High-stakes war games
Cyber Storm II tests public and private sectors' ability to cooperate, communicate
The Homeland Security Department recently hosted a number of federal, state, local and international government agencies along with more than 40 private-sector companies in the second in a series of large-scale cyber defense exercises.
The Cyber Storm exercises are intended to test the technical and organizational limits of responses to a cyber attack.
'When the Internet burns to the ground, how are you going to get updates?' is how Carl Banzhoff, vice president and chief technology evangelist at McAfee, summed it up.
U.S. networks are under attack around the clock, said Bob Dix, vice president of government affairs at Juniper Networks.
'Our adversaries are trying to infiltrate and take information from our systems. One of the things that Cyber Storm addressed was the interdependency across sectors. This was a successful collaboration between industry and government. Industry was invited from the very beginning.'
Dix and Banzhoff were planners of and participants in Cyber Storm II, held March 10 through 13. Dix was part of the central Control Cell, which monitored activities and injected alerts and situations that set off the scenarios to which players around the world responded.
Despite the success of the exercise, it pointed up some weaknesses in the country's ability to respond to cyber attacks, Dix said. 'We are still inherently governmental in our thinking about incident response,' he said. Private- and public-sector resources need to be more fully integrated, as do responses to natural disasters and intentional attacks.
Despite some progress in this area, 'the government has not figured that out yet completely.'
Participants will be meeting during the next several months to discuss the lessons learned and prepare an after-action report, although not much of the report will be released to the public.
'The details are kept pretty confidential,' and participants sign nondisclosure agreements, Banzhoff said. Some of the information involved in the exercise is classified, and some of it could be embarrassing. 'Even though the scenarios are simulated, if a lot of the details are known, it could be turned into a negative event for the participants.'
DHS' National Cyber Security Division hosts the exercises as part of the department's National Exercise Program. Cyber Storm I was held in February 2006 and involved 115 federal, state and local government organizations along with companies from the information technology, communications, energy and air transportation sectors. The exercises are conducted on a biennial schedule, and plans are under way for a third Cyber Storm.
'We spent the last 18 months planning this,' Banzhoff said. 'It's a huge organizational effort.'
The 2006 event was more limited in its international scope.
Participants in the recent exercise built on lessons learned from the original exercise as they collaborated on development of the attack scenarios that would be thrown at them. The goal was to test communications, coordination and partnerships across sectors.
Cyber Storm II was a distributed exercise, with participants interacting from offices around the world. The control center at a DHS facility in Washington distributed e-mail, phone, fax, in-person and Web-based messages simulating effects and incidents to be dealt with or responded to.
In the overarching scenario, fictitious adversaries with a specific political and economic agenda used sophisticated attacks to create a large-scale incident.
Planners developed segments of the scenario based on their own objectives for the exercise.
'The level of trust among people in the exercise is now pretty high,' Banzhoff said.
However, Dix added, that doesn't always translate to the real world, where 'the greatest impediment to sharing information still is trust.'
'The government can't do it alone,' he said. 'There ought to be a joint operations center' that would incorporate industry representation in something on the scale of the U.S. Computer Emergency Readiness Team.
DHS has begun the effort with an integrated situation center, but it needs to be fully funded and fully staffed, Dix said. 'We've taken some key steps in that direction in the last year or so, but it still needs to evolve. Cyber Storm pointed that out for me.'