March 13, 2008
Workers operating networks supporting the nation's critical infrastructure such as telecommunications and transportation need better training on how to manage backup systems in case cyberattacks take down main systems, said a top Homeland Security Department official Thursday. That's one of the lessons learned during a DHS simulation of a large-scale coordinated cyberattack on the nation's infrastructure networks. The exercise, called Cyber Storm II, ends Friday, and DHS plans to release an after-action report this summer.
Cyber Storm II builds on the lessons learned in the first Cyber Storm in February 2006. Most information security experts considered that exercise a wakeup call to government to improve the security of critical networks. Recommendations issued after the first Cyber Storm included improving contingency plans, better and more frequent training programs and a more detailed view of the nation's IT architecture, the improvements of which were theoretically tested in Cyber Storm II.
Cyber Storm II, the largest such exercise ever organized, kicked off Monday with five countries, 18 federal agencies, nine states and more than 40 private-sector companies participating. The exercise's players received "injects" that simulated potential threats launched through e-mails, phone, faxes, Web sites and in-person contacts. Participants were expected to implement crisis response systems and follow policies and procedures to deal with the attacks and determine which were false alarms and which were legitimate.
"This is not scripted," said Greg Garcia, assistant secretary for cybersecurity and communications at DHS, during a press briefing. "Players are not aware of what's coming at them next… . The volume and sophistication of attacks has strained some of the best and brightest, which is just what this exercise is meant to do."
DHS officials declined to comment on the specifics of the results. But they said that the kinds of scenarios participants faced included damaged phone lines, Internet failures, which tested the backup capabilities that enabled continued communication, and access to critical information during a crisis.
"We've learned some lessons," said Robert Jamison, undersecretary of the National Protection and Programs Directorate at DHS. "We spend a lot of time working on redundancy capabilities" that help eliminate single points of system failure. "While it all worked, there continues to be a need to train people in those capabilities."
Participating in the original Cyber Storm were 12 federal agencies, three states and 24 private sector companies. Cyber Storm II tested the degree of coordination among a larger group of participants, and it incorporated simulations of current, more sophisticated threats - including various types of 'botnets,' which use malicious code to run coordinated system attacks, phishing attempts that trick users into providing system access and denial of service attacks that can shut down a system.
Most Cyber Storm II participants responded to scenarios from their regular working locations using standard channels of communications, though the primary control center, or "brain" of the exercise, was located in a conference room at the U.S. Secret Service headquarters in Washington. Areas of the room are divided into sections, with each representing a different industry sector: chemical, telecommunications, state and local government, among others. The groups collaborate to combat cyberattacks that cut across sectors. "The challenge is mirroring the real problem," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "If this happened in real life, there would be 100 people you'd have to talk to right away, and you might not have the 100 people that represent the correct groups present and active during Cyber Storm II. It's a matter of making sure the game reflects the real problem, which is an issue of coordination, not technology. If solving the problem largely involves walking from [one side] of a room [to] another, that's not the real world … . That said, it's still good. Before, DHS didn't know how to do tests, and now they're learning."
DHS will immediately begin the analysis that will appear in the after-action report this summer, with lessons learned incorporated into procedures and the long-term Cyber Initiative under development, Jamison said.
March 13, 2008