The results for Cyber Storm III are in, but are government cyber agencies missing the point?
The armed forces of nation states around the world have come together for combat drills and war games for decades, but now the simulations have moved into the digital era with Cyber Storm.
Cyber Storm III, held last year, saw Australia participate in a global event simulating a malicious attack on the nation's digital infrastructure, with agencies like the government's Computer Emergency Response Team, or CERT, tested for adequate response. The results of the exercise were announced last week.
In the announcement, there was much handshaking, patting on the back and discussion of "learnings to be applied", but I think the government's cyber agencies are kind of missing the point here.
The aim of Cyber Storm is to replicate a real-life cyber incident in the nation's digital infrastructure and thereby test how long it takes for companies and government agencies to respond and whether the correct procedures are followed. So, to make it as true to life as possible, shouldn't the exercise take organisations by surprise, rather than having them know exactly when it's going to happen?
If I told you I was going to come and kick you senseless at midday, you'd get a helmet, a bat and read up on how to defend yourself, no? Apply such a scenario to Cyber Storm and you can see the problem. Any attack on our infrastructure will be swift, ruthless and random. We won't be forewarned.
Cyber Storm IV therefore should come at an unspecified time to properly simulate a real cyber incident. Tell agencies that they can expect to see a major cyber incident at some point in the next three months to ensure maximum readiness at all times, not just when the adjudicators are watching.