The Department of Homeland Security’s Office of Cybersecurity and Communications held Cyber Storm II, a comprehensive, dynamic cyber security exercise, in March 2008. The exercise simulated a large-scale coordinated cyber attack on critical infrastructure sectors including the chemical, information technology (IT), communications, and transportation (rail/pipe) sectors.
The exercise addressed the increasingly sophisticated cybersecurity threats that both the public and private sectors face. As the Department's biennial National Cyber Exercise, Cyber Storm II sought to examine the processes, procedures, tools and organizational response to a multi-sector coordinated attack through, and on, the global cyber infrastructure. Exercise planning and execution provided the opportunity to establish and strengthen cross-sector, inter-governmental and international relationships that are critical during the exercise and in actual cyber response situations.
Cyber Storm II exercised government and private sector concepts and processes developed since Cyber Storm I.
Specific objectives of the exercise included:
- Examining the capabilities of participating organizations to prepare for, protect from, and respond to the potential effects of cyber attacks;
- Exercising strategic decision making and interagency coordination of incident response(s) in accordance with national-level policy and procedures;
- Validating information sharing relationships and communications paths for the collection and dissemination of cyber incident situational awareness, response and recovery information; and
- Examining means and processes through which to share sensitive information across boundaries and sectors, without compromising proprietary or national security interests.
Cyber Storm II was intended to act as a catalyst for assessing communications, coordination and partnerships across critical infrastructure sectors. To accomplish this, Cyber Storm II served as a distributed exercise that allowed players around the world to exercise from their own office locations. The exercise control center was located at a Department of Homeland Security facility in the Washington, D.C. metropolitan area. The scenario progressed as players received “injects” from exercise control via e-mail, phone, fax, in person, and exercise Web sites. These injects simulated adverse effects through which the participants exercised their cyber crisis response systems, policies and procedures.
The Cyber Storm II scenario was executed by persistent, fictitious adversaries with a distinct political and economic agenda. The Cyber Storm II adversary used sophisticated attack vectors to create a large-scale incident requiring players to focus on response.
Cyber Storm II planners designed the scenario around participants’ individual and collective objectives. Planners developed the scenario over an 18-month planning process during which they interacted regularly both in person and virtually. Throughout the planning process, individual organizations and sectors refined objectives for participation in the exercise. Planners built the scenario to accommodate the objectives of the organizations and sectors participating, but not specific vulnerabilities.
Participation in Cyber Storm II included the private sector as well as federal, state, and international governments, including Australia, Canada, New Zealand, and the United Kingdom. Eleven cabinet-level agencies participated in Cyber Storm II, including the Department of Defense and Department of Justice. Nine states fully participated, namely California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas and Virginia. Private sector participants were coordinated through the Information Sharing and Analysis Centers, Sector Coordinating Councils, and Government Coordinating Councils. Over 40 private sector companies from the four critical infrastructure sectors participated in the exercise. It is through the interaction between the public and private sectors that the exercise accurately simulated the interdependencies of the world’s cyber and communications networks.
Cyber Storm II addressed the Training and Exercise requirements found in Homeland Security Presidential Directive 8 “National Preparedness.” Coordinated under the Department's National Exercise Program, it supports the National Strategy to Secure Cyberspace by exercising the national cyber security response. It also exercised the standard operating procedures found in the draft Cyber Incident Annex of the National Response Framework.
Applying Lessons Learned
The Department is applying the lessons learned from Cyber Storm II to strengthen the nation’s cybersecurity preparedness and response mechanisms. To achieve this, the Department hosted several post-exercise conferences to discuss the findings from the exercise and finalize an After Action Report. In addition, each participating organization was responsible for assessing its own performance and developing its own plan of action for strengthening its cybersecurity.
The Final Report from the exercise reviews the purpose, scope, planning and execution, scenario and the significant findings of the exercise.
Download the Final Report (PDF, 21 pages - 146 KB)