An Imperfect (Cyber) Storm
SAN FRANCISCO -- Say a highly organized, international group of anti-globalization organizations coordinated a protest attack on the network infrastructure of the United States. Maybe disgruntled individuals and opportunistic hackers quickly launched their own attacks when they saw what was going on.
If a systems glitch could black out the entire northwest in 2003, what kind of damage could such a concerted assault produce?
You might say that the biggest question is: Why hasn't it happened yet?
The federal government has been working with private companies and security vendors to develop protocols and communications systems that will let them respond quickly and share relevant information on threats and attacks. On March 10, they put the system to the test.
Cyber Storm II was an international exercise, conducted by the U.S. Department of Homeland Security on March 10 through 14 in Washington, D.C. High-level participants provided some general comments about what they learned in a panel discussion held at the RSA Conference on Wednesday.
"It fundamentally was about identifying and responding to a fast-breaking cyber-epidemic. It tested our ability to identify an attack, validate or correct the analysis with our partners -- because we were all getting different pieces of information -- and to respond individually and collectively," said Greg Garcia, assistant secretary for cyber security and communications for the Department of Homeland Security (DHS).
Cyber Storm II simulated attacks via control systems, networks, software, and social engineering to disrupt transportation and energy infrastructure elements of state, federal and international government agencies.
The exploits were intended to degrade government operations and the delivery of public services, diminish the ability of authorities to help fend off attacks on other sectors and undermine public confidence.
Homeland Security hasn't disclosed the nature of the simulated attacks, but the first Cyber Storm's threats ranged from denial of service attacks on the oil and gas pipeline map to unauthorized access of the FAA network, crashing the flight control system. Simulated protesters defaced newspaper Web sites and posted the No Fly List on the public Web. They sent false Amber alerts, compromised the HIPAA database and turned off the heat in government buildings.
"In Cyber Storm I, we learned lessons on what we needed to do to get information and propagation strategies out, and get information back," said Randy Vickers, associate deputy director of the U.S. Computer Emergency Readiness Team. "We wanted to leverage II to understand how we take information we discover, develop mitigation strategies and propagate that out."
Congress mandated these exercises to assess the nation's cyber security preparedness and response capabilities. The March exercise simulated a coordinated attack on information technology, communications, chemical, and transportation systems and assets.
Participants included 18 federal departments and agencies, the states of California, Colorado, Delaware, Illinois, Michigan, N.C., Pennsylvania, Texas and Virginia, as well as Australia, Canada, New Zealand and the United Kingdom. Private-sector companies included Cisco, Dow Chemical, Juniper Networks, McAfee, Microsoft and Wachovia.
The second exercise was a shake-down cruise for the strategies and processes put in place following the first Cyber Storm, held in 2006. DHS will publish an after-action report in the fall saying how the group plans to improve, based on what it learned from the exercise.
Garcia said one thing the exercise taught the agency was how critical vendors are in time of crisis. "They built the products and they know how they work," he told the audience, urging them to start networking now. "Build and respect those relationships -- and exchange those business cards now," he said, "rather than in a crisis with your hair on fire."