How do you respond when hit by a cyber attack tsunami?
That’s what Cyber Storm II, the most comprehensive cyber exercise ever held in the U.S., was designed to answer.
Forty private sector companies, 11 Cabinet-level agencies, 10 states and five countries were involved in the March exercise, which examined the processes, procedures, tools and organizational response to a multi-sector coordinated attack through, and on, the global cyber infrastructure.
The adversary in the exercise launched simulated coordinated cyber and physical attacks on critical infrastructures within selected sectors to meet specific political and economic goals.
Public, Private Involvement
Greg Garcia, assistant secretary for cyber security and communications at the Department of Homeland Security (DHS), gave highlights of what the DHS learned to an audience at a town hall meeting at the RSA Security Conference in San Francisco.
“The public/private partnership in cyber security is very important,” Art Coviello, president and CEO of RSA Security, said when he opened the meeting. It was a “real thrill” to have this topic revisited in Cyber Storm II and to see that the current administration is involved in it at such a high level because the cooperation “will not take a back seat like before,” he added.
Government cannot tackle the issue of cyber security alone, and it has to be dealt with “on an industry by industry basis,” Coviello said.
Garcia, who has held this post since 2006, said the exercise had three major priorities: to strengthen against cyber attacks; to respond in real time in a synchronized fashion; and to build awareness, “mainly through forums like this.”
Cyber Storm II was “fundamentally about identifying and responding to fast-breaking cyber epidemics — testing our ability to identify and act, validate our ability to respond, and make decisions from the executive level down to the operational level,” Garcia said.
The relationships built up over the 18 months of planning for Cyber Storm II “will last well beyond the one week of the exercise” and will result in better responses and improve our defense capabilities, he added.
Early Connections Essential
The cooperation of industry was, and will be, “critical” when we are under cyber attack, Garcia said.
Another lesson the DHS learned was that social networking is essential well before any threat occurs. Exchanging business cards “in a crisis when your hair is on fire” is of no use, Garcia said.
Cyber Storm II let large corporations exercise across national borders, Garcia said. That will be useful because cyber security “is a planetary issue.”
Panelists on Lessons Learned
Panelists at the Town Hall meeting were Dan Lohrmann, director, Office of Enterprise Security for the state of Michigan; Christine Adams, senior information systems manager at Dow Chemical; Paul McKitrick, business manager of New Zealand’s Center for Critical Infrastructure Protection; Paul Nicholas of Microsoft’s Critical Infrastructure Protection Team; and Randy Vickers, deputy director of the U.S. Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security.
“For IT staff, Storm Cloud II tested our processes and procedures and enhanced our capabilities,” Lohrmann said. “Lots of cities are used to exercising for nuclear attack scenarios but not really for cyber security attacks.”
The 18-month planning process for Cyber Storm II impressed New Zealand’s McKitrick the most. “If the preparation time was all the exercise gave us, developing relationships, the planning process, that would be worth it,” he said.
Although it was generally doing the right things, US-CERT learned a few lessons. “There were still some shortfalls in information sharing, and most of it was as simple as groups or organizations not having the means to share information or having the means but these weren’t robust enough for good information flow,” Vickers said.
One of the new things US-CERT learned is that it needs to take the National Advisory Color System (red for high threat, yellow for low threat and so on) into account. “How do we integrate that with the cyber security alert system?” Vickers said.
Threats Without Borders
While coordination between the public and private sectors is becoming a catchphrase, it isn’t as easy as everyone thinks. “Public-private partnerships roll off the tongue; it’s easy to say but very hard to implement in reality,” Microsoft’s Nicholas said. Constantly exercising these capabilities is crucial: “One of the key takeaways for Microsoft was that exercises are important, and we as a community have to think about drills in the space if we are going to sustain that.”
The international nature of cyber threats was also a concern. “We don’t have borders around cyber security,” Nicholas said. “How do you engage if a cyberstorm lands in another country where our State Department can’t work with them easily?”