Security and Risk Management Strategies Blog

Blogger: Trent Henry

It sounds so august: "CYBER STORM" (ok, officially it's just plain ol' "Cyber Storm," but a title like that begs for caps).

What is it? Or rather, what was it? The "National Cyber Exercise" was a 2006 Homeland Security (and other federal agencies) sponsored simulation of computer and network attacks. Here's the specific detail from a DHS slide deck:

• Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance
• Large scale exercise through simulated incident reporting only – no actual impact or attacks on live networks
• Specifically directed by Congress ... and coordinated with DHS National Exercise Program

In short, the exercise objective was to pretend that a faux "Worldwide Anti-Globalization Alliance (WAGA)" was attacking U.S. and international interests, and determine how public and private sector targets responded.

Cyber Storm is of interest now for two reasons. First, late last month the Associated Press received a redacted summary report of the exercise results (two years after its Freedom of Information Act request). They found a number of interesting things, many detailed here: news.wired.com. One delicious fact--which supports Burton Group's perspective that insiders are a significant danger--is that someone attacked the off-limits exercise control computers, most likely a participant. When exercises have embarrassingly bad outcomes because people don’t follow the rules, it frequently turns out that the rules have been designed to produce an unrealistically rosy picture of reality. The fact that this happened should be taken as a sign that the exercise conditions were unrealistic, and that in a real incident the results would be even worse than those shown by the exercise. There are many historical precedents for this.

Another important fact, reported by the AP, is that "key players didn’t understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it didn’t have enough technical experts." This suggests that there's confusion in the public-private partnership for attack response, and we need better escalation procedures and fuller participation of private companies (who, by some accounts, own 85% of U.S. critical infrastructure).

This brings us to the second reason for interest in this story: Cyber Storm II. That's right, a repeat of the exercise is taking place in March 2008. DHS spells out the mission here: www.us-cert.gov/reading_room/infosheet_CyberStormII.pdf. In addition to expected public-sector agencies, "private sector players from the Information Technology (IT), Transportation (Rail and Pipe), and Chemical sectors along with multiple Information Sharing and Analysis Centers (ISACs) are scheduled to participate."

Here's what's weird: no one's discussing the exercise. Actually, I'm guessing that's not strictly true. Who's not discussing it is Burton Group clients; and they represent hundreds of the largest organizations in the world and own/operate important global infrastructure. These organizations routinely ask us probing questions about information protection, incident response, security program management, and the like. I'm pretty surprised that Cyber Storm hasn't come up. Not even once.

Now, there are some possible reasons for this. First, DHS might be asking people to keep quiet for national security reasons. I could possibly buy that argument. Outside the exercise participants, too much knowledge could be a dangerous thing (and even among participants, could taint the exercise results). On the other hand, if the exercise results show that there is a problem to be fixed and that there’s a shortage of technical experts, thought-leading third parties (such as, I might add humbly, Burton Group) should be among the first people both our customers and DHS turn to – us and security consulting firms. If they’re not looking for such help, then I'm concerned they’re sweeping the problem under the rug. Second, enterprises might not feel that industry analysts are important pieces of this particular puzzle. Again, that's something I could buy--but it's at odds with the other intimate advice we offer to security planners, including security architecture for major systems. Third, our client list simply might not intersect with the invited participants, which, while plausible, means that some really important players are being ignored.

Here's what makes me nervous: the possibility that DHS isn't really involving the private sector. That is, amid the massive list of prospective Federal, State, local, and international government participants, individual companies are but a miniscule component. Given the importance of financial services, energy, and other private sectors, this prospect gives me pause. We've heard anecdotes from clients that FBI Infragard and other public-private security contact points aren't fulfilling their promise. Although there's talk of partnership, in the end most organizations don't have clear lines of escalation or incident response to federal authorities. It's my hope that Cyber Storm and its progeny begin to close this gap. But so far, no one's talking.

So help me understand: Is the National Cyber Exercise adequately exercising all stakeholders? If so, please speak up! If you can, let me know...