The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency, Cybersecurity Division held Cyber Storm III, a comprehensive and dynamic cybersecurity exercise, September 27 through October 1, 2010. Cyber Storm is DHS’s capstone national-level exercise. This biennial event represents the nation’s most extensive cybersecurity exercise of its kind and is part of an ongoing effort to assess cybersecurity preparedness; examine incident response processes, procedures, and information sharing mechanisms; and identify areas for improvement absent the consequences of an actual incident.
Cyber Storm III included participation from eight Cabinet-level departments, 13 states, 12 international partners, and 60 private sector companies and coordination bodies. Together, these entities participated in the design, execution, and post-exercise analysis of the largest, most comprehensive government-led, full-scale cyber exercise to date.
Cyber Storm III's objectives were designed to assess the nation's response to cyber incidents. The assessment informed DHS's preparedness and resiliency planning, thereby strengthening the nation's capacity to respond to a cyber incident.
The exercise's specific objectives were to:
- Identify and exercise the processes, procedures, relationships, and mechanisms that address a cyber incident;
- Examine the role of DHS and its evolving National Cyber Incident Response Plan (NCIRP);
- Assess information sharing issues;
- Examine coordination and decision-making mechanisms; and
- Practically apply elements of ongoing cyber initiatives, such as the Cyberspace Policy Review and findings from past exercises.
Cyber Storm III was a distributed exercise that allowed players around the world to participate from their office locations. The exercise control center was located at a DHS facility in the Washington, D.C. metropolitan area. The scenario progressed as players received "injects" via e-mail, phone, fax, in person, and exercise web sites from exercise control. Exercise play simulated adverse effects through which the participants executed their cyber crisis response systems, policies, and procedures.
The exercise gave the cyber incident response community a safe venue to coordinate practice plans, response mechanisms, and recovery tasks. Most importantly, the exercise provided participants with the opportunity to learn about their strengths and any areas that might need improvement. Participants are incorporating those observations into operations in order to help reduce cyber risks posed to the nation.
To create the Cyber Storm III scenario, DHS organized a Scenario Team, leveraging the engagement and technical expertise of participating operators. In collaboration, DHS and exercise participants developed Cyber Storm III’s core scenario conditions and advised further scenario customization efforts throughout the planning process. The Scenario Team contributed to coordinated scenario development, creating a forum to vet, discuss, and achieve consensus on core scenario conditions to be applied to participating organizations.
The use of core scenario conditions as the basis for all targeted attacks ensured the exercise represented a comprehensive national and internationally Significant Cyber Incident. In developing these specifics, team members incorporated Cyber Storm III goals and objectives, previous exercise findings, and previous observations into scenario design while still adhering to the exercise construct.
During Cyber Storm III, players responded to a series of simulated, targeted attacks, resulting from compromises to the Domain Name System (DNS) and the Internet chain of trust (i.e., validity of certificates and Certificate Authorities). Because of the reliance on DNS and the chain of trust for a wide range of Internet functions, transactions, and communications, the adversary challenged players’ ability to operate in a trusted environment, complete trusted transactions, and support critical functions. In addition, the adversary used these compromises to carry out a variety of targeted attacks against private sector companies, select critical infrastructure sectors, public sector enterprises, and international counterparts. The scenario construct ensured all exercise players felt the effects the core scenario created.
Cyber Storm III included participation from eight Cabinet-level departments, 13 states, 12 international partners, and 60 private-sector companies and coordination bodies. Participation focused on the information technology (IT), communications, energy (electric), chemical, and transportation critical infrastructure sectors and incorporated various levels of play from other critical infrastructure sectors. In addition, Cyber Storm III included the participation of states, localities, and coordination bodies, such as Information Sharing and Analysis Centers (ISACs) and international governments to examine and strengthen collective cyber preparedness and response capabilities. During the exercise, the participant set included 1,725 Cyber Storm III–specific system users.
Cyber Storm III addressed the Training and Exercise requirements found in Homeland Security Presidential Directive 8 “National Preparedness.” Coordinated under DHS’s Cyber Exercise Program, Cyber Storm III supported the National Strategy to Secure Cyberspace by exercising the national cybersecurity response. It also exercised the interim version of the National Cyber Incident Response Plan (NCIRP) and operations at the National Cybersecurity and Communications Integration Center (NCCIC).
Applying Lessons Learned
The Department is applying the Cyber Storm III observations to further strengthen the nation’s cybersecurity preparedness and response mechanisms. DHS worked in close partnership with public and private sector stakeholders to capture all relevant information in the Final Report. In addition to the Cyber Storm III Final Report, many participants developed their own internal summary and observation reports.
The Cyber Storm III Final Report reviews the purpose, scope, planning and execution, scenario, and the significant findings of the exercise.
For additional information on Cyber Storm exercises, contact CEP@hq.dhs.gov.