DHS Publishes Report on Operation Cyberstorm

uniquebydegrees writes "InfoWorld reports that the Department of Homeland Security has released the findings of Operation Cyber Storm, a large-scale simulation of combined cyber-physical attacks on U.S. critical infrastructure. From the article: 'According to DHS, "observers noted that players had difficulty ascertaining what organizations and whom within those organizations to contact when there was no previously established relationship or pre-determined plans for response coordination and risk assessments/mitigation. There was a general recognition of the difficulties organizations faced when attempting to establish trust with unfamiliar organizations during time of crisis."'"

Translated from bureaucrat to English

[Tackhead]

Bureaucrat:

> "observers noted that players had difficulty ascertaining what organizations and whom within those organizations to contact when there was no previously established relationship or pre-determined plans for response coordination and risk assessments/mitigation. There was a general recognition of the difficulties organizations faced when attempting to establish trust with unfamiliar organizations during time of crisis."

English:

"Situation Normal, All Fucked Up."

Ah! I thought it meant...

[jd]

"We're all hopelessly paranoid, making trust impossible, and rigidly stratified, making flexible response or communication impossible, oh and so totally self-centered that the mere notion of cooperation causes outbreaks of hives".

Come to think of it, that's what your translation says, too.

Re:

[legoburner]

you forgot 'Needs more funding for conclusive results'. Go bureaucracy!

You nailed it!

[gettingbraver]

And this one's a classic:

> "Clarifying roles and responsibilities across government, and clearly articulating expectations between public and private sectors will enable the advancement of processes and communications architecture to support the development and maintenance of situational awareness across sectors.

Here's the translation: We don't know who is going to do what, or how they are going to do it. So, we need a study (which will be done after the election and the campaign contributions are

Shouldn't government agencies be a bit paranoid?

[s20451]

We're all hopelessly paranoid, making trust impossible, and rigidly stratified, making flexible response or communication impossible, oh and so totally self-centered that the mere notion of cooperation causes outbreaks of hives

Hello, FBI? Mid-level functionary from FEMA here. Nasty computer virus we're having, eh? Yeah, I haven't had power for a week either ... no, I can't get money out of the bank machine either. But the good news is that the price of bread is down to ten cigarettes here in Wichita ...

Depends on the paranoia

[jd]

STU III [fas.org] is your friend in these situations. No authorized key, no communication. Which means that if your inter-department phones are STU III-grade, then you technically don't need to know who is on the other end, you only need to know that the keys are solely provided to authorized people. Everything else can be inferred through your normal web of trust.

...They do have a web of trust, right...?

Re:

[dgatwood]

From that page, the manufacturing contract is guaranteed through 1999. Guess the DHS is screwed.

Re:

[grcumb]

"Situation Normal, All Fucked Up."

DHS: they're not Really Ready [livejournal.com] for anything, are they?

Re:

[azrider]

I have been involved in disaster management for 15 years. As a ham radio operator (and appointed emergency coordinator) we perform emergency drills. My crew goes out of it's way to throw monkey wrenches into the drill. While FEMA (under DHS) and some of the local agencies are not up to the task, there are people who are there. Todd Bordeaux N7TWF

Re:

[trentblase]

As a ham radio operator...My crew goes out of it's way to throw monkey wrenches into the drill

So you install BPL in the area?

Sounds Interesting

[susano_otter]

At least according to the blurb, it sounds like the organizations involved will probably be working on ways to communicate with each other better in times of crisis, probably by developing trust relationships ahead of time.

Assuming that's the case, it's exactly the kind of improvements we should expect to see from government agencies: identifying weaknesses, and working to eliminate them.

So, kudos to DHS, and may they successfully apply the lessons learned from this exercise.

Re:Sounds Interesting

[Jeremiah Cornelius]

I don't want an effective Secret Police.

It wasn't what the U.S. signed on for in 1776 or 1789.

Re:Sounds Interesting

[susano_otter]

Actually, I think there's a lot of merit to the philosophy of "ineffective government". And it's definitely the case that the system of government we signed up for was designed to be as ineffective as possible without being completely useless.

However, in so far as we have government at all, I would prefer that it was able to act effectively in times of crisis.

I mean, think how much better off we'd be if FEMA, the State of Louisiana, and the City of New Orleans had thought to work out trust relationships and clear contingency plans and handoff of responsibilities, prior to the arrival of a giant fucking hurricane, yeah?

Besides, America has probably the most un-secret "secret police" of any nation in the world (unprovable conspiracy theories aside).

Also, the article isn't about the "secret police", but about the woefully feeble capabilities of government infrastructure agencies in general, to survive and recover from "cyber" attacks. You might want to save your "secret police" objections for an article about actual "secret police".

Re:

[jamstar7]

Actually, I think there's a lot of merit to the philosophy of "ineffective government". And it's definitely the case that the system of government we signed up for was designed to be as ineffective as possible without being completely useless.

I wholeheartedly agree. The Founders knew what they were talking about when they insisted on keeping the Federal government relatively weak and ineffective. They had a severe distrust of centralised power, and with good reason. They'd just won a revolution from a

Re:

[geekoid]

"What's wrong with the local authorities, the people closest to the 'action' calling the shots? "

there are probably untrained to assertain a priority to recovery.
You need experts. You also need the local politicians to scream, yell, point, and gather attention of the media and point out every single problem you run into to focus responisbility on FEMA.

In New Orleans there wan't anyone on the ground capable to call the shots.

Re:

[jamstar7]

"What's wrong with the local authorities, the people closest to the 'action' calling the shots? "

there are probably untrained to assertain a priority to recovery.

This training only exists at a Federal level?

You need experts. You also need the local politicians to scream, yell, point, and gather attention of the media and point out every single problem you run into to focus responisbility on FEMA.

These experts only exist on a Federal level? And aren't a lot of our problems due to the tendency of every

Re:

[susano_otter]

Decentralization only works if there is good communication between the various parts that make up the whole.

According to this article, the chief lesson of the exercise was that the different parts did not communicate effectively in times of crisis, and that this put the whole at risk.

The recommendation, then, is to improve communication between the separate parts, not to centralize their functions.

Re:

[radtea]

It wasn't what the U.S. signed on for in 1776 or 1789.

Yeah, but look at what you've got: a government that is basing its whole policy on "security" and asking "are we more secure?" "Do you feel more secure?" "Would the other party be able to make you feel as secure as we do?"

It's like they've forgotten what that statue in New York Harbour is named.

And like they've forgotten what some radical left-wing terrorist-sympathizer said: "Is life so dear, or peace so sweet, as to be bought at the price of warren

Re:

[Jeremiah Cornelius]

You rock.

Re:

[gettingbraver]

That's something an agency PR person would say!

Re:

[susano_otter]

That's something an agency PR person would say!

Then, on the principle that anyone who denies being a Templar must surely be a Templar, I will say nothing more of the matter, but leave it up to you to judge the issue on its merits rather than your prejudices.

Re:

[Dragonslicer]

Don't worry. If there's one thing our government is really good at, it's taking the best, most carefully thought out plans and turning them into a complete disaster when it comes to implementation.

If there's a second thing our government is really good at, it's debating the best, most carefully thought out plans until the next election, then completely forgetting about the whole thing.

Re:

[susano_otter]

Being of an optomistic and cheerful turn of mind, and at the same time having a realistic opinion of man's flawed nature, I happen to think these characteristics of our government as features rather than bugs.

Senator Ted Stevens is not a truck.

[megaditto]

But at least our pipes are secure. Oil pipes.

Re:

[abandonment]

but the internet's made out of pipes though, no? shouldn't it be the same thing to secure it?

you mean that govt's been lying to us?

Parsing error. Does not compute.

[Kesch]

FTFA:

As DHS points out, just by carrying off such a large scale private-public and multinational exercise creates allows the government to test policies, procedures and communications should an actual attack occur.

This, combined with the submitter's bad line:

a large-scale simulation of combined cyber-physical attacks on U.S. critical infrastructure

Honestly, what's with all hyphenated oxymorons? Normally I'm not a Grammar Nazi, but it feels like the left-right side of my grammar center just got a swift kick in the nuts.

Finally, I found it funny that at the bottom of TFA they had links such as "Digg this!"
However, they also had a "Slashdot this!"

To which I reply. "You keep using that word, I do not think it means what you think it means."

Re:

[Simon Garlick]

Honestly, what's with all hyphenated oxymorons? Normally I'm not a Grammar Nazi, but it feels like the left-right side of my grammar center just got a swift kick in the nuts.

They're called compound adjectives and if you actually were a Grammar Nazi, you'd know that.

Re:

[dgatwood]

The terms "private-public" and "cyber-physical" are not compound adjectives... or at least not proper ones. A proper compound adjective is one in which one adjective gives additional meaning or clarification to the other one; the hyphen is added to show the reader that the words do not independently modify the noun. In this case, one adjective directly contradicts the other one, thus, they can neither independently modify the noun nor modify each other. This construction makes no sense. If I wrote somet

I presume I wasn't the only one who misread...

[the_tsi]

"DHS Publishes Report on Operation Cybertron"

The terrorists are after our energon cubes.

Re:

[chris_eineke]

These treacherous decepticons!

Energon Cubes

[TubeSteak]

The terrorists are after our energon cubes.

Being cube shaped, they must be transported in trucks which makes them vulnerable, instead of being moved around through a series of (secure) tubes.

How am I supposed to be surprised?

[cultrhetor]

The FBI can't even get a modern computer to the majority of it's employees. FEMA "misallocated" (read: got suckered out of mucho money) more money than Bill Gates can come up with. DOT engineers have to fill out fifteen forms to receive a box of pencils. The IRS has to rely on outside collection agencies to retrieve back taxes. Veterans' benefits have been slashed - by a government - which claims to support our troops - creating more disabled veterans because of a war we had no business fighting (Iraq). The federal deficit is in the trillions, yet we cut taxes. How the hell am I supposed to be surprised that they can't maintain computer system security?

So You're Saying It Was A ClusterFuck?

[littlewink]

Sometimes it helps to simplify.

Please, enough is enough.

[jfz]

It may be too late at this point but can we please ban the word "[cC]yber" from use in the U.S. government? This can go for any other stupid, vague, technology fantasy land word as well. This kind of nomenclature just helps make us look like ignorant idiots the world over. Not that we needed it in that department.

Re:

[dan828]

OK fine. Next year we'll call it "Operation eStorm" instead.

DHS Press Release

[Anonymous Coward]

Link to the actual DHS press release: http://www.dhs.gov/dhspublic/display?content=5431/ [dhs.gov]

Re:

[webmistressrachel]

Broken - sorry dissappoint but my post below was being typed whilst you posted this likn, and I'm still frustrated by the article's lack of sources.

Re:

[frdmfghtr]

Try here...

http://www.dhs.gov/dhspublic/interapp/press_releas e/press_release_0993.xml [dhs.gov]

I was just there and downloaded the 20-page report from

http://www.dhs.gov/dhspublic/interweb/assetlibrary /prep_cyberstormreport_sep06.pdf [dhs.gov]

References?

[webmistressrachel]

Rather surprising to me that TFA does not cite or link to the source of the quotes at all.

Could somebody please post this, if it exists?

Personally, I find it hard to take any government

[ScrewMaster]

program seriously when it has the word "Cyber" in it. Sure, I realize that the original Terminator was a Cyberdyne Systems Series 800 Model 101, and that sounded really cool at the time. It doesn't anymore. They need to find another prefix for their project names.

Re:

[lostboy2]

Heh. Personally, my favorite is Yoyodyne [wikipedia.org]. More tech-related things should use the yoyo- prefix. Darn -- Yoyosoft [yoyosoft.com] is already taken.

Re:

[ScrewMaster]

Hm ... Project YoyoStorm. I like it.

When in danger or in doubt...

[jpellino]

... run in circles, scream and shout.

So everything's normal then?

Very funny and BS

[mrkitty]

All one needs is 10-30k machines ddosing the root name servers for 2-5 days. Positive conclusions my ASS.

Root servers are not the softest DNS target

[karl.auerbach]

Actually the DNS root servers are a fairly resiliant target.

The reason is that their data is so small - only about 250 names, the whole thing compresses down to less than 20K bytes - that it is well cached (and privately replicated.)

I've traced root server queries and most sites that don't reboot their resolvers will generate usually no more than a few hundred queries to the roots per month. If root servers stopped responding, most people would live out of their ISP's resolver caches for a long time, many

Re:

[account_deleted]

Comment removed based on user account deletion

Blatant Karma Whoring

[morgan_greywolf]

Here's a link to the Operationg Cyberstorm Report [dhs.gov] on the DHS web site.

Re:

[sane?]

The sample scenario gave me a chuckle.

Hackers are supposed to hammer a HIPAA data to hold medical authorities to ransom - which of course in the scenario they 'beat off'. Yay for the good guys.

In reality of course they'd slip in, copy the details of anyone with a particularly embarassing illness, then blackmail THEM to stop release of the data. In reality the government probably wouldn't have a clue.

If this is indicative of the general standard of 'Cyber Storm' they need more help in understanding the

easy

[DragonTHC]

anyone can lookup a netblock with arin.net

then simply call the phone number of the network owner.

that is easy.

the government is so caught up in buying expensive shit to solve non-existant problems, they have forgotten basic net troubleshooting.

Does this suprise anyone?

[DocOmega]

It is the nature of both military and government in general (esp. military) to operate under a chain of command. When this link is broken, no one is used to thinking for him/herself. When we teach "yes sir, no sir", we do a disservice to the critical thinking and independent decision making that would have helped out here.

Re:

[Anonymous Coward]

You don't actually know how the military works do you? Do you really think that they just want robots? In the middle of a firefight or emergency do you think that they have to call home to Momma to figure out what to do? If anything you are expected to be able to take independent action that will complement the actions of others to win. Strict zombie control gets you the Iraqi army not the US one.