http://weblog.infoworld.com/techwatch/archives/007886.html

September 13, 2006

DHS releases Cyber Storm report
Filed under: Security

The U.S. Department of Homeland Security (DHS) released its public  
findings from Operation Cyber Storm, a large-scale tabletop  
simulation of a coordinated cyber attack on the government and  
critical infrastructure that was held in February, 2006.

The exercise involved US-CERT, the Homeland Security Operations Center,
the National Cyber Response Coordination Group (NCRCG) and
the Interagency Incident Management Group (IIMG), various ISACs from
the transportation, energy, IT and telecommunications sectors, and
100 private sector companies including Microsoft and VeriSign.

The report was released by DHS's National Cyber Security Division (NCSD)
Wednesday, and while no performance "grade" was assigned, read between
the lines of the public report and the term "Needs Improvement" comes
to mind.

The exercise simulated a large-scale cyber campaign that disrupts
multiple critical infrastructures, as well as simulated "physical
demonstrations and disturbances" to test the ability of government to
respond to multiple incidents simultaneously, even when it's not clear
that the events are related (read: 9/11).

So how'd our government do? Not so well.

Among other things, the report found that the NCRCG did not have  
sufficient technical experts on staff to respond to the volume of  
incidents. "As a result, development of an accurate situational  
picture was challenging, albeit in part due to the difficulty of the  
scenario."

That's kind of like saying "If the test was just easier, I would have  
done better!"

In fact, some aspects of the report eerily recall the Government's  
flawed response to Katrina -- a disaster that actually postponed the  
Cyber Storm Exercise by months.

According to DHS, "observers noted that players had difficulty  
ascertaining what organizations and whom within those organizations  
to contact when there was no previously established relationship or  
pre-determined plans for response coordination and risk assessments/ 
mitigation. There was a general recognition of the difficulties  
organizations faced when attempting to establish trust with  
unfamiliar organizations during time of crisis."

Or how about this one:
"Contingency planning for backup or resilient communications methods  
is a critical need. While only tested for a few players during the  
exercise, many players noted a high reliance of cyber incident  
response activities on communication systems that can be,
themselves, vulnerable to attack or failure."

So if Cyber Storm was designed to assess the U.S. government's  
readiness to respond to a coordinated physical and cyber attack on  
critical infrastructure, the conclusion of this report may be that  
such an attack, if launched, may well succeed. From the report:

"Exercise participants noted the overwhelming effects that multiple,  
simultaneous, and coordinated incidents had on their response  
activities."

and...

"The majority of players reported difficulty in identifying accurate  
and up-to-date sources of information. Multiple alerts on a single  
issue created confusion among players, making it difficult to
establish a single coordinated response. Players noted that the  
concept of a single point for information would enable a common  
framework for all to work from and likely increase effective response."

To be fair, the exercise wasn't a total wash. As DHS points out, just
carrying off such a large-scale private-public and multinational
exercise allows the government to test policies, procedures
and communications should an actual attack occur. It also created
vital contacts within the federal government and between private and
public sector participants.

However, the larger message is that the Federal Government and DHS in  
particular are still woefully unprepared for a real "Cyber Storm,"  
should it ever come.

Most of the "key achievements" listed in the report seem to relate to
the planning and carrying out of the exercise itself, not to the
government's actual performance during the test.

That's like Derek Jeter claiming his key achievement in last night's  
game was putting his uniform and cleats on and making it to the  
ballpark. I don't think so.

At the very least, the government needs to find a central body to
coordinate response. Right now, it looks like they've got two in
name: the National Cyber Response Coordination Group (NCRCG) and the
Interagency Incident Management Group (IIMG). The reality on the
ground may be different still. The feds also need more technical
staff, and a scaled-up capability to do triage on emerging incidents.

Or, as DHS says: "Clarifying roles and responsibilities across  
government, and clearly articulating expectations between public and  
private sectors will enable the advancement of processes and  
communications architecture to support the development and  
maintenance of situational awareness across sectors."

Huh??

