[Infowarrior] - DHS releases Cyber Storm report

Richard Forno rforno at infowarrior.org
Wed Sep 13 21:19:56 EDT 2006


INFOWORLD TECH WATCH


http://weblog.infoworld.com/techwatch/archives/007886.html

September 13, 2006

DHS releases Cyber Storm report

The U.S. Department of Homeland Security (DHS) released its public findings
from Operation Cyber Storm, a large-scale tabletop simulation of a
coordinated cyber attack on the government and critical infrastructure that
was held in February, 2006.

The exercise involved US-CERT, the Homeland Security Operations Center, the
National Cyber Response Coordination Group (NCRCG) and the Interagency
Incident Management Group (IIMG), various ISACs from the transportation,
energy, IT and telecommunications sectors, and 100 private sector companies
including Microsoft and VeriSign.

The report was released by DHS's National Cyber Security Division (NCSD) on
Wednesday. While no performance "grade" was assigned, read between the lines
of the public report and the term "Needs Improvement" comes to mind.

The exercise simulated a large-scale cyber campaign that disrupts multiple
critical infrastructures, as well as simulated "physical demonstrations and
disturbances," to test the ability of government to respond to multiple
incidents simultaneously, even when it's not clear that the events are
related (read: 9/11).

So how'd our government do? Not so well.

Among other things, the report found that the NCRCG did not have sufficient
technical experts on staff to respond to the volume of incidents. "As a
result, development of an accurate situational picture was challenging,
albeit in part due to the difficulty of the scenario."

That's kind of like saying "If the test was just easier, I would have done
better!"

In fact, some aspects of the report eerily recall the Government's flawed
response to Katrina -- a disaster that actually postponed the Cyber Storm
Exercise by months.

According to DHS, "observers noted that players had difficulty ascertaining
what organizations and whom within those organizations to contact when there
was no previously established relationship or pre-determined plans for
response coordination and risk
assessments/mitigation. There was a general recognition of the difficulties
organizations faced when attempting to establish trust with unfamiliar
organizations during time of crisis."

Or how about this one:
"Contingency planning for backup or resilient communications methods is a
critical need. While only tested for a few players during the exercise, many
players noted a high reliance of cyber incident response activities on
communication systems that can be,
themselves, vulnerable to attack or failure."

So if Cyber Storm was designed to assess the U.S. government's readiness to
respond to a coordinated physical and cyber attack on critical
infrastructure, the conclusion of this report may be that such an attack, if
launched, may well succeed. From the report:

"Exercise participants noted the overwhelming effects that multiple,
simultaneous, and coordinated incidents had on their response activities."

and...

"The majority of players reported difficulty in identifying accurate and
up-to-date sources of information. Multiple alerts on a single issue created
confusion among players, making it difficult to
establish a single coordinated response. Players noted that the concept of a
single point for information would enable a common framework for all to work
from and likely increase effective response."

To be fair, the exercise wasn't a total wash. As DHS points out, just
carrying off such a large-scale private-public and multinational exercise
allows the government to test policies, procedures and communications should
an actual attack occur. It also created vital contacts within the federal
government and between private and public sector participants.

However, the larger message is that the Federal Government and DHS in
particular are still woefully unprepared for a real "Cyber Storm," should it
ever come.

Most of the "key achievements" listed in the report seem to relate to the
planning and carrying out of the exercise itself, not in the government's
actual performance during the test.

That's like Derek Jeter claiming his key achievement in last night's game
was putting his uniform and cleats on and making it to the ballpark. I don't
think so.

At the very least, the government needs to find a central body to coordinate
response. Right now, it looks like they've got two in name: the National
Cyber Response Coordination Group (NCRCG) and the Interagency Incident
Management Group (IIMG). The reality on the ground may be different still.
The feds also need more technical staff, and a scaled-up capability to do
triage on emerging incidents.

Or, as DHS says: "Clarifying roles and responsibilities across government,
and clearly articulating expectations between public and private sectors
will enable the advancement of processes and communications architecture to
support the development and maintenance of situational awareness across
sectors."

Huh??
