This Year’s “Cyber Storm II” Cyber War Games

Posted: September 8, 2008 in 2008, Articles

Starting next week, four foreign governments, 18 federal agencies and 40 companies will take part in Cyber Storm II. The weeklong simulation is designed to prepare those participating for cyberattacks. The FBI, the Department of Defense, and the CIA are some of the federal agencies that will be involved.

The private sector owns more than three-quarters of the country’s critical infrastructure. A large-scale, successful, coordinated attack could cripple the country’s economy. A cyberattack can originate in one country and pass through several others before reaching its target.

George Foresman, who presided over Cyber Storm I when he was DHS’ undersecretary for preparedness, said Cyber Storm I exposed key issues, including information sharing and action coordination, communication, and problems using manual mode once IT systems are attacked.

“I think cybersecurity events are going to be global events,” he added. “In many ways, all of us have to understand that there is a unification that has to occur between government and [the] private sector not just in the U.S. but across the world.”

Telstra has been working closely with government and the IT industry to ensure it is ready and resilient to possible cyber attacks as part of its involvement in the international simulated Cyber Storm II exercise being held 11-14 March, 2008.

Participation in Cyber Storm II includes the private sector as well as federal, state, and international governments, including Australia, Canada, New Zealand, and the United Kingdom. Eleven cabinet-level agencies will participate in Cyber Storm II including the Department of Defense and Department of Justice. Nine states have been invited to participate including California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas and Virginia. Private sector participants have been coordinated through the Information Sharing and Analysis Centers, Sector Coordinating Councils, and Government Coordinating Councils. Over 40 private sector companies from the four critical infrastructure sectors will participate in the exercise. It is through the interaction between the public and private sectors that the exercise can accurately simulate the interdependencies of the world’s cyber and communications networks.

Cyber Storm II addresses the Training and Exercise requirements found in Homeland Security Presidential Directive 8 “National Preparedness.” Coordinated under the DHS National Exercise Program, it supports the National Strategy to Secure Cyberspace by exercising the national cyber security response. It also exercises the standard operating procedures found in the draft Cyber Incident Annex of the National Response Framework.

Computerworld Australia reported yesterday that the Australian Attorney General, Robert McClelland, joined UK deputy high commissioner Tim Gurney, Australian Federal Police (AFP) commissioner Mick Keelty and ambassadors from the US and Canada to launch the event in Canberra.

The first Cyber Storm event involved nine large IT firms, six electricity utility firms (generation, transmission and grid operations) and two major airline carriers. The vendors involved were Cisco, Computer Associates, CSC, Microsoft, Symantec and Verisign.

Hundreds of people are understood to be involved in the New Zealand leg of the exercise and thousands worldwide.

Each organisation involved will be testing its own response to “a series of cyber incidents, culminating in a large-scale attack,” says Paul McKitrick of the Centre for Critical Infrastructure Protection (CCIP), which is co-ordinating the NZ leg of the exercise…

Each organisation involved will have at least one representative in its office and one at Exercise Control (Excon) in the CCIP office in Wellington. They will receive periodic information bulletins (called “injects”) on the fictional events constituting the crisis. They will decide how to react within their own organisation and between organisations, the latter signified by a representative at Excon getting up and walking to another organisation’s table for an exchange of information.

Most of the injects will take the form of messages on paper — “for example ‘your network logs have reported this’,” says McKitrick, but there may also be some “live” simulation of events on visual displays and emails will be exchanged nationally and internationally.

Messages will be headed “Exercise Exercise Exercise — Cyber Storm II” so they are not confused with messages indicating real situations.

Ten “key scenarios” will be played through in the New Zealand leg of the exercise, involving “two or three” industry sectors as well as the individual organisations, McKitrick says.

Cyber Storm II comes two weeks after the Pentagon released an assessment of China’s military might, warning the People’s Liberation Army was intent on expanding its capabilities for cyber warfare. It also comes amid intelligence reports that utilities in several countries have sustained cyber attacks that caused power outages.

It’s all part of Cyber Storm II, electronic war games the US is conducting with its military allies, the United Kingdom, Australia, Canada and New Zealand, who are also its partners in the ECHELON electronic surveillance network.

If you want a good insight into the motivations for setting up the Cyber Storm war games, read this excellent New Yorker profile of Michael McConnell, the US Government’s director of national intelligence.

As the man coordinating the bodies that make up the US “intelligence community”, McConnell was tasked by President Bush with formulating a cyber security strategy after he related the threat to the president in terms he could really relate to.

As the New Yorker puts it: “According to someone who was in the Oval Office, McConnell then said, ‘If the 9/11 perpetrators had focussed on a single US bank through cyber-attack and it had been successful, it would have an order-of-magnitude greater impact on the US economy.’”

According to the US Department of Defence, it receives three million unauthorised probes of its networks every day.

Only a tiny sliver of these approaches are successful – at least we only hear about the really bad exploits, like when the Pentagon last year had to shut down hundreds of computers to contain a hack attack. Here’s an interesting if dubious YouTube video on that subject.

What’s come hand in hand with the post-September 11 attempts to shake up the intelligence community is the use of some very Web 2.0 tools to make spies more efficient.

Again, from the New Yorker:

“In 2006, the community adopted Intellipedia, a secure version of Wikipedia. Blogging is now permitted on internal servers, giving contrarian opinion a voice. There is a new “A-Space” – based on sites such as MySpace and Facebook – in which analysts post their current projects as a way of creating social networks. The Library of National Intelligence is an online digest of official reports that will soon provide analysts who use it with tips, much the way Amazon and iTunes offer recommendations to their customers.”

Imagine if someone figured out how to hack Intellipedia. The threats here are most likely of a different sort – attacks on critical infrastructure such as telephone and electricity are more likely than attempts to steal sensitive information, though the GCSB is taking the threat of this seriously.

Barring a major slip-up in which a simulated attack runs wild we’re unlikely to hear too much about the results of Cyber Storm II until the US Government releases a progress report, as it did after the last war games exercise which New Zealand was involved in to a lesser extent.

That report pointed out many holes in security, in particular the deficiencies in communications strategies when a major cyber attack is identified.

Greg Bickerton, general manager of TelstraClear subsidiary DMZGlobal, says the telco will be using Cyber Storm II to test a service that it hopes will protect clients from emerging threats. “We are taking it very seriously because of the global, sophisticated nature of botnets which are emerging around the world. These are seemingly lying dormant at the moment and one can only summarise they are being prepared in readiness for something like what is being simulated in Cyber Storm II.”

Public Safety Canada is leading Canada’s participation in the Cyber Storm II exercise in keeping with the department’s responsibility for emergency management and national security. Working internationally and exercising across jurisdictions strengthens Canada’s ability to deal with actual emergencies.

In the last Cyber Storm exercise in 2006, the enemy was an anarchistic coalition of “hacktivists” — politically motivated hackers — called the Worldwide Anti-Globalization Alliance, joined by a number of “independent actors.”

In the scenario, the attackers penetrated state health records’ databases, attacked Federal Aviation Administration systems and defaced newspaper sites.

“Key elements of the hacker attack plan were to strike at trusted cyber systems that were used to control both physical infrastructures and digital commerce and services,” says the DHS’ after-action report, released in September 2006. “The attackers focused on maximizing economic harm and fomenting general distrust of big business and government by disrupting services and misleading news media and other information outlets.”

The choice of adversary — which the report stressed “was neither a forecast of any particular threats … currently existing nor an expression of any specific concerns” — raised some eyebrows. Among U.S. military planners, nation states, and in particular China, are considered the actually existing adversaries with the most significant capabilities to launch attacks on, or through, the Internet.

One report, by Washington Post blogger Brian Krebs, said Cyber Storm II will feature a nation-state attacker, but a DHS official familiar with the planning said only that this was “a possibility.”

The official added that the adversary was “more sophisticated” than in 2006. The scenario was “designed to examine the response to some of the threats that are out there in the real world,” he said.

Having a nation-state adversary would make sense, former DHS preparedness chief George Foresman told UPI.

“The top candidates for adversaries would be states, terrorist groups and criminal enterprises” as they were in the real world, said Foresman, who was only involved in the very early stages of planning the event.

Companies taking part include ANZ National Bank, Cisco Systems Inc., which owns much U.S. Internet infrastructure, Dow Chemical, IBM, computer security firm McAfee, software giant Microsoft and Verizon.

Observers have been speculating that the attacks may come from China, which was accused of testing the cyber defenses of the U.S., Germany, and other countries last year. The Pentagon issued a report expressing concerns about Chinese cyber attack capabilities just last week. (See China Makes ‘Most Successful Cyber Attack Ever’ on the Pentagon.)

The U.S. government will conduct a series of cyber war games throughout next week to test its ability to recover from and respond to digital attacks.

Code-named ‘Cyber Storm II,’ this is the largest-ever exercise designed to evaluate the mettle of information technology experts and incident response teams from 18 federal agencies, including the CIA, Department of Defense, FBI, and NSA, as well as officials from nine states, including Delaware, Pennsylvania and Virginia. In addition, more than 40 companies will be playing, including Cisco Systems, Dow Chemical, McAfee, and Microsoft.

In the inaugural Cyber Storm two years ago, planners simulated attacks against the communications and information technology sector, as well as the energy and airline industries. This year’s exercise will feature mock attacks by nation states, terrorists and saboteurs against the IT and communications sector and the chemical, pipeline and rail transportation industries.

Jerry Dixon, a former director of the National Cyber Security Division at the Department of Homeland Security who helped to plan both exercises, said Cyber Storm is designed to be a situational pressure-cooker for players: Those who adopt the proper stance or response to a given incident are quickly rewarded by having to respond to even more complex and potentially disastrous scenarios. Players will receive information about the latest threats in part from a simulated news outlet, and at least a portion of the feeds they receive will be intentionally misleading, Dixon said.

‘They’ll inject some red herring attacks and information to throw intelligence analysts and companies off the trail of the real attackers,’ Dixon said. ‘The whole time, the clock keeps ticking, and things keep getting worse.’

At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans.

‘The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,’ said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise.

Cyber Storm planners say they intend to throw a simulated Internet outage into this year’s exercise, but beyond that they are holding their war game playbooks close to the vest.

Individuals who helped plan the scenarios all have signed non-disclosure agreements about the details of the planned attacks. They will act as puppeteers apart from the participants, injecting events into the game from a command center at U.S. Secret Service headquarters in Washington, D.C. Meanwhile, players will participate via secure online connections from around the world.

At its most basic, organizers say, the exercise tests the strength of relationships and trust between government officials and the private sector companies that control more than 80 percent of the nation’s critical physical and cyber infrastructure. In Cyber Storm I, the Department of Homeland Security and the participating companies largely kept the exercise a secret until it was virtually completed. In fact, most of the companies that participated in Cyber Storm I did so anonymously, so that private sector players only knew each other’s respective companies by fictitious business names.

The fact that so many companies have chosen to trumpet their participation in this year’s exercise is a testament to how those trust relationships have grown in the intervening years, said Reneaue Railton, manager of critical infrastructure response for Cisco Systems, a company whose hardware devices help direct a large portion of the traffic on the Internet.

‘All the companies that played did so anonymously,’ Railton said. ‘We didn’t always know who we were contacting.’

Railton, who helped plan the attack scenarios in this year’s exercise, said Cyber Storm II promises to keep all participants on their toes, like an episode of the television show ’24,’ only for an entire work week at a time. Dozens of companies and government agencies from Australia, Canada, New Zealand and the United Kingdom will also participate in the war games and will keep the game in flux around the clock, she said.

The war games will be far more realistic and inclusive for Australia, whose participation in the first Cyber Storm amounted to what a spokesperson for the Australian Attorney General’s department called “a desktop exercise” that did not include any private sector companies.

“This year, we’re setting up an exercise control room and will be sending out injects to the players in both the private sector and the government,” said Daniel Gleeson of Australia’s Attorney General’s office. “So we’ll be involved in this as it unfolds in real time, rather than just talking about what we’d do in those situations.”


