U.S. testing defenses with simulated cyberattack (CNET):
The U.S. government has launched a full-scale simulated cyberattack to gauge how the country might fare in the real thing.
Sponsored by the Department of Homeland Security, Cyber Storm III kicked off yesterday for a three-day series of simulated events designed to exploit holes in the nation’s cybersecurity system.
Specifically, the exercise will “inject” more than 1,500 different types of threats to examine the ability of the people involved to prepare for cyberattacks, make the correct decisions to respond to them, and share sensitive information with the right parties.
“In Cyber Storm III, we’re kind of using the Internet to attack itself,” Brett Lambo, director of DHS’s Cyber Exercise Program, told reporters in a pre-test briefing, according to AFP. “At a certain point, the operation of the Internet is reliant on trust–knowing where you’re going is where you’re supposed to be. We’re going to try to compromise that chain of trust by attacking something that’s fundamental to the operation of the Internet.”
Lambo revealed that one of the simulations would compromise the encrypted digital certificates that verify identities online, while another would introduce issues into the DNS (domain name system) that pairs domain names with IP addresses.
Further, Cyber Storm III will incorporate certain aspects of the government’s new National Cyber Incident Response Plan, a basic blueprint to determine who does what in case of a cyberattack. It will also be Washington’s first chance to test the new National Cybersecurity and Communications Integration Center (PDF), which was set up last fall to act as a hub for coordinating cybersecurity.
Cyber Storm III will challenge a diverse group of thousands of people, including representatives from seven Cabinet-level departments along with the White House, intelligence agencies, 11 state agencies, 12 international partners, and 60 private sector companies.
U.S. mounting first test of cyber-blitz response plan (Reuters):
The United States is launching its first test of a new plan for responding to an enemy cyber-blitz, including any attack aimed at vital services such as power, water and banks.
Thousands of cyber-security personnel from across the government and industry are to take part in the Department of Homeland Security’s Cyber Storm III, a three- to four-day drill starting Tuesday.
The goals are to boost preparedness; examine incident response and enhance information-sharing among federal, state, international and private-sector partners.
“At its core, the exercise is about resiliency — testing the nation’s ability to cope with the loss or damage to basic aspects of modern life,” said a release made available at DHS’s National Cybersecurity and Communications Integration Center in Arlington.
The simulation tests the newly developed National Cyber Incident Response Plan, a coordinated framework ordered by President Barack Obama.
The plan is designed to be flexible and adaptable enough to mesh responders’ efforts across jurisdictional lines. Refinements may be made after the exercise, DHS officials said.
The test involves 11 states, 12 foreign countries 60 private companies.
Six cabinet-level departments are taking part beside Homeland Security: Defense, Commerce, Energy, Justice, Treasury and Transportation, as well as representatives from the intelligence and law-enforcement worlds.
FACT SHEET: Cyber Storm III (Department of Homeland Security):
Cyber Storm III Scenario
The Cyber Storm III exercise scenario reflects the increased sophistication of our adversaries, who have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet’s fundamental elements against itself—with the goal of compromising trusted transactions and relationships.
The scenario will incorporate known, credible technical capabilities of adversaries and the exploitation of real cyber infrastructure vulnerabilities, resulting in a range of potential consequences—including loss of life and the crippling of critical government and private sector functions.
Throughout the exercise, the goal of exercise players will be to identify, in real time, the ongoing attack and mitigate the compromises and vulnerabilities that allowed it to occur, as well as possible consequences to compromised systems. At its core, the exercise is about resiliency—testing the nation’s ability to cope with the loss or damage to basic aspects of modern life.
o Administration-Wide—Seven Cabinet-level departments including Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury, in addition to the White House and representatives from the intelligence and law enforcement communities.
o Eleven States—California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, Washington, as well as the Multi-State Information Sharing and Analysis Center (ISAC)—compared to nine states in Cyber Storm II.
o 12 International Partners—Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom—compared to four international partners in Cyber Storm II.
o 50 Percent More Private Sector Partners—We will have 60 private sector companies playing in Cyber Storm III, up from 40 in Cyber Storm II; several will participate on-site with DHS for the first time. DHS worked with representatives from the Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water Sectors as well as the corresponding Sector Coordinating Councils and ISACs to identify private sector participants.