The Department of Homeland Security (DHS) ran its third cyber-war simulation the week of Sept. 27, linking thousands of participants from the state, federal and private sectors in a weeklong exercise to test how well governments and corporations could handle an actual cyber-attack.
The exercise, dubbed Cyber Storm III, was the latest biennial simulation of its kind, following Cyber Storm I in February 2006 and the second in March 2008.
The federal government is currently reviewing the results, and the after-action report isn’t due until 2011. Work will include soliciting input and experiential information from participants, according to Brett Lambo, director of the Cyber Exercise Program at the National Cyber Security Division within the DHS.
“You solicit that input from across the community, and then we’re currently in the process of compiling it, aggregating it, and also adjudicating it,” he said. “We all have observations and we were all there and we all have things that we’ve seen, but we want to make sure that we’ve been diligent about making sure that we’re reconciling everything so that what we do put out reflects the will of the community.”
According to the DHS, Cyber Storm III is the largest one yet, comprising thousands of players from seven federal departments, 11 states, 12 partner countries and about 60 companies (http://www.dhs.gov/xlibrary/assets/cyber-storm-3-media-fact-sheet.pdf). It took place at the Secret Service headquarters in Washington, D.C., as well as in other locations.
“Cyber Storm is what we call a distributed exercise, so we have an exercise control, and that was 100-odd folks in one location here in D.C., and those people were the exercise planners,” Lambo said.
“String pullers,” as Lambo calls them, ran the exercise while the other participants played their parts as crises were simulated at locations around the world. The goal was to simulate how they’d deal with these situations as if they were really happening. The exercises took place during a regular workday schedule, more or less.
“Obviously we had international partners, and so we did have alternative work schedules for doing stuff overnight,” Lambo said. “We did not go 24/7, but basically, all day, every day, there was constant activity. Most of the players either were dedicated to that activity over the course of the week or knew that that was going to take up most of what they were doing for that week.”
Cyber Storm III was designed to test stakeholders’ ability to identify real-time, ongoing attacks and deal with computer compromises and vulnerabilities. The scenario was meant to simulate today’s sophisticated digital dangers that include targeted attacks. Lambo was unable to divulge details on what Cyber Storm IV will incorporate or when it will be conducted, but he did say there would be an 18-month planning process.
“The exercise — it’s a tool you can use to stress people, to lay yourself bare a little bit to say, ‘Look, we don’t want to find these things out when there’s a real crisis, so let’s try to find where we need to improve in a risk-free environment,’” Lambo said.