The Single Integrated Operating Plan (SIOP) Concept applied to Cyber Defense

How would we respond to a full-on cyber-attack?

In the early 1960s, the United States implemented the Single Integrated Operating Plan (SIOP) at the request of then President John F. Kennedy, in response to the imminent possibility and threat of a nuclear attack from the former Soviet Union. The purpose of this plan was to organize and coordinate the actions of the Federal Government and the Strategic Triad forces of the Department of Defense (DoD), so that the Nation could respond quickly to such an attack and maximize its survivability.

The SIOP included, amongst other elements, a communications plan, operational orders, and alert exercises and drills, to ensure that the actions of soldiers, sailors and airmen were coordinated to the minute while striking or retaliating in response to a nuclear attack. These drills were relentlessly pervasive and realistic, so that in an actual attack there would be no mistakes, no hesitation, just flawless execution. It takes some 30 minutes of flight time for an intercontinental ballistic missile (ICBM) launched from the former Soviet Union to strike the United States mainland (CONUS). After our detection and confirmation time, we had less than a quarter of an hour to validate orders and execute as trained and planned.

While treaties and diplomacy have managed to reduce the risk of a nuclear conflict (at least until recently), there are other threats to the very survivability of our Nation, clearly different from, but no less devastating than, a nuclear weapon. Enter stage-right the weaponized cyber-attack.

In the age of the Internet of Things (IoT), a well-coordinated cyber-attack can render critical infrastructure out of commission in a matter of seconds. Power grids can be shut down, banking systems disrupted, logistics and supply/food chains interrupted, communications simply gone. Take away the radiation, and the impact on our way of life could be on the same order of magnitude.

How would we respond to a full-on cyber-attack?

Here are some kickers. In a nuclear attack, the weapon is clearly identifiable, its origin very much verifiable, and its purpose definitely military. (It’s not like NORAD would detect an inbound ICBM and think it is a peace offering delivering an Amazon Prime package.) In a cyber-attack, the purpose and form of the attack are almost always disguised; its origin is nearly impossible to attribute; and it may first manifest itself in the civilian/commercial world, not in the “Pentagon’s” computers.

If a full-on cyber-attack against the United States commences in our banking infrastructure, or, better yet, in one of our cellular networks, at what point does a private enterprise problem become a matter of National Security? Who makes that call? How do the DoD and Corporate America respond in a single and integrated fashion to ensure success? This is not a simple proposition.

Drilling the SIOP alert exercises was relatively easy in that the soldiers, sailors and airmen of the Strategic Triad all answer to the Commander in Chief. How quickly, for example, do you think AT&T would open their kimono and share with authorities the fact that they suspect or know they have a critical problem on their network’s backbone? How will they get help, and from whom? The DoD? Homeland Security? At what point, if ever, does the problem become an issue of National Security?

Depending on its complexity and sophistication, we may indeed have more than thirty minutes to respond to a cyber-attack. Then again, we may only have time to send one more text or make one more call, and 911 is not a valid option for this emergency.

If we don’t relentlessly and pervasively plan ahead and prepare for a full-on cyber-attack, and for how to successfully respond to and recover from it, we are in for a hard road ahead, especially when we know with little doubt that there are many more “nations” (recognized or rogue) with cyber-forces attacking us even as you read this blog than there are nuclear-capable nations willing to use their weapons as an option, if ever at all. If we had the SIOP, then why wouldn’t we, as a Nation, have a similarly relevant cyber-response plan?