Lessons from Cyber Storm II
- By William Jackson
- Apr 09, 2008
SAN FRANCISCO - When things start to go bad on the Internet, communication is the critical element in an effective response, participants in the recent Cyber Storm II exercise said Wednesday at the RSA Security conference.
'There was still a shortfall in information sharing,' said Randy Vickers, associate deputy director of the U.S. Computer Emergency Readiness Team (US-CERT), the national center for first response in cybersecurity.
Vickers was part of a panel of government and industry participants in the recent exercise who shared their lessons. The discussion was short on specifics because participants signed nondisclosure agreements to ensure that sensitive data about systems and vulnerabilities is not leaked. An after-action report is expected to be published this fall, but among the preliminary lessons discussed, the need for communication was the one recurring theme.
'Cyber Storm II was fundamentally about identifying and responding to a fast-breaking cyber epidemic,' said Greg Garcia, assistant secretary for cybersecurity and communications at the Homeland Security Department.
The weeklong exercise held last month was the product of 18 months of planning and involved 18 U.S. federal agencies, five countries, nine states, 40 companies, and 10 information sharing and analysis centers. The scenario involved disruptions of telecommunications, the Internet and control systems.
'One of the things we learned was how important vendors are in a crisis,' Garcia said. They are the ones who know what the products are and how they work. Agencies and companies need to establish strong relationships with vendors of critical systems well in advance of a crisis, he added.
Vickers said US-CERT had learned the need for effectively gathering and disseminating information in the original Cyber Storm exercise and built on that in preparation for the second Cyber Storm. 'We're doing things right,' he said. 'It is still better than it was,' but there are improvements to be made.
Paul Nicholas, senior security specialist at Microsoft Corp., said cooperation is tougher than it looks.
'Public/private partnership is easy to say, but it's very hard to do in reality,' he said. That is why communication channels must be established, tested and kept fresh well in advance of a crisis. That includes activities as mundane as having an up-to-date list of contacts with current telephone numbers and alternate means of contact.
Cyber Storm II was a more realistic test than the original one, which was essentially a tabletop exercise. People took part in the latest exercise from their working environments, while controllers at a central DHS facility 'injected' the problems. But it still fell short of a fully competitive exercise with a red-team enemy. The exercise is not yet ready for that environment, Vickers said. 'Maybe in the future.'
William Jackson is a Maryland-based freelance writer.