An Approaching Cyber Storm Includes New Threats

March 2012
By Max Cacas, SIGNAL Magazine

The upcoming international cybersecurity drill responds to ever-changing online infrastructure dangers.

The U.S.-led global cybersecurity exercise known as Cyber Storm will sport a new look and format when it takes place later this year. The changes reflect the constantly evolving nature of the threats posed daily to the world’s cyber infrastructure.

“We’ve long since left the notion of a purely destructive hacker in our rear-view mirror. We’re all organizing, training and equipping to meet challenges that are sophisticated, and to do that, we’ve been developing capabilities of our own that are fairly sophisticated,” says Brett Lambo, director of the Cybersecurity Exercise Program with the Department of Homeland Security’s (DHS’s) National Cyber Security Division.

Cyber Storm exercises have been conducted approximately every two years since 2006. All have been organized and conducted under the aegis of the DHS’s Office of Cybersecurity and Communications, National Cyber Security Division. These are primarily policy-driven tabletop exercises, and do not involve the injection of malicious digital code into a working network. Rather, participants rely on text messages or email as a means of communicating changes in the test scenario.

Lambo is planning the fourth iteration of the exercise, returning for a second time in the role of chief architect and game master. After reviewing how much things have changed since Cyber Storm III, including the cyber threats faced by exercise participants, he concluded it was time for a new approach, he reports.

For the fourth Cyber Storm, the format will feature an ongoing series of events, not just one main event, and the series will be broken up by different constituency groups. Lambo explains that this could be a building-block event, in which the initial event shapes the nature and conduct of subsequent events in the middle and latter stages of Cyber Storm IV. The building blocks, he says, will be based on specific cybersecurity topics and the interests of the varied constituencies represented by the diverse roster of participants in Cyber Storm.

The 2012 edition of Cyber Storm once again will include a wide-ranging group of representatives from private industry and local, state, federal and international government, according to Lambo. He explains that the broad spectrum of active participants is part of the “method to the madness” of the Cyber Storm exercise, especially in its new format.

“We can work a bit more intimately with each other if we do these things in smaller, bite-sized pieces,” he continues, as opposed to a single, monolithic, multiday event. “In that way, we, as the sponsors of the exercise, get a chance to delve a little deeper with a particular constituency and go a little broader,” in using the exercise as a means to explore specific cybersecurity topics.

The Pentagon is a critical partner in the planning and execution of Cyber Storm IV. The Defense Department’s policy issued last year named cyberspace as its newest operational domain, and Lambo’s unit works daily with the Defense Department to help integrate its cyber defense activities.

“We all have places where we have complementary capabilities, and we all have places where our mission spaces might diverge. That doesn’t change fundamentally what we do, or how we approach what we do. It’s a big pool, and we all have different responsibilities,” Lambo states.

He is hopeful that the DHS can invite even more participants to be a part of Cyber Storm IV. “This is an interconnected world, and this is an interconnected constituency. The cast of characters doesn’t change that much; it just gets bigger,” he notes, referring to the relatively small but growing worldwide community of cybersecurity experts and practitioners who are the frontline in protecting cyberspace.

Cyber Storm IV is designed to be complementary to the more domestically focused National Level Exercise (NLE), a four-month emergency management exercise involving the DHS, multiple federal agencies and state and local governments. The NLE itself will have a cybersecurity component.

“We’ve tried hard not to overlap with them,” Lambo explains, referring to the group planning the NLE, “but,” he adds, “to the extent that they’ll need cyber expertise, we’re going to be there for them.”

Details of the exercise still are being developed and are heavily classified until after the completion of the exercise. However, Lambo is clear in explaining that change will be a centerpiece of this year’s program.

Unlike the exercise two years ago, Cyber Storm IV will not have a formal beginning. Lambo explains that once planning is completed in the spring, “We will start rolling out these exercises, small and large, but nothing like you saw in September of 2010.”

Two years ago, seven federal departments, 11 states, 12 countries and 60 private-sector companies from around the world participated in Cyber Storm III. The exercise was a tabletop cybersecurity endeavor designed to test policy and operational response to an initial core cyberattack scenario. Participants responded to simulated attacks focusing on the Internet’s Domain Name System (DNS) and on the so-called Internet chain of trust: the system of digital certificates, and the authorities that issue and vouch for them, that lets one party confirm that the server or signer it is dealing with is who it claims to be.

During the Cyber Storm III exercise, participants were asked, over a four-day period, to respond to injects, which are specific events reflecting dynamically changing conditions for the exercise. The injects changed again in later phases, depending on the participants’ responses. Again, the exercise did not include injecting malicious digital code into a network; it relied on the exchange of text messages and email among participants.

The goal of Cyber Storm III was to test whether the Internet’s technical architecture and chain of trust could, in effect, be turned on itself and used by outside forces to attack and bring it down, according to Lambo.

Lambo and his DHS colleagues report that, in addition to testing the capabilities of cybersecurity policies and procedures on the part of respective constituency groups, Cyber Storm tests how well those groups work with one another. Collaboration is one of the broad themes that they hope to repeat in Cyber Storm IV.

The point of the exercise is to take what already is in place and give it a road test, and to see how well those procedures and those relationships are working, Lambo emphasizes.

Based on his experience managing the Cyber Storm III exercise, Lambo believes one of the most valuable outcomes is that the collective cybersecurity community benefits from the lessons learned. In July, his office released its final report on Cyber Storm III, a 30-page document outlining key findings and detailing everything from initial planning for the test to long-range, after-action analysis of the outcome.

As a result of these findings, Lambo says, “Our procedures will be more robust, and the way we coordinate with each other will be more regular and ongoing. So, you’ll see more activity in response to these actions as those plans and procedures get matured.”

For the DHS, he says Cyber Storm also offers a unique way to test rigorously the National Cyber Incident Response Plan (NCIRP). This policy document details how the nation will prepare for, and deal with, a cyberattack. It addresses not only the work of the DHS and its constituent agencies, but also the roles and responsibilities of other cabinet-level agencies. It also focuses on how the federal government is expected to respond to the needs of citizens and private businesses, as well as those of foreign governments that increasingly rely on the public Internet.

Because of the international focus of the Cyber Storm exercises, the test provides a regular opportunity to measure how the NCIRP relates to the global cybersecurity community. The top finding in the final report on Cyber Storm III suggests that the NCIRP provides “a sound framework for cyber-incident response; however, the supporting processes, procedures, roles and responsibilities outlined in the Plan require maturity.” Lambo says this finding is important, given the rapidly changing nature of the threats to cybersecurity.

In reflecting on the outcome of Cyber Storm III and how it is shaping his master plan for Cyber Storm IV, Lambo says he is satisfied that many of the core policies driving many U.S. cybersecurity strategies have been verified, with some work still to be done.

“We were really able to validate that we were being right-headed in the ‘what’ we were trying to spell out in these plans. And where we really needed to put the meat on the bones is in the ‘how.’ And so the takeaway from Cyber Storm III is that the framework we have is directionally sound.”

Lambo adds that one other challenge is developing new and improved ways to sift through the volumes of information that now can be gleaned about network security and create new tools that can improve response to cybersecurity incidents and threats.

DHS “Cyber Storm III: Final Report”:
