Earlier this month, New Zealand completed its second Cyber Storm. Sponsored by the US Department of Homeland Security. Cyber Storm II gathered together about 2,500 people from New Zealand, Australia, Canada, the United Kingdom and the US to play out several cyber attack scenarios in which critical parts of the infrastructure were disabled by computer threats.
Although the results of Cyber Storm II are not expected to be made public until August, some of the participants shared their thoughts on the experience at the RSA Conference in San Francisco this week.
Paul McKitrick, manager of New Zealand's Centre for Critical Infrastructure Protection sat down with IDG News at the conference to talk about Cyber Storm II:
What was the extent of New Zealand's participation in Cyber Storm II?
McKitrick: We had about 30 organisations from the private sector in New Zealand. We had 10 government departments participate. And we had four sectors that we focused our scenarios around: they were banking, energy — and it was more around the power distribution companies — government, and IT and telco.
How did that compare with last time?
Last time it was six private sector organisations and six government departments. Last time it was pretty much a table top exercise. Cyber Storm II was real time over three days: 72 hours live play.
How prepared is New Zealand for a cyber attack?
I think we're prepared, but we can always improve. This identified opportunities where we can streamline our approach to things. Even in the planning process, organisations got so much from the fact that an organisation would talk to one of its teams, saying, "Right this is the scenario we're looking at, how would this affect you?" And they would say, "Oh we're not too sure, actually. We might do X, Y, or Z," And they'd say, "What standard operating procedure would you use?" and they'd hear "Well we actually don't have one."
So there were things that they were doing before the exercise internally that helped realign their processes.
What did you learn from this?
The benefit of exercising. In my mind it's going to be one of the key ways we meet our mandate in New Zealand. It gives people a way to shine in some respects. Your guys that are on the front lines quite often they don't get tested. They're bogged down with the day-to-day, business-as-usual things. This is a chance to really push them and give them a chance to step up.
You can plan and plan and plan, but unless you are testing these plans, you don't know if they're going to work.
New Zealand is smaller than the other countries that participated in Cyber Storm. Did that make the exercise different from your perspective?
We can do things differently. Having those official back-channels into an organisation, we can do that very effectively and that works. In a big country like America it's very hard to do that. Here in the US people move around a lot more, so they may not last as long [at their current jobs]. Whereas in New Zealand, things are probably a bit more stationary. Or when people do move, they've gone from one critical infrastructure organisation to another, so they're still in the game.
NZ used 'red team' to stage DNS attacks
McKitrick was also interviewed by ZDNet at the RSA conference, revealing New Zealand was the only country involved in the exercise to set up a "red team" to mount attacks on infrastructure. Here they were used to mount simulated denial-of-service attacks on call centres. McKitrick told ZDNet.co.uk the red team sent emails, made phone calls and sent IDS systems alerts to see how the opposite team would respond. The red team "flooded call centres with emails, and then made 20 or 30 calls in a three-minute space, which is a lot for New Zealand. They put a lot of pressure on them." He said that there was "always an element of fudging" in any simulation but Cyber Storm II still tested the New Zealand objectives. "We got zero-day takes off everything," said McKitrick. A zero-day attack is where the organisation being attacked has no time to prepare.