Cyber Storm finds weaknesses

Experts disagree over reasons why government is ill-prepared for cyberattacks


The Homeland Security Department’s Cyber Storm exercise earlier this year uncovered critical problems with the government’s ability to handle large-scale cyberattacks, from difficulties with coordination to problems with information sharing. For many in industry, those results are not surprising.

The findings in the official report on the exercise, released Sept. 13, “affirm what many of us already knew was a problem,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance.

The problems that Cyber Storm illuminated are familiar, but the reasons for them are not so clear. Analysts and industry representatives disagree on the reasons for the government’s poor performance and the benefits that could be gleaned from the experience.

Cyber Storm was a $3 million, four-day tabletop exercise conducted in February by DHS’ National Cyber Security Division. Its goal was to test whether the nation’s critical infrastructure could withstand major cyberattacks. Cyber Storm involved more than 100 public and private agencies and corporations in more than 60 locations in five countries, making it one of the largest cybersecurity exercises ever conducted.

Kurtz called for programs that mitigate attacks, adding that the government should develop an early warning system. Such programs are considered essential for improving security. He said Cyber Storm revealed poor leadership as one of the biggest problems because it led to a lack of coordination.

“The government has shown little strategic direction of leadership when it comes to ensuring the resiliency and integrity of our information infrastructure,” said Kurtz, who praised Greg Garcia’s appointment to DHS’ long-vacant position of assistant secretary for cybersecurity and telecommunications.

But Alan Paller, director of research for the computer security certification firm SANS Institute, disagreed with Kurtz’s assessment.

“There is a belief among some circles that this is a policy and process problem when the reality is that this is a people and technology problem,” Paller said.

He emphasized the importance of spending more money on protecting critical infrastructure by adding employees.

“The essential problem is there aren’t enough people who are technically skilled and trust each other,” he said.

Almost all the experts said the exercise was beneficial, though for different reasons.

Tiffany Jones, regional manager for North and Latin American relations at Symantec, said the most important lesson from Cyber Storm might be finding out what could go wrong in a real attack.

“A lot of people forget that the reason why the exercise exists is to identify where the problems are,” she said. “The really important thing isn’t the results of this Cyber Storm but the results of the next.”

Symantec was involved with the exercise, working with the Information Technology Information Sharing and Analysis Center.

“I think the benefit of the exercise was that a group of some of the best and brightest in the country got to know each other,” Paller said.

Cyber Storm on a tabletop

The Cyber Storm exercise in February revealed several problems that slowed response times to cyberattacks and affected coordination among international and national government agencies and private industry. Here are some of the major problems.

  • Organizational coordination: Agencies and private-sector organizations struggled to share information, mostly because the private-sector entities could not properly connect to the National Cyber Response Coordination Group. The coordination group had too few technical employees to provide support.
  • Contingency planning: Organizations taking part in the exercise didn't always know who to contact to coordinate planning. They also needed to resolve trust issues.
  • Correlating multiple incidents: The lack of information sharing impeded organizations' ability to correlate multiple attacks to understand trends and offer support in response to such attacks.
  • No common framework for information: At times, organizations faced "an absence of information and, at others, an overabundance," according to the exercise's official report. Many organizations found it difficult to discern accurate and up-to-date information. In addition, multiple alerts about a single problem bogged down coordinated response times.

— Wade-Hahn Chan
