Details have emerged about "Cyber Storm II", a large-scale exercise carried out to test how governments and critical-infrastructure organisations respond to cyberattacks.
The exercise, which began on 10 March, 2008, was designed to test the readiness of the US, the UK, Australia, Canada and New Zealand to respond to information systems attacks, and was co-ordinated by the US Department of Homeland Security. The focus of the exercise involved the communications channels between affected departments and organisations, rather than simulations of network hacking. According to some participants, those communications channels were found lacking.
Apart from governmental systems, the types of industry targeted in the exercise included chemical, financial, energy and telecommunications. Jordana Siegel, the Department of Homeland Security's acting deputy director for outreach and awareness, claimed the scenarios that were acted out were "developed to mirror the threats we are all facing".
"The scenarios were telecoms disruption, internet disruption and attacks on control systems," Siegel told ZDNet.co.uk at the RSA Conference in San Francisco on Wednesday. The simulations were primarily designed to test how effectively different agencies and businesses communicated with each other in response to threats. The first Cyber Storm drill took place in early 2006, involving IT security organisations from the US, New Zealand, Australia and Canada.
Security or war-game simulations often involve "red teams", which are attack forces used to reveal weaknesses in defence. However, it seems only one country involved in Cyber Storm II — New Zealand — used a red team, and that team was not used for simulated hacking. Paul McKitrick, business manager for the New Zealand Centre for Critical Infrastructure Protection, said his country's red team had simulated denial-of-service attacks on call centres.
"The red team sent emails, made phone calls and sent IDS systems alerts to see how the opposite team would respond," McKitrick told ZDNet.co.uk. "[The red team] flooded call centres with emails, then made 20 or 30 calls in a three-minute space, which is a lot for New Zealand. They put a lot of pressure on them." Sectors that were tested in New Zealand included banking and finance, government, energy and telecommunications.
McKitrick said that in any simulation there was "always an element of fudging" but that Cyber Storm II still tested the New Zealand objectives. "We got zero-day takes off everything," said McKitrick. (A zero-day attack is one where the organisation being attacked has had no time to prepare.) He added that Cyber Storm II had been a "beneficial" exercise for New Zealand in determining who needed to be contacted in the event of a cyberattack.
According to Randy Vickers, deputy director of the US Computer Emergency Readiness Team (US-CERT), his organisation had avoided the use of a red team because it was not prepared for such a scenario. "US-CERT isn't currently ready for a red-team environment," said Vickers. "Not a widely dispersed red team."
US-CERT is based at the Department of Homeland Security and co-ordinates information security data between US government departments and the military. Vickers said the exercise had shown that there was a shortfall in information sharing between various groups. "We were having to send information to various groups of people. There was not one central information point," he said. "Information-sharing is one of the key things we're not doing very well."
Microsoft was also involved in the exercise. Paul Nicholas, a senior security specialist at Microsoft, said public-private partnerships were "really hard to do in reality", and Cyber Storm II had shown that "[multinational] vendors struggle with how to respond in parts of the world where they may not have a easy relationship with the [national equivalent of the US Department of Homeland Security]".
Dan Lohrmann, the US state of Michigan's chief information security officer, said the exercises had tested the technical abilities of a "very large network of tech-savvy people" in the state government, but declined to say whether a red team had been involved. "IT staff tested procedures, looking at competencies and weaknesses," he said.
Christine Adams, senior information-systems manager for Dow Chemical, said the simulated attacks on the US chemical industry had been designed to test and fix problems with communications channels.
"Our communications abilities were somewhat compromised," said Adams, speaking about a conglomerate of chemical companies that had been involved in the exercise. "We have work to do around individual telecommunications services and how to get them in times of crisis."
The next such exercise, Cyber Storm III, is due in 2010, according to McKitrick. Australia, Canada, New Zealand, the UK and the US are scheduled to take part again, along with other countries, including Japan, Norway, Finland, France, Switzerland and Italy.
According to Siegel, the countries that participated in Cyber Storm II are still evaluating the results of the test and have not decided whether there will be attempted systems hacks in the next drill. "At this point we haven't scoped out the red-team scenario [for Cyber Storm III]," she said.