security research and disclosure

February 06, 2008

The National Cyber Exercise

Blogger: Trent Henry

It sounds so august: "CYBER STORM" (ok, officially it's just plain ol' "Cyber Storm," but a title like that begs for caps).

What is it? Or rather, what was it? The "National Cyber Exercise" was a 2006 simulation of computer and network attacks sponsored by the Department of Homeland Security (together with other federal agencies). Here's the specific detail from a DHS slide deck:

  • Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance
  • Large scale exercise through simulated incident reporting only – no actual impact or attacks on live networks
  • Specifically directed by Congress ... and coordinated with DHS National Exercise Program

In short, the exercise objective was to pretend that a faux "Worldwide Anti-Globalization Alliance (WAGA)" was attacking U.S. and international interests, and determine how public and private sector targets responded.

Cyber Storm is of interest now for two reasons. First, late last month the Associated Press received a redacted summary report of the exercise results (two years after its Freedom of Information Act request). They found a number of interesting things, many detailed here: news.wired.com. One delicious fact--which supports Burton Group's perspective that insiders are a significant danger--is that someone attacked the off-limits exercise control computers, most likely a participant. When exercises have embarrassingly bad outcomes because people don’t follow the rules, it frequently turns out that the rules have been designed to produce an unrealistically rosy picture of reality. The fact that this happened should be taken as a sign that the exercise conditions were unrealistic, and that in a real incident the results would be even worse than those shown by the exercise. There are many historical precedents for this.

Another important fact, reported by the AP, is that "key players didn’t understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it didn’t have enough technical experts." This suggests that there's confusion in the public-private partnership for attack response, and we need better escalation procedures and fuller participation of private companies (who, by some accounts, own 85% of U.S. critical infrastructure).

This brings us to the second reason for interest in this story: Cyber Storm II. That's right, a repeat of the exercise is taking place in March 2008. DHS spells out the mission here: www.us-cert.gov/reading_room/infosheet_CyberStormII.pdf. In addition to expected public-sector agencies, "private sector players from the Information Technology (IT), Transportation (Rail and Pipe), and Chemical sectors along with multiple Information Sharing and Analysis Centers (ISACs) are scheduled to participate."

Here's what's weird: no one's discussing the exercise. Actually, I'm guessing that's not strictly true. Who's not discussing it is Burton Group clients; and they represent hundreds of the largest organizations in the world and own/operate important global infrastructure. These organizations routinely ask us probing questions about information protection, incident response, security program management, and the like. I'm pretty surprised that Cyber Storm hasn't come up. Not even once.

Now, there are some possible reasons for this. First, DHS might be asking people to keep quiet for national security reasons. I could possibly buy that argument. Outside the exercise participants, too much knowledge could be a dangerous thing (and even among participants, could taint the exercise results). On the other hand, if the exercise results show that there is a problem to be fixed and that there’s a shortage of technical experts, thought-leading third parties (such as, I might add humbly, Burton Group) should be among the first people both our customers and DHS turn to – us and security consulting firms. If they’re not looking for such help, then I'm concerned they’re sweeping the problem under the rug. Second, enterprises might not feel that industry analysts are important pieces of this particular puzzle. Again, that's something I could buy--but it's at odds with the other intimate advice we offer to security planners, including security architecture for major systems. Third, our client list simply might not intersect with the invited participants, which, while plausible, means that some really important players are being ignored.

Here's what makes me nervous: the possibility that DHS isn't really involving the private sector. That is, amid the massive list of prospective Federal, State, local, and international government participants, individual companies are but a minuscule component. Given the importance of financial services, energy, and other private sectors, this prospect gives me pause. We've heard anecdotes from clients that FBI InfraGard and other public-private security contact points aren't fulfilling their promise. Although there's talk of partnership, in the end most organizations don't have clear lines of escalation or incident response to federal authorities. It's my hope that Cyber Storm and its progeny begin to close this gap. But so far, no one's talking.

So help me understand: Is the National Cyber Exercise adequately exercising all stakeholders? If so, please speak up! If you can, let me know...

November 21, 2007

The Security Researcher in Plato's Cave

Blogger: Bob Blakley

In Plato's cave, the things we see are just shadows cast by an archetype, which we cannot see, outside the cave. We have to infer the archetypes by examining the shadows.

Here's an archetype:

a. An individual uses a product for its intended use and observes that in that intended use the product is hazardous.

b. The individual publicizes the fact that the product is hazardous.

c. Consequences ensue.

Now let's look at two shadows of this archetype.

1.

a. Shelby Esses of Jacksonville, Ark. gives her son Jack a number of SpinMaster Aqua Dots - a toy designed to let children create pretty designs.

Jack swallows the Aqua Dots and loses consciousness. Jack is hospitalized and it is discovered that the Aqua Dots are coated with a substance that is metabolized into a poison.

b. In due time, this incident is reported to the US Department of Health and the media.

c. The product is recalled. Its Australian distributor (Moose Enterprises), its American distributor (Toronto-based Spin Master) and its Chinese manufacturer are publicly identified and may be subject to legal action or government sanctions.

(links:
http://www.nytimes.com/2007/11/08/business/worldbusiness/08recall.html?_r=1&oref=slogin

http://www.cnn.com/2007/US/11/08/toys.daterapedrug.ap/)

2.

a. Dan Egerstad, a Swedish security researcher, configures a Tor exit server and observes sensitive traffic flowing in the clear through this server.

b. Dan publicizes the hazard to security and privacy by revealing the information he has observed flowing through his server.

c. Dan Egerstad is arrested. There is no evidence that the users of Tor servers have changed their behavior, Tor has not been recalled or revised, the Tor site has published no advisory, and no one appears to contemplate action against Tor's designers.

(links:
http://www.schneier.com/blog/archives/2007/11/dan_egerstad_ar.html
https://www.torproject.org/)

Arresting security researchers for publicizing flaws isn't new; just ask Chris Soghoian or DVD Jon. Winston Churchill recognized the problem, and the solution. He said "I decline utterly to be impartial between the fire brigade and the fire".

Security researchers are not the enemy. Jailing them is based on the assumption that the enemy is dumber than we are, and will not figure out how to attack systems unless we tell him. This assumption is false.

Operating under this assumption and jailing security researchers will have the effect of ensuring that the good guys cannot work together to build an effective defense, while bad guys can work together to build effective attacks.

If society decides that these are the rules they want us (security researchers) to play the game by, we will play the game by these rules - because we're the good guys, and we believe in following the rules.

But if we play the game by these rules, we will probably lose. And so will you.

You pays your money and you takes your choice, but you only gets what you pays for. Think about how you want to treat your fire brigade. Your life - or at least your bank account - might depend on it one day.