The Cybersecurity and Infrastructure Security Agency, Cybersecurity Division held Cyber Storm II, a comprehensive, dynamic cybersecurity exercise, in March 2008. The exercise simulated a large-scale coordinated cyber attack on critical infrastructure sectors including the chemical, information technology (IT), communications, and transportation (rail/pipe) sectors. The exercise addressed the increasingly sophisticated cybersecurity threats that both the public and private sectors face. As the Department's biennial National Cyber Exercise, Cyber Storm II sought to examine the processes, procedures, tools, and organizational response to a multi-sector coordinated attack through and on the global cyber infrastructure. Exercise planning and execution provided the opportunity to establish and strengthen cross-sector, inter-governmental, and international relationships that are critical during the exercise and in actual cyber response situations.
Cyber Storm II exercised government and private sector concepts and processes developed since Cyber Storm I.
Specific objectives of the exercise included:
- Examining the capabilities of participating organizations to prepare for, protect from, and respond to the potential effects of cyber attacks;
- Exercising strategic decision making and interagency coordination of incident response(s) in accordance with national-level policy and procedures;
- Validating information sharing relationships and communications paths for the collection and dissemination of cyber incident situational awareness, response, and recovery information; and
- Examining means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.
Cyber Storm II was intended to act as a catalyst for assessing communications, coordination, and partnerships across critical infrastructure sectors. To accomplish this, Cyber Storm II served as a distributed exercise that allowed players around the world to exercise from their own office locations. The exercise control center was located at a DHS facility in the Washington, D.C. metropolitan area. The scenario progressed as players received “injects” via e-mail, phone, fax, in person, and exercise web sites from exercise control. Exercise play simulated adverse effects through which the participants exercised their cyber crisis response systems, policies, and procedures.
The Cyber Storm II scenario was executed by persistent, fictitious adversaries with a distinct political and economic agenda. The Cyber Storm II adversary used sophisticated attack vectors to create a large-scale incident requiring players to focus on response.
Cyber Storm II planners designed the scenario around participants’ individual and collective objectives. Planners developed the scenario over an 18-month planning process during which they interacted regularly both in person and virtually. Throughout the planning process, individual organizations and sectors refined objectives for participation in the exercise. Planners built the scenario to accommodate the objectives of the organizations and sectors participating, but not specific vulnerabilities.
Participation in Cyber Storm II included the private sector as well as federal, state, and international governments, including Australia, Canada, New Zealand, and the United Kingdom. Eleven cabinet-level agencies participated in Cyber Storm II, including the Department of Defense and Department of Justice. Nine states fully participated: California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas, and Virginia. Private sector participants were coordinated through Information Sharing and Analysis Centers, Sector Coordinating Councils, and Government Coordinating Councils. Over 40 private sector companies from four critical infrastructure sectors participated in the exercise. Through the interaction between the public and private sectors, the exercise accurately simulated the interdependencies of the world’s cyber and communications networks.
Cyber Storm II addressed the Training and Exercise requirements found in Homeland Security Presidential Directive 8 “National Preparedness.” Coordinated under the Department's National Exercise Program, Cyber Storm II supports the National Strategy to Secure Cyberspace by exercising the national cybersecurity response. It also exercised the standard operating procedures found in the draft Cyber Incident Annex of the National Response Framework.
Applying Lessons Learned
The Department is applying the lessons learned from Cyber Storm II to strengthen the nation’s cybersecurity preparedness and response mechanisms. To achieve this, the Department hosted several post-exercise conferences to discuss the findings from the exercise and finalize an After Action Report. In addition, each participating organization was responsible for assessing its own performance and developing its own plan of action for strengthening its cybersecurity.
The Cyber Storm II Final Report reviews the purpose, scope, planning and execution, scenario, and the significant findings of the exercise.
For additional information on Cyber Storm exercises, contact CEP@hq.dhs.gov.