U.S. Government officials and private sector representatives held a press conference the afternoon of Feb. 10 to declare the Cyber Storm digital war game exercise a success.
The governments first full-scale exercise to test federal, state and local response to a cyber-attack improved coordination between the public and private sectors and government agencies, according to George Foresman, Under Secretary for Preparedness at the U.S. DHS (Department of Homeland Security).
Experts who attended the exercise said Cyber Storm did a good job of mimicking a realistic attack, but that the U.S. government needs to do more to prepare for the real thing.
DHS ran the week-long exercise, which involved 115 public, private and international agencies.
The so-called “table-top” exercise was similar to other war planning events conducted by the Department of Defense, and did not involve any hacking of systems or attacks, according to Scott Algeier, executive director of the IT-ISAC (Information Technology Information Sharing and Analysis Center).
The Cyber Storm scenario imagined a combined physical and Internet-based attack designed to sow confusion. It involved a series of targeted Internet attacks on strategic public and private sector entities.
The attack coordinators, based in Washington, also introduced extraneous events and information into the exercise.
Participants were asked to communicate, weed out extraneous information and detect the larger attack that lay behind the isolated events, Algeier said.
“It was about players connecting the dots and seeing what was going on,” he said.
Private sector companies, including Microsoft, VeriSign and the CERT Coordination Center at Carnegie Mellon University, helped DHS design the scenario and played a role in the simulated attack, said Jerry Cochran, senior security strategist at Microsoft, in Redmond, Wash.
“I was pleasantly surprised about how this came together. There was good collaboration between government and the private sector,” Cochran said.
“It was an excellent experience,” said Steve Solomon, CEO of Citadel Security Software in Dallas, Texas. “This is just what the public and private sector should be doing.”
Citadel does vulnerability research and helped contribute attack scenarios to the exercise, according to a company spokesperson.
“What was impressive about [Cyber Storm] was that it was complex enough to be real,” said Alan Paller, director of research at the SANS Institute in Bethesda, Md.
Paller observed one day of the exercise from the Cyber Storm coordination center at a U.S. Secret Service building in Washington, and said participants had to respond to more than 800 “injects,” or planned events that required a response. Some of those were part of the actual attack, but others were unrelated “noise,” Paller said.
“It [was] more like a real-world situation where youre dealing with junk and with the really bad things,” he said.
Even though Cyber Storm didnt test any real hacks, it did put key decision makers from the private and public sectors, including organizations like the Red Cross, in the same room, Paller said.
“It wasnt just a bunch of paid consultants,” Paller said.
However, participants in the exercise were reluctant to draw any conclusions about the nations preparedness to fend off a large-scale cyber-attack.
“Theres some immediate value [to Cyber Storm], but … we need more time to reflect on the entirety of the exercise before we can come up with concrete lessons learned,” Algeier said.
Paller said Cyber Storm was great for testing inter-agency communication and coordination, but it didnt test out coordination with large ISPs and Internet backbone providers who would need to response to a large scale Internet-based attack.
DHS is planning an event later this year with members of IT-ISAC that will test response to attacks that attempt to bring down the Internet, Algeier said.
Regardless of the outcome of Cyber Storm, just conducting the exercise has benefits, participants agreed.
“There are no bad sides to doing an exercise like this,” Cochran said.