By Daniel Pulliam
January 1, 2007
Testing might not improve our ability to respond to and recover from crippling cyber-attacks.
Two key members of your cybersecurity staff just won the lottery. Two hundred million dollars richer, they walk off the job in the midst of escalating Internet attacks on your networks. Isolated electrical systems are failing, telecommunications are experiencing sporadic outages and your state's Amber Alert system has been hijacked. A couple of online cyber criminals say they can make it all go away, for a price.
Sounds bad, and it was, but it was only a test, a worst-case scenario of network attacks on federal agencies, state and local governments, and the private sector. In what organizers say should be the first of many periodic events, network guardians came together a year ago to conduct the Cyber Storm exercise. The results, released in an after-action report, were not good, and as organizers rev up for another test in 2008, there's little reason to expect a better performance.
Because the exercises are congressionally mandated, their federal backers are naturally enthusiastic. Outside security experts don't fault the test for lack of drama and challenge, but they wonder whether anything comes out of it. In all, the Homeland Security Department spent $3 million to mount Cyber Storm over five days in February 2006.
One problem is that participants are self-selected volunteers. The 110 government organizations, international partners and private sector associations that signed up already care and know about the importance of having good cybersecurity. Cyber Storm may have challenged their skills, but it assumed that a real attack would pull together legions of ready and willing responders.
The agencies, organizations and corporations that don't care and aren't involved with exercises are the ones information security officials are most concerned about. The second Cyber Storm is supposed to enlist new players.
Still, that doesn't address another question: What do willing participants get out of such tests? Paul Kurtz, executive director of the Cyber Security Industry Alliance, says Cyber Storm revealed problems of coordinating response to a massive cyberattack, but didn't yield many surprises. "We don't have clarity in roles and responsibilities, but we knew that already," Kurtz says.
The after-action report produced recommendations familiar to anyone knowledgeable about federal coordination of emergency response. Contingency plans should be solidified, a training program is needed, and network security personnel must get better at seeing connections among cyber incidents occurring across multiple infrastructures.
John A. McCarthy, director and principal investigator of the Critical Infrastructure Protection Program at George Mason University School of Law, echoes Kurtz. "Did we need a $3 million exercise to tell us that the interagency process is not established and working?" he asks.
Jeffrey Wright, exercise director in the Homeland Security Department's national cybersecurity division, says the findings might not have been surprising, but the exercise gave participants an opportunity to focus on nettlesome areas.
The next Cyber Storm will include the first DHS assistant secretary for cybersecurity and telecommunications, Gregory Garcia, who was named in September 2006 after the position sat vacant for 14 months.
McCarthy says exercises promote better coordination between the private and public sectors by forcing them to work together. But the worth of the next Cyber Storm should be measured by true advances in capability, says Kurtz: "To truly capitalize on the exercise means taking the lessons and putting in place the mechanisms necessary to handle a large-scale event."