National Level Exercise 2012 Will Focus on Cyber Attacks Against Critical Infrastructure
April 10, 2012

A slide from a FEMA presentation describes some of the key details regarding National Level Exercise 2012.
Public Intelligence
Rather than combating natural disasters or a nuclear detonation in a major U.S. city, this year’s National Level Exercise will focus on cyber threats to critical infrastructure and the “real world” implications for government and law enforcement of large-scale cyber attacks. National Level Exercise 2012 (NLE 2012) is scheduled to take place in June and will involve emergency response personnel from at least thirteen states, four countries, nearly every major governmental department as well as a number of private companies, non-governmental organizations, institutions of higher education and local fusion centers. The exercise will span four FEMA regions and will include scenarios affecting the National Capital Region.
Past NLEs have focused primarily on threats related to terrorism or catastrophic natural disasters. NLE 2010 focused on the hypothetical detonation of an improvised nuclear device (IND) in Las Vegas. NLE 2011 concerned a massive earthquake occurring in the New Madrid Seismic Zone. NLE 2012 will be the first exercise in the series to concern itself primarily with cyber threats. A private sector participant guide released by FEMA states that NLE 2012 “will address cyber and physical response coordination, including resource allocation . . . emergency assistance and disaster relief resources, relative to a cyber event with physical effects.” Another presentation from FEMA adds that the exercise will evaluate government “roles and responsibilities in coordinating national cyber response efforts and their nexus with physical response efforts.”
While the exact scenario for NLE 2012 is not known, the “high level” goals include simulating a situation where there is an “ambiguous threat landscape with multiple adversary types” that produces “physical impacts resulting from cyber attack and cascading effects” that threaten “critical commercial logistics and data, industrial control systems, and associated operations.” NLE 2012 will be unique in that there “will be an emphasis on the shared responsibility among the Federal Government; state, local, tribal nations, and territories; the private sector; and international partners to manage risk in cyberspace and respond together to a cyber event with national consequences.” Due to the “sensitivity of the exercise scenario and the related private sector concerns in terms of media exposure” FEMA has made it clear that the names of private sector participants will not be publicly released.
The exercise will occur amidst a growing climate of panic in Washington regarding the state of U.S. cybersecurity. The FBI’s top cybersecurity official recently resigned stating that the U.S. is fighting a losing war against hackers: “I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.” Former government officials are advocating U.S. Customs “inspect what enters and exits the United States in cyberspace” and calling for prompt action on multiple pieces of cybersecurity legislation passing through the House and Senate.
NLE 2012’s goal of examining physical effects of cyber attacks underscores a comment recently made by the director of the FBI that the “cyber threat” will soon replace terrorism as the country’s highest national security priority. In March, a multi-agency exercise that included the FBI and NSA simulated a cyber attack capable of crippling the New York power grid during a summer heat wave. Last September, the Department of Homeland Security issued a warning to members of the “critical infrastructure community” that the hacktivist group Anonymous had expressed interest in industrial control systems. Computer security researchers have also recently demonstrated a number of techniques for attacking computer systems used in critical infrastructure that reportedly resemble the Stuxnet virus responsible for disrupting Iran’s nuclear program in 2010.
Related Material From the Archive:
- FEMA National Level Exercise 2012 Private Sector Participant Guide
- DHS Coordinates National Level Exercise to Prevent Terrorist Attacks with Federal, State, Local Tribal, Private Sector, and International Partners
- (U//FOUO) FEMA National Level Exercise 2012 Overview Presentation
- National Level Exercise 2010 (NLE 10) Begins Monday
- National Level Exercise 2010 (NLE 10) Exercise Overview
- National Level Exercise 2011 Draft Planning Overview
- (U//FOUO) FEMA National Level Exercise 2011 Overview Presentation
- FEMA Requests Removal of National Level Exercise 2010 (NLE 10) Document

FEMA, “implications of cyber attacks”? You just wasted a lot of money on scare lore.
Person who knows what he is talking about here:
1. Damage from hacks is avoidable with common sense about blocking unused ports, not opening strange executables, caution about what is downloaded and installed, utilization of suitable encryption with suitable algorithm and key size where appropriate for use. You could even run around for years with a way out of date antivirus or no antivirus at all, and never get infected if you simply learn how to spot malware before it is installed. Almost all malware requires some input from the user of some sort to infect your system, and must use a trick to bamboozle you into providing it. Common sense and education about common baiting techniques prevents gullible folks from falling for this.
2. ‘Damage’ from ‘DDOS’ “Attacks” is easily mitigatable via instituting proper network timeouts and settings, and making sure your equipment is actually worth half a penny. Far from the hype about LOIC type tools, LOIC and similar applications are a rather crude technique that is akin to a glorified version of a script designed to sit on a page and click “Refresh” from the browser a thousand times per minute. In other words, LOIC et al. work through ping floods and normal connections to a site, and cause jams by simply causing thousands and thousands of these connections at once. This will cause any el cheapo networking hardware and software to seize up due to stress, resulting in dependent systems experiencing a temporary cease of functionality.
3. Damage from ‘cracking’ into a system is avoidable by using gibberish strings of 20 characters or more as a password, changing passwords every two to three weeks, and by complete avoidance of the practice of storing the passwords in any electronic form, encrypted or not. If they must be stored, use Serpent as the encryption algorithm, not AES.
4. The *means* by which “hacks” are made to gain access to a system are the same all across the board, there is no “China has more advanced hacking techniques than the equally educated college nerd down the street”. Hacking techniques are more or less the same, the only things which make one hacker more “powerful” than another is how many of these techniques the hacker in question knows how to use, and how proficient he is at employing them. So no, FEMA/USG, you cannot assume it is a superpower nation that is hacking you just because someone got through your “advanced firewall”. Anonymous may be “crude”, but that does not mean all basement dwellers lack “finesse”.
5. *Techniques for AVOIDING hacks are the same across the board as well.* Hackers with “finesse” require the same sorts of weaknesses and openings in order to gain access as do “script kiddies”. You will increase the difficulty level of China gaining access to your systems just as much as you would make it hard for a script kiddie just by following my advice above. China is just hackers like anyone else does it, they just have a lot more people hacking at once. Hackers depend largely on error and stupidity of system administrators and human mistake, and there is no hacker for which this *isn’t* *very important*. Simply increasing the competence of your staff and following common sense (and don’t pretend that you already do, because if you did you would not have made this wasteful report) will do a *LOT* toward keeping out hackers of any sort, stripe or ability.