U.S. Government to Put Cyber Katrina to the Test

Government agencies are conducting electronic war games called "Operation Cyber Storm" that mimic the effects of massive cyber-attacks and physical attacks.

U.S. Government agencies are conducting electronic war games this week to test the governments ability to respond to the digital equivalent of Hurricane Katrina.

The exercise, dubbed "Operation Cyber Storm," was postponed for two months because of Katrina, but will take place between Feb. 6 and Feb. 10.

The exercise will mimic the effects of a large-scale cyber-attack that affects the IT, transportation, energy and telecommunications sectors, according to published information.

The exercise is sponsored by the Department of Homeland Securitys NCSD (National Cyber Security Division). Representatives from a number of U.S. government agencies will participate, including the Departments of Commerce, Defense, Energy, Justice and Transportation.

/zimages/4/28571.gifSurvey: U.S. adults fear cyber-crime more than physical crime. Click here to read more.

In addition, private companies participate through ISACs (Information Sharing and Analysis Centers), including the IT-ISAC and Telecommunications ISAC.

DHS did not respond to requests for comment.

Representatives from Cisco Systems, Citadel Security Software, Computer Associates International, Computer Sciences Corporation, Intel, Microsoft, Symantec and VeriSign are taking part, according to information published by the IT-ISAC.

Details about the specific scenario that is being used in Cyber Storm are not public. However, the government has said the test scenario will involve cyber-attacks and physical attacks that disrupt transportation and energy infrastructure, coupled with attacks on the state and federal IT infrastructure that undermine the publics confidence by crippling its ability to deliver public services and respond to the attacks.

The exercise is designed to assess the governments ability to communicate internally with the private sector about situational awareness, decision making and proper response to attacks.

DHS has said little publicly about the war game, despite recent news articles. The agencys silence prompted inquires to The SANS ISC (Internet Storm Center) from IT administrators around the globe who were concerned that their networks might be affected, said Marc Sachs, an ISC volunteer.

"People are worried that DHS is about to hack the planet," he said.

Despite its name, Cyber Storm is more akin to a "tabletop" exercise than a real-life simulation of a cyber-attack. It is designed, primarily, to test the mettle of high-level government decision-makers, Sachs said.

"The general idea is to do simulated tests. Theyre not firing live bullets," he said. "The senior people dont need the technical side to make decisions. They know what a [denial-of-service] attack is like."

/zimages/4/28571.gifClick here to read about how cyber-looters capitalized on Katrina.

Cyber Storm was originally scheduled for Nov. 2005, but was postponed because of the governments need to respond to Hurricane Katrina in Mississippi and Louisiana. Ironically, that natural disaster created real-life versions of many of the conditions that government planners will test this week.

But Cyber Storm is designed to prevent the kinds of mishaps and miscommunications between agencies that respond to cyber threats as those that marred the response to Katrina, Sachs said.

"With Katrina, the problem was with the very senior decision-makers. Once the senior people got their act together, you saw the lower level decision-makers start to coordinate," he said.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.