Details of Cyber Storm War Games Released

I Don't Believe in Imaginary Property writes "Apparently, the participants in the U.S. 'Cyber Storm' war games are familiar with the Kobayashi Maru, because some of them tried to cheat by hacking the games themselves. They also prepare for some very interesting scenarios. Among other things, the organizers are worried about having too many people on the 'No Fly' list show up at an airport, finding 'mystery liquids' in the subway, and having bloggers reveal the classified location of railcars with hazardous materials. The Department of Homeland Security has already analyzed the results of the games, and plans to hold 'Cyber Storm 2' in March."

Re:Good Gravy

[Chandon Seldon]

No. Recognizing fictional references is an example of "cultural literacy". When the reference is a popular TV show, it's more like "basic cultural literacy".

In Real Life...

[Republican Gun]

...there are spies, profiteers, and anarchists that would do things like that. So I guess it was a successful experiment to see what just might happen.

Someone has to know where the trains are

[jd]

Otherwise, how will you conduct evacuations, correct containment procedures, etc? Emergency service personnel are massively underpaid and under-equipt, sometimes under-trained as well, and usually suffering from mental disorders or addictions, making them more than a little vulnerable. Anyone who has been to a security briefing knows these are the very people you're advised to watch out for as the greatest potential security risks. So, either massive population centres are in extreme danger from emergency services not being suitably aware, OR massive population centres are in extreme danger from emergency services being aware.

Seems to me that the two cases would have equal consequences and equal risk levels, and that no other individual could possibly modify those values significantly, reducing the security through obscurity to someone's job security through obscurity. Tell me, why should I care about this person's job more than I care about any potential risk to my wellbeing?

Frightning...

[Lumpy]

I love how the Feds find uncensored and uncontrolled free press a "threat".

Reading that article really opens eyes as to the real inside of our government. The founding fathesr have got to be spinning at 30-40 thousand RPM in their graves by now.

Why does did sound like the plot to war games 2?

[Joe The Dragon]

Why does did sound like the plot to war games 2?
http://en.wikipedia.org/wiki/WarGames_2:_The_Dead_Code [wikipedia.org]

the movie has a system that sounds alot like the one talked about hear.

 

Re:This crap always amazes me

[mwlewis]

So, to summarize your post:

A successful exercise must consider every possible threat. They didn't think about every possible threat. It's not possible to think of every possible threat. An exercise that doesn't consider every possible threat doesn't help anything at all

WTF?

You obviously missed the whole point, which was really to work on the cooperation and communication. They weren't testing specific countermeasures, but stressing the people and the organizations involved to see what happens. Even if it weren't, being more prepared or knowledgeable about some threats is better than being knowledgeable than no threats.

No Fly Nonsense has been Squared.

[Erris]

There are not to many people in the airport, there are too many people on no fly lists. Technically, one person is too many because proscriptions violate your right to due process of law as outlined in the bill of rights. There are 750,000 people slandered as fellons by these lists, so many that it's possible that too many of them could come to the airport one day and overwhelm the TSA agents there. I'm not sure what the real problem is, because people on the no fly lists are never arrested [schneier.com].

To recap, there are so many people on a secret, illegal list of terrorists who are so dangerous that they can't fly AND they are let go immediately AND there are not enough guards for them. Only someone working for Homeland Defense could worried about the details of such an idiotic task.

Re:Hacking the game is cheating?

[Tomy]

I've always believed the biggest obstacle to any creative endeavor in general is Functional Fixedness [wikipedia.org], the bias that limits us to sort of only playing by the rules. I was at a party once and my psychology professor demonstrated it for me with a challenge to everyone at the party that he could drink wine from one of the unopened bottles of wine on the table without damaging the glass or cork in any way. Once everyone had given up guessing how he would do it, he turned the unopened bottle upside down, and poured wine from an opened bottle into the depression in the bottom of the unopened bottle and drank it. Our cognitive bias kept us from thinking outside the box, or bottle as it may be.

Re:Hacking the game is cheating?

[glwtta]

Well, the point of war games is to simulate real-life scenarios, so cheating is not constructive, no matter how clever it is.

Re:Hacking the game is cheating?

[glwtta]

That's a very naive view of the world.

Which is a little odd, since I only expressed a view of an exercise.

An exercise that makes you reconsider the rules of the game is very important in the real world, where you have to expect the unexpected.

Which is all well and good, but there is plenty of other types of exercises that are equally as useful. Besides, in your example it sounds like they were using perfectly legitimate tactics that were deemed outside the scope of some fairly specific exercise, whereas here, TFA makes it seem like they were just screwing with the monitoring systems for poops and giggles. Even taking into account all the vagaries of the real world, that is not productive.

Re:Frightning...

[plover]

It looks like you're making a basic mistake. Don't confuse recognizing a "threat" with the outlawing of it.

In the real world, almost anything could be a threat. Your child could knock a salad fork off the table, and it could land tines-up wedged into a crack in the floor, and you could then slip from your chair trying to pick it up, and put your eye out. By means of an implausible scenario, the fork has become a threat. But you don't address such a threat by outlawing salad forks, or all dining implements, or feeding your children only spoon food. Instead you analyze the risk of having salad forks on your dining room table, and realize it's silly to worry about such ridiculous scenarios.

For a variant, consider placing steak knives on the table. Now, if your child were to knock one off it becomes somewhat more serious. Perhaps you mitigate the risk by sensibly not placing sharp knives within reach of your child; but you don't outlaw knives from the kitchen nor do you stop eating steak. You simply keep them out of your child's reach.

Now move to a slightly more sinister threat or risk, that of a free press or possibly an extremist group publishing the location of every chlorine tanker in America. Could that be a threat to our security? Of course, it might even herald the initial coordination of a nationwide attack. But just like the above stories, you don't outlaw bloggers or their right to publish (nor can you.) Instead you look at potentially dangerous objects or information, you analyze the potential risks, and you find a way to mitigate them. Step 0 might sensibly be "don't publicly publish lists of hazardous tankers" except to those persons with a need to know. Step 1 might be to keep any such lists as small as possible -- the Seattle fire department doesn't need to have the schedule for the Atlanta chlorine train. Step 2 might be to publish a generic set of instructions, "How to safeguard chemical tankers". Step 3 might be a communications plan to the rail lines informing them of a security breach. And so on.

Almost anything can be a threat. What defines an appropriate reaction is recognition of the risks, planning and mitigation strategies. Over the top reactions like saying "OMG they're trying to silence the press and Jefferson is rolling in his grave" are completely missing the point. Nowhere in TFA are they even suggesting they suppress the blogs; they're just recognizing a potential threat, and figuring out what plans (if any) they need to make.

Re:How To Play??

[charlesnw]

The cyber storm war game is not about penetration testing. Its about response coordination. The US government has plenty of people who network in the security community and keep up on exploits etc. They have SNORT and SHADOW and who knows what other IDS systems all over the net watching for new exploit code.

The key element of these war games is to test response capabilities. Testing existing exploits would be pointless. An exploit could come out tomorrow that allows someone to control every Cisco router on the planet. Would that cause problems? You bet. At that point entities which have a tested and rehearsed security response plan will fare better then does who don't. Also organizations which have handled security incidents before will also fare better.

Re:War cannot be 'cheated'.

[gr8scot]

You cannot 'cheat' at war. Anything goes, that is the point. So, the only 'cheating' that could occur in a wargame, would be doing something unsafe. Say like using live ammunition rather than blanks.

The point of wargames is to prepare for possible situations, and train people how to react to them. If you fail to anticipate a situation, you have a weakness that can be exploited.

I agree in general, but not with this particular cheat.
Michael Chertoff, in Wired:

"They point out where your expectations of your capabilities may be overstated," Homeland Security Secretary Michael Chertoff told the AP. "They may reveal to you things you haven't thought about. It's a good way of testing that you're going to do the job the way you think you were. It's the difference between doing drills and doing a scrimmage."

I don't see the article saying that particular computer vulnerability was previously unknown. In fact, requesting that everybody not target the server suggests that the particular exploit is a known weakness, thus use of it is redundant to the organizers & lazy on the part of the cheaters, not insightful & informative & funny, & all-around, it's definitely not worthy of the prize. Of course, somebody among the organizers probably thought of that, and somebody else really should have listened more attentively.
Wired:

Perplexed organizers sent everyone an urgent e-mail marked "IMPORTANT!" instructing them not to probe or attack the game's control computers.

"Any time you get a group of (information technology) experts together, there's always a desire, 'Let's show them what we can do,'" said George Foresman, a former senior Homeland Security official. "Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players."

The exercise was a big deal for all concerned.

The $3 million, invitation-only war game simulated what the U.S. describes as plausible attacks over five days in February 2006 against the technology industry, transportation lines and energy utilities by anti-globalization hackers. The government is organizing a multimillion-dollar "Cyber Storm 2," to take place in early March.

They offered $3 million to the winner, left playing by the rules to "the honor system," and the organizers were "perplexed" that somebody cheated? That is stupid! They'll need to make it an "invitation, to use our-crippled-terminals-only war game" next time, and simulate the whole thing on an isolated LAN, if they want that kind of controlled simulation. Or, they can just repeat the same mistake, I guess, and hope it works better this time.