
Cyber Storm II Set To Begin

mr sanjeev notes that Computerworld is running a story about Cyber Storm II, set to run from March 11th until the 14th. The exercise will test the security of the US, Australia, the UK, New Zealand, and Canada. The organizers' goals are to test preparedness and responsiveness in relation to real-time threats. The previous Cyber Storm test identified "eight specific areas in need of improvement." We recently discussed the details of the tests themselves. From Computerworld: "Security experts said the first Cyber Storm event last year improved participants' understanding of who to call in the event of an attack, but did not identify specific vulnerabilities in the nation's computer systems. 'What they're trying to do is highlight the inefficiencies in the process,' according to Marcus Sachs, deputy director with research group SRI International's Computer Science Laboratory. 'They're not really looking for technical solutions.'"
  • by PopeRatzo ( 965947 ) * on Saturday March 08, 2008 @10:23AM (#22686550) Journal
    Friend, it's all a PR exercise. In the next seven months, we're going to be hearing about every possible type of attack. If you were to judge the state of the world by the media coverage in the coming months (thanks to a lazy, complicit press), you would think that every other human living on earth is a satanic terrorist, looking to kill your babies.

    History books will look back on our current confluence of Terrorism and War as a type of madness. It will judge harshly the weak-hearted "leaders" who used fear to govern.

    One thing, though: The past seven years have certainly changed my opinion of the Second Amendment. And I choose to extend the "right to bear arms" to the "cyber" type, including the best crypto I can find. Maybe not to use every day, but to keep for the inevitable.
  • by lunartik ( 94926 ) on Saturday March 08, 2008 @12:13PM (#22687120) Homepage Journal
    It is not a PR exercise (well, maybe it is, I haven't read TFA), these types of scenarios are used all the time for crisis testing. I used to help run part of a major multi-national's crisis team, and the main goal in table-topping various disaster scenarios is not to drum up some mass paranoia, or even to exercise more likely minor events. The goal is to come up with something large enough to involve all, or most, members of the team. Too often people are tasked with a crisis function on top of their "real" job, and it is something they will hardly ever be called upon to perform. So you pull them together, give them a scenario, and basically you role-play it. The idea is that they need to become familiar with their specific role, what the other members' roles are, and the decision-making and communication structure. Afterwards, you assess how it went, and make suggestions for improvement. We did this all the time. It generally had nothing to do with terrorism (weather or infrastructure failures were more likely scenarios, but sometimes terrorism, crime or political instability were used).

  • Re:pointless (Score:5, Insightful)

    by lunartik ( 94926 ) on Saturday March 08, 2008 @03:06PM (#22687974) Homepage Journal
    Most commenters seem to miss the point of what they are doing. It doesn't sound like they are getting together and probing each other's networks, or getting involved in this in very minute technical details (but they could be). That is not what these sorts of exercises are usually about. The article says that the first exercise "involved nine large IT firms, six electricity utility firms (generation transmission and grid operations) and two major airline carriers."

    In fact, the article calls this a "hacking exercise" but says:

    A Cyber Storm report was released following the exercise in February last year which identified eight specific areas in need of improvement.

    These included better inter-agency coordination, the formation of a training and exercise program, increased coordination between those involved in cyber incidents, the development of a common framework for response and information access, as well as the development of a strategic communications and public relations plan.

    Security experts said the first Cyber Storm event last year improved participants' understanding of who to call in the event of an attack, but did not identify specific vulnerabilities in the nation's computer systems.
    What they were likely doing was role-playing major systems getting corrupted, altered or going off-line. There is a non-technical side to such an event that needs to be thought about and practiced. When a crisis happens, there will be a period of chaos, which you quickly need to get under control and then fix. Say you were an airline, and air traffic systems went out. What do you do with your planes? Your passengers? Who is your contact at the Federal government? Who do they report to? Who are they speaking for? What assistance can they provide? Who are your contacts at other airlines? Who is in charge of communicating with the airports? Does finance have money available to put passengers in hotels if necessary? Who in finance can make those decisions? Who are your contacts at the hotels? What assistance will they provide? What are our plans for handling major schedule disruption? How long would it take to get the planes back online and normal service resumed?

    If the exercise tells you that your systems have been infiltrated, you could imagine similar questions raised.

    The idea is to get people thinking about what their specific role is and understanding it. We always told people there are no wrong answers, they are not graded. The facilitator guides the exercise and observes how well things go, and makes recommendations afterwards.
