recommended reading

DHS' Cyber Storm III to test Obama's national cyber response plan

ATLANTA -- The Homeland Security Department's third large-scale cybersecurity drill in September 2010 will test the national cyber response plan currently being developed by the Obama administration, said industry and government participants in the simulation exercise during a conference on Tuesday.

Cyber Storm III will build upon the lessons learned in the two previous exercises that took place in February 2006 and March 2008, and provide the first opportunity to assess the White House strategy for responding to a cyberattack with nationwide impact.

"The national cyber response plan will be an offshoot of a lot of the findings that came out of Cyber Storm I and II that will formalize the roles and responsibilities," said Brett Lambo, director of the cyber exercises program in DHS' national cybersecurity division. He participated on an afternoon panel at the GFirst conference in Atlanta hosted by the department's U.S. Computer Emergency Readiness Team. "It's not a direct cause-and-effect relationship, but a lot of questions bubbled up [from the exercises]," followed by the announcement along with President Obama's 60-day cyber review that a response plan should be developed.

Details of the national cyber response plan are still being finalized through weekly meetings with stakeholders from federal government and industry. An initial report is scheduled to be released in November, less than a year before Cyber Storm III kicks off, said Robert Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks, who is among the industry representatives involved in both the plan's development and the Cyber Storm exercises.

"Right now, there's arm-wresting happening -- identifying roles and responsibilities; determining what information needs to be shared, to whom and when," Dix said. "This is a fairly large group with varying levels of experience in different topical areas all making important contributions."

In the first Cyber Storm, DHS used simulated attacks to bring down parts of the Internet and test the abilities of different sectors to recover their networks. In the simulated Cyber Storm II, the Internet was used as an attack vector for spreading malicious software and other cyber threats through computer systems. DHS is now discussing with state and local government and industry what form Cyber Storm III will take.

DHS hopes Cyber Storm III will provide an opportunity to enhance methods for information sharing; better define roles and responsibilities, and bring all sectors with a stake in information security to the table to inform the effort.

"These are not technology issues; they're policy issues," Lambo said. "And these are the things we're going to try to enforce through Cyber Storm III."

Tests likely will target control systems that support the country's critical infrastructure, such as the electric grid and transportation systems, Dix said. Homeland Security also will call upon subject matter specialists to develop the manufactured cyberattacks. "With all due respect, these are some of the creepy minds that are able to conjure up these scenarios that are real world likelihoods," Dix said.

While tests in the previous Cyber Storm exercises were customized to the participating markets, with various sectors defending their computer systems against different types of attacks, DHS plans to have participants in Cyber Storm III "fighting the same fight" against a common threat that might manifest itself differently across different organizations, Lambo said. He compared the strategy to the Conficker worm, which rapidly installed malicious software on computers running the Microsoft operating system and posed a contrasting threat for critical infrastructure organizations envisioning the shut-down of services versus federal agencies fearing the loss of sensitive information.

One objective of Cyber Storm III is to harmonize the various alert level systems used in government and the private sector so that all stakeholders at least speak the same language.

"Everyone has their own alert level system in states, private sectors and federal government, but we don't have each other's criteria," Lambo said. "If someone calls and says 'We just went to alert level red,' if I don't know what red is, that doesn't mean a damn thing to me... We're trying to tackle that monster."

Homeland Security has just begun planning Cyber Storm III and is focused on encouraging early participation from the state and local communities, and private sector, including the variety of infrastructure markets.

In the long term, Dix said, the true impact of the simulation on the administration's national response plan depends on follow-through.

"A lot of recommendations that came out of Cyber Storm I and II have not been touched or acted upon," he said. "If we're serious about improving our resiliency, we need to take this seriously. My hope is that with this administration's attention, we can raise the bar through action and not just reports that we place on a shelf."

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.