Cyber Storm II, the world's largest international cyber security exercise so far, ended on Friday (15 March 2008). Undoubtedly, the US Department of Homeland Security-sponsored event will report it as a resounding success and learning experience in its final report due in late summer.
The exercise, run by the US Department of Homeland Security, simulated a coordinated cyber attack on information technology, communications, chemical, and transportation systems and assets. It simulated a crash of the US and international telephone system, which in turn caused problems for top level domains such as .com, .net and .gov.
Crisis managers had to identify, evaluate and respond to more than 1,800 malware incidents. These included botnet, phishing, and denial of service attacks. Some were "white noise". These were relatively harmless events designed to mask or confuse more serious attacks on the systems.
Cyber security is one of four priorities at DHS, which is responsible for securing the government's IT and critical national infrastructure. Federal departments use an intrusion detection system called Einstein, as well as US-Cert, a 24x7 public-private operation that monitors and defends against malware attacks. DHS also plans to cut the number of internet access points that link to federal systems from about 4,000 to 50 to make the federal IT system easier to guard.
Speaking to reporters near the end of the exercise, Homeland Security under secretary Robert Jamison said the biggest lesson from Cyber Storm II "is there is no substitute for having established relationships and knowing who is on the other end of the phone, and having tested the capabilities to respond and prepare together."
Assistant secretary Greg Garcia said making the internet unreliable "greatly impacted participants' ability to post critical information externally to their constituents and communicate with other stakeholders."
The event brought together the so-called "white-eye" community, Australia, Canada, New Zealand, the UK and the US, as well as participants from federal, state and local governments, the private sector firms that run critical national infrastructure, and IT industry suppliers.
The Cyber Storm II scenario imagined persistent, fictitious adversaries with a distinct political and economic agenda. The Cyber Storm II adversaries used sophisticated attack vectors to create a large-scale incident requiring players to focus on response, the organisers said.
This scenario parallels the three-week botnet attack in March/April 2007 that crippled Estonia's networks. Spokesmen for the DHS denied any links between the Estonia attack and Cyber Storm II. The attack led Nato to set up a cyber attack research centre in Estonia.
Cyber Storm II follows the discovery late last year by anti-malware supplier Kaspersky Labs of botnet attacks apparently designed to take entire cities off the internet.
The exercise follows repeated complaints from US and UK national security chiefs of ongoing espionage attacks by Russian and Chinese hackers. In November MI5 warned 300 firms that run the UK's critical national infrastructure systems that they were targets.
Cyber Storm II was the second in a series of congressionally mandated exercises to test US cyber security preparedness and response capabilities. It also comes hard on the heels of similar exercises in the banking sector to stress-test plans to cope with an avian flu epidemic.
Cyber Storm II aimed to test:
- participants' capacity to prepare for, protect against, and respond to cyber attacks
- how they make strategic decisions and coordinate interagency responses against national level policy and procedures
- how they validate and share information and what communications paths they use to collect and share cyber incident situational awareness, response and recovery information
- how to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.