabotage could have far-reaching consequences for „physical“ infrastructures. Disabling the IT infrastructure controlling „physical“ infrastructures could lead to more serious and widespread damage than, for example, placing explosive devices in transformer stations or railway tunnels. If the IT infrastructure controlling an electricity grid were to be disabled, that might lead to a large-scale, multi-day „blackout“: supermarkets and gas stations would be closed, modern heating or air-conditioning systems would be off, industrial production would come to a standstill… and panic might spread in the population.
There is no need to indulge in Hollywood-style horror scenarios; one simply needs to be aware of the potential vulnerability of modern industrial society based on information technology. From such an understanding follows logically not only the necessity for the most comprehensive protection of the IT infrastructure, but equally the need to prepare for crisis management under “worst case” conditions. The sober awareness of potential vulnerabilities is the opposite of fear mongering. However, an objective reason for angst would indeed exist if contingency plans for the case of sabotage of the IT infrastructure were missing and, consequently, their implementation had not been exercised.
The Scenario for LÜKEX
The command post exercise LÜKEX 2011 was about crisis management under conditions of large-scale IT sabotage. How seriously such a threat is taken by the German government is evident from the fact that around 3,000 people – predominantly civil servants – participated in the LÜKEX exercise. Under the overall direction of the Ministry of the Interior, the defense, economics, and finance ministries as well as 12 of the 16 federal states were involved. Also involved were the domestic and foreign intelligence services BfV and BND. Operationally, LÜKEX 2011 was directed by the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI).
While the details of the „script“ for the LÜKEX staff exercise are secret, its main features were released to the public: the IT infrastructure of the national government and of some federal state governments is attacked with a new type of malware. Also, the information-processing systems of some private and public operators of critical infrastructures are targeted. The malware can both build a botnet to perform denial-of-service attacks and manipulate data files, making them unusable. The state’s communication capacity and thus its ability to take action is partially paralyzed. Power supply, transportation, and financial services are seriously impaired. The failures in critical infrastructures begin to trigger panic reactions.
In the background discussion, one participant of the exercise said: „A ‚major IT crisis‘ is quite different from catastrophic events we know from past experience. Those catastrophic events have a geographically definable starting point and their spatial extension can be reasonably estimated. When there’s a flood, we calculate the vertex of the flood and take action downstream. In the case of a ‚dirty bomb‘, we can use meteorological data to set up different danger zones. However, an IT crisis is spatially infinite. If there is one vulnerability in a browser, the malware can spread over a large area infecting and compromising a large number of computers. Also, one doesn’t ’see‘ what is going on, as you can see a bomb before it explodes, or a tidal wave rolling in. There are digital electrical signals that are interpreted only within the computer in a way that then makes the computer do something ‚unintended‘ – the computer becomes ‚converted‘. If you are used to localized crisis situations, you will have great difficulties in the assessment of the situation with regard to an IT crisis. And this applies equally to crisis management in case of a large-scale IT crisis. Unfortunately, in cyberspace you cannot rely on the police, fire brigade and ambulance.“
With LÜKEX 2011, the political-administrative crisis management in the event of a major IT crisis was simulated. What that would look like in detail, and what concrete measures would be taken, is secret. The cluster of staff organizations which would run the crisis management, however, is no secret: the “National IT Situation Centre”, the “National Cyber Response Centre”, the „National IT Crisis Response Centre“ and the „National Cyber Security Council“. The very existence of this cluster of state agencies indicates how important the issue of IT security has become.
From official documents it is clear that IT crisis management is primarily the task of the political leadership and civilian government agencies. The primacy of civilian crisis management differs significantly from the more militarized approach of the Americans.
From the official releases on LÜKEX 2011, one can conclude that the crisis management would probably include four major steps (however not necessarily sequentially):
- The first step would be ensuring the capacity to communicate and the ability to act of the crisis management cluster itself.
- The second step would be to ensure/restore the full communications capability – and thus the capacity to act – of the political leadership. The same goes for the administrative/executive bodies at the national and federal state levels implementing emergency measures.
- The third step would be to ensure or restore the integrity of the IT infrastructure for vital “physical” infrastructures.
- The fourth step would be „general“ crisis management, that is, dealing with the material consequences of the disruption and/or breakdown in energy supply, transportation, food supply and payment systems. The latter means „traditional“ crisis management using police, firefighters, the military, Red Cross and other humanitarian and technical assistance services.
The official documents on LÜKEX also show that the media – including the so-called „social networks“ in the internet – play an important role in the “script”. Obviously, the intention here is to counter a mass psychological destabilization of the population. One wants to avert panic reactions in a major IT crisis.
The development of the “screenplay” for LÜKEX 2011 and the organizational preparations for the command post exercise lasted 18 months, and its evaluation will take another 4-5 months. This too demonstrates how seriously the threat of large-scale IT sabotage is taken by the German Government. That other countries worry too is indicated by the participation of official observers from 22 countries, including the USA, Russia, Japan and most EU countries.
Who might be the “Bad Guys”?
This all begs the question: Who would have the motivation and capacity to conduct large-scale sabotage of IT infrastructure with potentially catastrophic consequences? The official documents about LÜKEX 2011 say nothing on that question. One is left with considering „objective possibilities“.
Large-scale IT sabotage could be carried out by non-state actors – organized crime, for example. “IT-crime” or “cyber-crime” is on the rise. The official government estimate of damage from IT-crime in Germany in the year 2010 amounts to € 60 billion. The revenue from IT-crime is about to overtake the proceeds from drug trafficking and other „traditional” activities of mafia organizations. Might mafia organizations want to blackmail governments and/or big infrastructure, industrial or financial enterprises via IT sabotage? Or is this an idea that is more fitting for James Bond movies? The answer to this question is really difficult; how difficult is indicated by the well-known fact that banks usually don’t go public when they become the victim of IT-crime. Banks fear that they will lose their reputation and their customers‘ confidence when they admit that the integrity of their IT infrastructure has been compromised.
„Propaganda by deed“ would be the main motive for terrorist organizations of any ideological orientation to carry out large-scale IT sabotage. Intimidation and blackmail could be additional motives. In order to achieve catastrophic effects, terrorists need not necessarily release toxic gas into the Tokyo subway, detonate bombs in a Madrid commuter train or fly passenger aircraft into New York skyscrapers. Sabotaging electronic control systems of subway systems, air traffic control systems or chemical factories could lead to similar catastrophic consequences as „conventional“ terrorist attacks using „kinetic“ means.
The question is whether terrorist organizations on their own, without the support of an „interested third party“ – that is, state actors – could acquire the technical skills necessary for large-scale IT sabotage. The development of malware capable of penetrating and manipulating the state’s IT infrastructure or that of providers of critical infrastructure is indeed an exceptionally difficult endeavor.
That leads us to state actors as potential originators of large-scale IT sabotage. The Internet opens up a whole new dimension for „covert operations“ by states. With covert operations, a state tries to damage, weaken, destabilize and demoralize another state – without going into open warfare. As early as 2300 years ago, the Indian political theorist Kautilya described covert operations in detail: assassinations, “blind” terrorism, sabotage, psychological warfare – while the originator of these attacks remains hidden. With the Internet, the possibilities of covering up the authorship of covert operations have increased qualitatively: state A can covertly “deposit” the malware for sabotaging the IT infrastructure of state B into computers in state C. When the IT attack against state B occurs, it “originates” from state C – not from the actual IT aggressor. “Non-attribution” is the characteristic feature of IT attacks.
A recent example is the use of the „Stuxnet“ malware to sabotage Iranian nuclear facilities, which was made public in September 2010. Due to the technical sophistication of Stuxnet, it must be assumed that state actors were behind this truly serious case of IT sabotage. Circumstantial evidence would point to American and/or Israeli intelligence services as the originators of Stuxnet – but proof beyond reasonable doubt is not possible. And the same goes for the other publicly reported cases of large-scale IT sabotage – against Estonia, Georgia and Syria.
That many states run IT espionage is an undisputed fact. But the intrusion into the information systems of other countries to spy on them must be clearly separated from the sabotage of the IT infrastructure with potentially catastrophic consequences. Equally a fact is that major sabotage operations against the IT infrastructure of foreign countries have already occurred – as Stuxnet has demonstrated. Thus, the possibility of large-scale sabotage of IT infrastructure with potentially catastrophic consequences is not a paranoid fantasy. The large-scale sabotage of IT infrastructure is a real threat.
Therefore, the preventive and comprehensive protection of IT infrastructure against sabotage and the preparation for crisis management, in the event that large-scale IT sabotage cannot be prevented, is an obvious necessity. A command post exercise like LÜKEX 2011 thus makes eminent sense. And there’s another aspect to this exercise. The “message” from LÜKEX 2011 to potential IT saboteurs – regardless of whether they might have a state or non-state background – is: We are prepared, so don’t count on the element of surprise. Such a „chilling effect” is probably the best contribution to ensuring IT security in Germany – and beyond.