‘Cyber Storm III’ Tests U.S. resilience Under Cyber Attack

A Cyber Storm III exercise participant briefs Department of Homeland Security (DHS) Deputy Secretary Jane Holl Lute during the exercise kickoff at U.S. Secret Service headquarters in Washington, D.C. Photo: DHS

The U.S. Department of Homeland Security (DHS) launched today the ‘Cyber Storm III’, a drill testing the nations’ resilience under a simulated, deliberate international cyber attack aimed at the hubs of government, infrastructure and business.

The three day exercise is the third and largest in a series of annual cyber attack drills conducted outside the defense community. The current event involves more participants that past years, form the federal, state, and commercial sectors. Among the ‘defenders’ are players from seven government departments, 11 states, 12 different countries and 60 private sector companies. The exercise is managed by the DHS’s National Cyber Security Division (NCSD).

The cabinet-level departments participating in Cyber Storm III are from Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury. In addition, the White House and representatives from the intelligence and law enforcement communities will also attend the event. Eleven states are taking part – California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas and Washington. Among the participant countries are Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom (only four foreign nations participated in Cyber Storm II last year). DHS selected 60 companies from the private sector, to assess the effect of potential cyber attack on commercial services sectors, such as Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water.

The scenario developed by NCSD incorporates known, credible technical capabilities of adversaries and the exploitation of real cyber infrastructure vulnerabilities, resulting in a range of potential consequences – including loss of life and the crippling of critical government and private sector functions. By coincidence, such capabilities have surfaced in recent weeks, with the distribution of a new malicious code called Stuxnet, spreading through industrial systems and infrastructure networks. Such code has the potential to penetrate highly protected systems, including networks that are completely isolated from the internet, to conduct espionage, disruption or deliberate attack.

The ‘defenders’ could face over 1,500 separate events; some will be subtle, with only few hints indicating ongoing penetrations into computerized systems. Other events will be more dramatic, demonstrating the resulting effects to compromised networks. They will have to identify the ongoing attack in real time, mitigate the compromises and vulnerabilities that allowed it to occur, and deal with the possible consequences to compromised systems. “At its core, the exercise is about resiliency – testing the nation’s ability to cope with the loss or damage to basic aspects of modern life.” DHS officials explain, adding “the Cyber Storm III exercise scenario reflects the increased sophistication of our adversaries, who have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet’s fundamental elements against itself – with the goal of compromising trusted transactions and relationships.”

Cyber Storm III provides the DHS with the first opportunity to assess and strengthen cyber preparedness and resilience of the nation’s critical infrastructure and key resources (CIKR) – evaluating how the collective cyber preparedness and response capabilities perform against realistic cyber attack. It will also provide the first opportunity to assess the newly-developed National Cyber Incident Response Plan (NCIRP) – a blueprint directed by President Barack Obama, for cybersecurity incident response. The exercise will examine the roles, responsibilities, authorities, and other key elements of the nation’s cyber incident response and management capabilities and use those findings to refine the plan. It will also test the new, National Cybersecurity and Communications Integration Center (NCCIC) inaugurated in October of 2009, which serves as the hub of national cybersecurity coordination.