The US Department of Homeland Security (DHS) has completed the first full-scale government-led cyber attack simulation, and officials there called the exercise a “significant milestone”.
DHS officials declined to talk about the results of Cyber Storm, saying they were still evaluating the exercise. But the largest ever US government cybersecurity attack simulation was a “significant accomplishment” for the DHS, says George Foresman, DHS undersecretary of preparedness.
The exercise was part of the DHS goal of preparation: “So that we are ready to meet any type of threat at any time,” Foresman says.
A public report of the results and lessons learned will be released mid-year, says Andy Purdy, acting director of the DHS national cyber security division. DHS will release the results as broadly as possible, with the exception of information deemed too sensitive, Foresman adds.
“At the end of the day, we’re not going to get any stronger, we’re not going to get any better unless we capture the lessons learned, share them among the broadest possible audience and make a full commitment to pushing improvement down the road,” he says.
Cyber Storm, a simulation conducted this month of what the DHS called a “sophisticated” cyber attack, involved 115 organisations in the US, Canada, the UK, Australia and New Zealand. Public agencies and private companies participated, the DHS says.
US government agencies participating in Cyber Storm included the Department of Defence, the Department of Justice, the State Department and the National Security Agency. Among the private companies that volunteered to participate were Microsoft, VeriSign and Symantec.
“The way it’s best described is the DHS is the conductor of an orchestra,” Foresman says. “All of these partners ... are the various musicians playing beautiful music together creating a symphony of preparedness. We’ve made great progress.”
One of the scenarios involved a simulated attack on the computer systems at an electric utility, causing widespread power outages, DHS officials say. In that type of scenario, part of DHS’ job was to notify other utilities of potential threats, Purdy says. The simulations were done on closed networks, so the public internet and other systems weren’t affected.
IT industry participants in the exercise praised the DHS for putting the simulation together. “What we’re going to take away is a lot of lessons learned,” says Jerry Cochran, a senior security strategist for Microsoft. “The more we can exercise, the more we can test things, the better we’re all going to get.”
Cybersecurity vendors have already begun their own review of the exercise and will share the results with each other, says Michael Aisenberg, director of government relations at VeriSign. “That will help us do a better job,” Aisenberg says.
The DHS should get a “lot of credit” for reaching out to the private sector during the exercise, adds John Sabo, director of security and privacy initiatives at CA. “This is really just the first step,” Sabo says. “We need ongoing exercises, ongoing communication and information.”