In an unknown location, a handful of Australia's best known companies and government agencies are undertaking secret tests in a mock cyberwar, as the country's infrastructure comes under attack in a simulated online war named Cyber Storm II.
This week, as part of Cyber Storm II, 50 critical infrastructure businesses are discovering not just what they can do for Australia under a cyberattack but what they can't. The exercises, which began on Tuesday, involve a series of simulated online and physical attacks, targeting a number of Australia's most important critical infrastructure businesses, including the Commonwealth Bank, Energex and Telstra.
Australia's involvement is being controlled from a secret location in Victoria, a spokesperson for Attorney-General, Robert McClelland, told ZDNet.com.au.
"From there we'll throw out different scenarios to all those involved," the spokesperson said.
Exactly what scenarios participating organisations have been facing, however, remains a secret -- to protect the vulnerabilities being tested, the spokesperson said.
Several government agencies are taking part in the exercise, including the Australian Federal Police, the Office of the Attorney General and Department of Defence. Of the 50 Australian organisations taking part in the international exercise, only 28 were willing to reveal their involvement.
From the financial sector are Commonwealth Bank, National Australia Bank, Westpac, ANZ, Bank of Queensland, Bendigo Bank and Citigroup. The Australian Stock Exchange and the Reserve Bank of Australia also participated.
The energy sector is well represented too, with Woodside Energy, Country Energy, Energex, Energy Networks Association, Ergon Energy as well as South Australia's Department of Transport, Energy and Infrastructure.
Participants from the IT vendor community include Cisco and Microsoft, along with smaller organisations such as ISP Internode, and domain registry organisations Ausregistry, AU Domain Administration and Melbourne IT -- owner of WebCentral.
Australia's Computer Emergency Readiness Team (AusCERT), is also taking part in the exercise, three years after its director criticised the Federal government for lacking a strategy to deal with a cyberattack.
"We don't have a national cyber response plan -- if something happened tomorrow, nobody has a clue who does what," Graham Ingram said at the time.
Australia's two largest telcos, Telstra and Optus, are also involved.
Ask not what we can do for our country but what we can't...
MelbourneIT participated in the Cyber Storm exercise for the first time this year. Of the dozen or so tests that have been specific to Australia, it has been involved in four, according to its chief technology officer, Bruce Tonkin.
"A lot of the exercises have involved sharing information and finding the right people in a time of emergency," Tonkin told ZDNet.com.au.
"The US [which is also taking part, alongside New Zealand, the UK and Canada] was trying to have some global scenarios but also at the same time each country is running its own scenarios," he said.
Although the US government has provided the infrastructure for the exercise, such as the control centre in Victoria, it has not dominated the exercise, said Tonkin. "There has been close liaison with the US. They've sent people to our meetings and we've sent our people to theirs."
The tests have also attempted to uncover the limits of responsibilities under an attack to ensure that people don't pursue the wrong channels under time-critical attack conditions.
"The exercise is helping educate people on what MelbourneIT can and cannot do in an emergency," Tonkin noted. "Some things we can help with -- we might control a domain name but that doesn't mean we control the Web site," he added.