The US Federal Government is to cut its access points to the
internet from more than 4,000 to 50 in an effort to reduce its
exposure to malware attacks, the Secretary of Homeland Security
Michael Chertoff told
RSA
delegates this week.
However, this still leaves exposed the vast majority of
America's critical national infrastructure (CNI), which is owned
and run by the private sector, said Chertoff. This means the
government needs the private sector's help to protect the US.
The ability to defend the CNI was tested in the
Cyber Storm 2 exercise in March. Greg Garcia, assistant
secretary in the department, told a town hall meeting at RSA this
involved 18 federal departments, several states, five countries
(including the UK) and 40 private firms in a simulated attack on
the CNI.
The exercise, 18 months in the planning, was valuable for the
relationships created in the run-up. Garcia said one thing to
emerge was how dependent users' organisations are on their
suppliers in an emergency. A spokesman for Dow Chemical, one of the
private sector members, said, "Our suppliers would still be our
first port of call before we escalated it to our industry
representatives (for response co-ordination)."
Garcia did not provide details of the exercise, saying a full
report would be published in late summer. However, responding to a
question from the floor he revealed that it did not involve an
active "Red Team attack". This meant the attack was static and
could not respond to countermeasures, said a source involved in the
exercise, who asked not to be named because of non-disclosure
agreements.
He said Cyber Storm 2 tested responses to the simulated theft of
an identity and credentials that allowed a hacker to infiltrate a
secure part of the CNI and take it down. At the same time, a DDoS
attack on another part of the CNI distracted attention from the
main attack.
"It was a good learning experience," he said.
"At least you know who to call if it all hits the fan. But it's
not real life."
RSA Conference 2008 round-up: Reports from RSA USA >>
US federal government lacks confidence in IT security
>>