The US Federal Government is to cut its access points to the internet from more than 4,000 to 50 in an effort to reduce its exposure to malware attacks, the Secretary of Homeland Security Michael Chertoff told RSA delegates this week.
However, this still leaves exposed the vast majority of America's critical national infrastructure (CNI), which is owned and run by the private sector, said Chertoff. This means the government needs the private sector's help to protect the US.
The ability to defend the CNI was tested in the Cyber Storm 2 exercise in March. Greg Garcia, assistant secretary in the department, told a town hall meeting at RSA that the exercise involved 18 federal departments, several states, five countries (including the UK) and 40 private firms in a simulated attack on the CNI.
The exercise, 18 months in the planning, was valuable for the relationships created in the run-up. Garcia said one thing to emerge was how dependent users' organisations are on their suppliers in an emergency. A spokesman for Dow Chemical, one of the private sector members, said, "Our suppliers would still be our first port of call before we escalated it to our industry representatives (for response co-ordination)."
Garcia did not provide details of the exercise, saying a full report would be published in late summer. However, responding to a question from the floor, he revealed that it did not involve an active "Red Team attack". This meant the attack was static and could not respond to countermeasures, said a source involved in the exercise, who asked not to be named because of non-disclosure agreements.
He said Cyber Storm 2 tested responses to the simulated theft of an identity and credentials that allowed a hacker to infiltrate a secure part of the CNI and take it down. At the same time, a DDoS attack on another part of the CNI distracted attention from the main attack.
"It was a good learning experience," he said.
"At least you know who to call if it all hits the fan. But it's not real life."