Cyber Storm puts US to the test
WASHINGTON (AP) - January 31, 2008
The surprising culprit? The players themselves, the same
government and corporate experts responsible for detecting and
fending off attacks against vital computer systems, according to
hundreds of pages of heavily censored files obtained by The
Associated Press. Perplexed organizers sent everyone an urgent
e-mail marked "IMPORTANT!" instructing them not to probe or
attack the game's control computers.
"Any time you get a group of (information technology) experts
together, there's always a desire, 'Let's show them what we can
do,'" said George Foresman, a former senior Homeland Security
official. "Whether its intent was embarrassment or a prank, we had
to temper the enthusiasm of the players."
The exercise was a big deal for all concerned.
The $3 million, invitation-only war game simulated what the U.S.
describes as plausible attacks over five days in February 2006
against the technology industry, transportation lines and energy
utilities by anti-globalization hackers. The government is
organizing a multimillion-dollar "Cyber Storm 2," to take place
in early March.
Among the mock disasters confronting officials in the previous
exercise: Washington's Metro trains shut down. Seaport computers in
New York went dark. Bloggers revealed locations of railcars with
hazardous materials. Airport control towers were disrupted in
Philadelphia and Chicago. Overseas, a mysterious liquid was found
on London's subway.
The list of fictional catastrophes - which also included
hundreds of people on "No Fly" lists suddenly arriving at airport
ticket counters - is significant because it suggests what kind of
real-world trouble keeps the White House awake at night. Railway
switches failed. Planes flew too close to the White House. Water
utilities in Los Angeles were compromised.
The Homeland Security Department ran the exercise, with help
from the State Department, Pentagon, Justice Department, CIA,
National Security Agency and others.
Imagined villains included hackers, bloggers and even reporters.
In one scenario, after mock electronic attacks overwhelmed
computers at the Port Authority of New York and New Jersey, an
unspecified "major news network" airing reports about the
attackers refused to reveal its sources to the government. Other
simulated reporters were duped into spreading "believable but
misleading" information that confused the public and financial
markets, according to the government's documents.
The upcoming "Cyber Storm 2" in March also will simulate
electronic attacks against chemical plants and communication lines,
and include targets in California, Colorado, Delaware, Illinois,
Michigan, North Carolina, Pennsylvania, Texas and Virginia.
"They point out where your expectations of your capabilities
may be overstated," Homeland Security Secretary Michael Chertoff
told the AP. "They may reveal to you things you haven't thought
about. It's a good way of testing that you're going to do the job
the way you think you were. It's the difference between doing
drills and doing a scrimmage."
The AP obtained the Cyber Storm internal records nearly two
years after it requested them under the Freedom of Information Act.
The government censored most of the 328 pages it turned over,
marked "For Official Use Only," citing rules against disclosing
sensitive information. The government is still reviewing hundreds
more documents before they can be turned over to the AP.
"Definitely a challenging scenario," said Scott C. Algeier,
who runs a cyber-defense group for leading technology companies,
the Information Technology Information Sharing and Analysis Center.
For the participants - including government officials from the
United States, England, Canada, Australia and New Zealand and
executives from technology and transportation companies - the mock
disasters came fast and furious: hacker break-ins at an airline;
stolen commercial software blueprints; problems with satellite
navigation systems; trouble with police radios in Montana; school
closures in Washington, Miami and New York; computer failures at
border checkpoints.
The incidents, designed to tax responders, were divided among
categories: computer attacks, physical attacks and psychological
operations.
"We want to stress these players," said Jeffrey Wright, the
former Cyber Storm director for the Homeland Security Department.
"None of the players took 100 percent of the correct, right
actions. If they had, we wouldn't have done our job as planners."
How did they do? Reviews were mixed. Companies and governments
worked successfully in some cases. But key players didn't
understand the role of the premier U.S. organization responsible
for fending off major cyber attacks, called the National Cyber
Response Coordination Group, and it didn't have enough technical
experts. Also, the sheer number of mock attacks complicated
defensive efforts.
The little-known Cyber Response group, headed by the departments
of Justice and Homeland Security, represents the largest government
departments, including law enforcement and intelligence agencies.
The 2006 exercise had no impact on the real Internet. Officials
said they were careful to simulate attacks using only isolated
computers, working from basement offices at the Secret Service's
headquarters in downtown Washington.
---
On the Net:
Homeland Security Department: http://www.dhs.gov
Justice Department: http://www.usdoj.gov