In the early 1960’s, the United States implemented the Single Integrated Operating Plan (SIOP) at the request of then President John F. Kennedy, and in response to the imminent possibility and threat of a nuclear attack from the former Soviet Union. The purpose of this plan was to organize and coordinate the actions of the Federal Government and the Strategic Triad forces of the Department of Defense (DoD) to quickly respond to, and maximize, the survivability of the Nation in the event of such an attack.
The SIOP included, amongst other elements, a communications plan, operational orders, and alert exercises-drills, to ensure soldiers, sailors and airmen’s actions were coordinated "to the minute", while striking or retaliating in response to a nuclear attack. These drills were relentlessly pervasive and realistic, such that in the event of an actual event there would be no mistakes, no hesitation, just flawless execution.
While treaties and diplomacy have managed to reduce the risk of a nuclear conflict (at least until recently), there are other threats to the very survivability of our Nation, clearly different than, but no less devastating, than a nuclear weapon. Enter stage-right the weaponized cyber-attack.
We developed and rehearsed the SIOP for an event that takes anywhere from 20 to some 30 minutes to develop; the flight-time for an intercontinental ballistic missile (ICBM) to strike the United States mainland (CONUS). Including our detection and confirmation time, we have less than a quarter of an hour to validate orders, and execute as trained and planned.
Forget hours and minutes; in the age of the Internet of Things (IoT), a well-coordinated cyber-attack can render critical infrastructure out of commission in a matter of seconds. Power grids can be shut down, banking systems disrupted, logistics and supply/food chains interrupted, communications simply gone. Ok, take away the radiation and the impact on our way of life could be on the same order of magnitude.
How would we respond to a full-on cyber-attack?
Here are some kickers. In a nuclear attack, the weapon is clearly identifiable; its origin very much verifiable and its purpose definitely military. (It’s not like NORAD would detect an inbound ICBM and think it is a peace offering device delivering an Amazon Prime package.) In a cyber-attack, the purpose and form of the attack is almost always disguised; its origin or attribution nearly impossible to trace; and it may first manifest itself in the civilian/commercial world, not in the “Pentagon’s” computers.
If a full-on cyber-attack against the United States commences in our banking infrastructure, or better yet, say in one of our cellular networks, at what point does the private enterprise problem become a matter of National Security? Who makes that call? How does the DoD and Corporate America respond in a single and integrated fashion to ensure success? This is not a simple proposition.
Drilling the SIOP alert exercises was relatively easy in that the soldiers, sailors and airmen of the Strategic Triad, all responded to the orders of a clearly established Chain of Command. How quickly would you think it will be, for example, for AT&T to open their kimono and share with authorities the fact that they suspect or know they have a critical problem on their network’s backbone? How will they get help and from whom? The DoD? Homeland Security? Again at what point, if ever, does the problem get to be an issue of National Security?
Depending on its complexity and sophistication, we may indeed have more than thirty minutes to respond to a cyber-attack. Then again, we may only have time to send just one more text or make one more call; and 911 is not a valid option for this emergency.
If we don’t relentlessly and pervasively plan ahead and prepare for a full-on cyber-attack, and how to successfully respond to and recover from it, we are in for a hard road ahead. Especially when we know with little doubt that there are many more “nations” (recognized or rogue) with cyber-forces attacking us even as you read this blog, than there are nuclear capable nations willing to use them as an option, if ever at all. If we had the SIOP, then why wouldn’t we, as a Nation, have a similarly relevant cyber-response plan?