Federal Attorney-General Robert McClelland has today released the official findings from the international cybersecurity event Cyber Storm III held last year in September.
The exercise aims to test crisis management processes for government and industry during a cyber attack, with an interim cybersecurity crisis management plan tested when the exercise was run last year from 27 September to 30 September.
Around 50 Australian government organisations and 30 banking, finance, energy, food transport, water, IT and communications companies took part, including Telstra, Woolworths, ANZ, ASX and auDA.
The exercise was coordinated from a central control hub in Canberra. From there, "events" (said to include emails reporting problems and phone calls asking questions) were distributed, which required responses from participants. No live systems were used for the tests, which were purely simulated.
According to a report written by specialist consultants, companies were tested on decision making and response coordination, along with the effectiveness of communications paths, looking for instance at sharing sensitive information without compromising intellectual property or national security.
Federal Attorney-General Robert McClelland had said previously that Cyber Storm III was to test relationships between the government and the private sector, as well as across the nation's burgeoning cyber defence chain, which includes the Computer Emergency Response Team and Cyber Security Operations Centre in the Defence Signals Directorate.
The US director of the Cyber Storm event, Brett Lambo, told Federal News Radio last year that the exercise would test the destruction of critical infrastructure.
"We wanted to take that up a level ... we can look at what happens when the infrastructure is unavailable," Lambo said.
"In Cyber Storm I, we attacked the internet; in Cyber Storm II, we used the internet as the weapon; in Cyber Storm III, we're using the internet to attack itself."
Now, after the event, the brief findings said that the exercise identified gaps in the interim cybersecurity plan, which allowed the government to revise processes.
Industry also identified issues with its processes; for instance, in the escalation of problems. Some in industry said that because the exercise involved the CEO, senior management had received a better idea of how important cybersecurity is.
"Substantial good will" had been generated between government and industry during the exercise, according to the report, with "trusted external organisational relationships" developed, which would be helpful in a real cyber event. Indeed, networking was identified as one of the pluses of the exercise, not only within the organisation but also externally, for example with vendors.
Although no costings were provided, the report said that the exercise was a "cost-effective" way to test business continuity and disaster recovery. It found that Australia should keep conducting similar exercises on a regular basis.
The findings quoted executive director of Telstra's network and IT operations, Craig Hancock, as saying that: "exercises like Cyber Storm III were a great opportunity to test the veracity of these network protection measures, in addition to communications and decision-making processes which underpin any technical response to a cyber event. By actively testing our response processes, we can evaluate and improve our effectiveness in managing and responding to cybersecurity incidents."