The ability to share critical information between public and private sectors during a cyberattack remains a challenge, due in part to inconsistent procedures used by companies and agencies to respond to threats, according to those who participated in a recent simulation of an international cyberattack.
Comment on this article in The Forum.The exercise, called Cyber Storm II and which the Homeland Security Department staged in March, was the largest exercise of its kind, involving more than 40 companies, 18 agencies, nine states and five countries. A panel of participants discussed lessons learned from the exercise during the RSA security conference in San Francisco this week.
"Information sharing is still critical," said Randy Vickers, associate deputy director within the DHS national cybersecurity division of the U.S. Computer Emergency Readiness Team. "We're not doing well at this across sectors."
As part of the exercise, participants responded to simulated threats launched through e-mails, phone, faxes, Web sites and in-person contacts. They then were expected to implement internal crisis response systems and follow policies and procedures to deal with the attacks, which crippled control systems, telephone and Internet service. The ability to communicate across industries is critical, the panel said, because the attacks can affect different kinds industries, agencies and operations.
Before organizations can share information, officials must improve protocols for responding to cyber threats.
"[We] need to integrate communication around cybersecurity within companies," said Christine Adams, a senior information systems manager with Dow Chemical Co. Ten chemical companies participated in Cyber Storm II. No chemical company participated in the first Cyber Storm exercise held in February 2006.
"When the DHS threat level changed, some individuals said, 'So what?'…And when [systems were] compromised, people looked around and said, 'Who has the [authority] to gain access?'" Adams said. "The time of crisis is not the time to find that information out."
DHS won't release the after-action report with detailed analysis of Cyber Storm II results until the end of the summer.