Cyberattack Preparation Addresses Multiple Threats

February 2011
By Rita Boland, SIGNAL Magazine


A Cyber Storm III exercise participant briefs Department of Homeland Security Deputy Secretary Jane Holl Lute during the exercise kickoff at U.S. Secret Service headquarters in Washington, D.C. Participants included representatives from seven Cabinet-level departments, the White House, law enforcement and intelligence communities, 11 states, 12 international partners and 60 private-sector companies.

Federal agencies, states and industry weather Cyber Storm to improve the response to and mitigation of network menaces.

Participants in a biennial U.S. Department of Homeland Security cybersecurity exercise evaluated the relevance of the U.S. national response plan in an event that featured more players than ever before. Representatives from federal and state government, the private sector and foreign countries all worked together to examine the United States’ ability to handle cybercrises. The personnel also enjoyed the privilege of being the first to employ and review a new center dedicated to coordinating actions during a serious real-world incident.

Held in September 2010, Cyber Storm III was the primary vehicle to exercise the National Cyber Incident Response Plan (NCIRP)—the recently created blueprint for cybersecurity incident response. The plan examines the roles, responsibilities, authorities and other key elements of the nation’s cyberincident response and management capabilities. Evaluations by participants will help the government refine the document moving forward.

Brett Lambo, the director of the cyber exercise program in the National Cybersecurity Division at the Department of Homeland Security (DHS), says that an objective of Cyber Storm III was to look at the NCIRP to see how the nation’s different sectors work collaboratively and how to manage an incident from a cyber perspective. “We really wanted to get a window into how the how was working,” he explains.

Cyber Storm III assisted officials with determining whether the plan facilitated interagency cooperation and brought together the right people in real time, as well as if industry’s roles were identified correctly. Government and industry offer different capabilities, and the groups must find the best way to combine their resources to secure cyberspace. Lambo states that the exercise aimed to test the NCIRP to ensure the right blending took place at the right times. “We’re over the moon about how well the exercise was able to get at those objectives,” he says.

Cyber Storm is an objectives-based exercise. The planning process begins by gathering representatives of the organizations that need and want to be involved and determining training goals. Lambo says that groups want to know the state of their operations and to see their programs stressed in a risk-free environment. For example, one federal agency might want to find out how well it could provide information to the U.S. Computer Emergency Readiness Team (US-CERT). Or, a company may want to determine if the information it provides the government is valuable.

The exercise is designed to allow participants to coordinate from the level of powerful decision makers down to that of tactical operators. At the “very high level,” according to Lambo, the objective of Cyber Storm is to see how well the nation is prepared to respond to a cyberattack. “That’s what we’re trying to do with these exercises ... We’ve got a duty and mandate to be able to manage a cyberincident,” Lambo says. However, at the operational level, the objectives are to examine plans and procedures, the maintenance of concepts of operation (CONOPs) and public-private-interagency coordination.

Though the DHS will not release details of the exercise scenario, and has not announced results or lessons learned, the event did incorporate targeted attacks that used the Internet’s elements against itself. Planners included known, credible technical capabilities of enemies and exploitation of actual cyberinfrastructure vulnerabilities. Players had to identify the attack and mitigate the problems in real time as well as determine possible consequences to compromised systems. They also had to handle more than 1,500 data injects—pieces of information revealed during the exercise—to test skills. Lambo explains that over time, cyber capabilities have evolved, enabling planners to ask very specific questions such as those regarding CONOPs and put the right factors in place to try to find the answers.

Lambo and other planners developed a scenario for this year that differed from previous Cyber Storms by putting in layers of problems that enabled participants to link their objectives. The result was the simulation of a truly national-level incident. Lambo explains that fundamental problems surfaced for various participants, but each issue manifested itself differently depending on what each constituent base needed. Planners focused on presenting a core scenario that supported the requirements of different organizations.

One of the facets examined was the employment of the National Cybersecurity and Communications Integration Center (NCCIC). “The NCCIC is the center of gravity for coordinating response to an incident,” Lambo says. It serves as the hub for national cybersecurity collaboration. Because the center was inaugurated in October 2009, a down year for Cyber Storm, this year’s exercise marked the first opportunity to include the center in the training. Officials with the DHS had specific processes and procedures they wanted to test within the NCCIC during Cyber Storm. Different agencies and groups stationed representatives inside the center for the event, enhancing coordination efforts.


U.S. Secret Service Director Mark Sullivan addresses participants in Cyber Storm III. The goal of the exercise was to examine and strengthen collective cyber preparedness and response capabilities across government and industry.

Cyber Storm thoroughly stressed the center. “The NCCIC was really ground zero in this exercise,” Lambo states. Participants practiced coordination with others outside the center, so people in other locations gained an understanding of the information the center would push out, and those on the inside learned what information they would receive. Who sits where during a real-world event will depend not so much on employers as on where skills are needed. In that vein, the Defense Department and the DHS have entered into an agreement to send staff to the NCCIC, and the DHS will send staff to U.S. Cyber Command.

The varied participants of Cyber Storm III made the exercise a useful tool for testing the NCCIC’s coordination capabilities. Federal-level participants included the departments of Homeland Security, Commerce, Defense, Energy, Justice, Transportation and Treasury as well as White House, intelligence and law enforcement officials. Eleven states were represented in the exercise, two more than in Cyber Storm II. California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas and Washington all joined in, as did the Multi-State Information Sharing and Analysis Center.

In addition, several private-sector information sharing and analysis centers (ISACs) and sector coordination councils played a role along with 60 companies, up from 40 in 2008, from fields such as banking and finance, chemical, communications, dams, information technology, industrial base, nuclear, transportation and water. International partners from Australia, Canada, France, Germany, Hungary, Italy, Japan, the Netherlands, New Zealand, Sweden, Switzerland and the United Kingdom rounded out the group.

Though many federal exercises include private and international participation, events focused on cybersecurity especially need these diverse personnel. The government owns virtually none of the United States’ information technology infrastructure, and crucial services provided by private industry in a variety of areas could be disrupted during a cyberincident. Overall, the Cyber Storm series is designed to simulate large-scale cyberattacks on the country’s infrastructure and key resources with a goal to evaluate the collective cyber preparedness and response capabilities against realistic national-level events.

Deciding who participated in Cyber Storm III depended on two criteria. “The first answer is we really take volunteers,” Lambo says. States especially are taken on a voluntary basis because while understanding who is prepared is important to the federal government, some simply might not have the resources to take part. The private sector also participates by volunteering. Fortunately for planners, many want to join the event. “The community is pretty well aware of it now,” Lambo explains. “We’re not going out to present something foreign.”

Other organizations fall into a second category of mandatory participants. “Certain agencies have to be involved,” Lambo states. “These are organizations that on a daily basis have a direct operational role in cyberincident response.” He says planners have not had to resort to strong-arming tactics because those groups know they should be involved for their own good.

Over the years since the first Cyber Storm, participants have grown relationships with one another and put in place additional tools, allowing planners to develop more specific objectives. As the United States becomes more technologically sophisticated, national capabilities improve, and exercise executors can test harder. “You use an exercise to lay yourself bare a little bit,” Lambo explains.

Because of this, planners have not yet established firm plans for Cyber Storm IV. They plan to build on the benefits of Cyber Storm III, then fulfill their obligation to push the envelope as far as they can for the next round.

The DHS has been working over the years to foster a relationship between the public and private sectors through Cyber Storm and other efforts. Much of the capability to do forensic analysis and situational awareness is possessed by the owners and operators of cyberinfrastructure, and the government needs their involvement to manage an incident effectively. Lambo explains that the federal government strives to do its best to protect against cyberthreats, but that if the exercise only included federal participants, it would miss half the equation.

In addition to reaching out to individual companies, the government is working with organizations such as the Information Technology (IT) ISAC, which took part in the recent exercise. The IT-ISAC is a nonprofit organization that reports, exchanges and analyzes threats to the information technology sector in terms of both electronic incidents and how to counteract them; performs risk management; and manages and mitigates problems. The center has participated in all the Cyber Storm events. Scott Algeier, the executive director of the IT-ISAC, explains that his organization marketed the most recent exercise to members and played individually through its own operations center.

The event enabled IT-ISAC personnel to examine their crisis coordination with members of the US-CERT and the NCCIC and to test the nonprofit’s CONOPs. The IT-ISAC also was able to determine how well it interacts with its own members as well as with the DHS and other security partners. “We need to practice so we maintain our sharpness, so we know we have the capability to respond,” Algeier says. Where the IT-ISAC falls short, personnel will fix the problems, “so we don’t make the same mistake again,” he adds. The center identified areas for improvement in its CONOPs and operations center that it plans to resolve. It also evaluated the strengths and weaknesses of its own alert level system during the exercise and will spend time working on that in the future.

Algeier emphasizes the need for industry collaboration with government, explaining that because the industry owns and operates the information infrastructure, the government needs its assistance. “They don’t own anything ...” he says. “What the government does have is intelligence. That’s good for the private sector.” The public-sector information enables industry to perform mitigation activities and to identify servers to shut down, signatures to develop, virus programs to update and malware to remove.

According to Algeier, the Cyber Storm III scenarios were complex enough to enable the IT-ISAC to test its analytical capabilities. It also helped the center look at how it will work with the Unified Coordination Group that was established under the NCIRP. The group is a collection of industry and government leaders who come together during an event to make response decisions.

The exercise is completely simulated, so no actual disruptions take place. After planners understand everyone’s goals, they develop the situation for the event, and create the attacks by telling people where and what the problems are. Though planners and executors follow a script, they also leave room for dynamic play so if participants respond in a manner different from the expected, the exercise can change on the fly.

Participants operate from their normal business locations, increasing the reality of the exercise. By sitting where they sit every day, players learn how to work with the others involved in cyberdefense and response activities who are operating from their regular spots. This is important not only to prepare for a catastrophic event, but also to help prevent one from occurring. “There’s never a day where nothing’s happening,” Lambo says. He adds that a problem might seem minor, but if that same minor issue occurs in many places, it could have a major impact. And that is what exercises such as Cyber Storm are designed to prevent.
