The Department of Homeland Security’s (DHS) Office of Cybersecurity and Communications (CS&C) held Cyber Storm III (CS III), a comprehensive and dynamic cybersecurity exercise from September 27 through October 1, 2010. Cyber Storm is DHS’ capstone national-level exercise. This biennial event represents the Nation’s most extensive cybersecurity exercise of its kind and is part of an ongoing effort to assess cybersecurity preparedness; examine incident response processes, procedures, and information sharing mechanisms; and identify areas for improvement -- absent the consequences of an actual incident.
This national-level exercise included participation from eight Cabinet-level departments, 13 states, 12 international partners, and 60 private sector companies and coordination bodies. Together, these entities participated in the design, execution, and post-exercise analysis of the largest, most comprehensive government-led, full-scale cyber exercise to date.
CS III's objectives were designed to assess the Nation's response to cyber incidents. The assessment has informed our preparedness and resiliency planning, thereby strengthening the Nation's capacity to respond to a cyber incident. The exercise's specific objectives were to:
- Identify and exercise the processes, procedures, relationships, and mechanisms that address a cyber incident;
- Examine the role of DHS and its evolving National Cyber Incident Response Plan (NCIRP);
- Assess information sharing issues;
- Examine coordination and decision-making mechanisms; and
- Practically apply elements of ongoing cyber initiatives, such as the Cyberspace Policy Review and findings from past exercises.
Cyber Storm III was a distributed exercise that allowed players around the world to participate from their office locations. The exercise control center was located at a DHS facility in the Washington, D.C. metropolitan area. The scenario progressed as players received "injects" via e-mail, phone, fax, in person, and the Web. Exercise play simulated adverse effects through which the participants executed their cyber crisis response systems, policies, and procedures.
The exercise gives the cyber incident response community a safe venue to coordinate practice plans, response mechanisms, and recovery tasks. Most importantly, the exercise provided participants with the opportunity to learn about their strengths and any areas that might need improvement. Participants are incorporating those observations into operations in order to help reduce cyber risks posed to the Nation.
To create the CS III scenario, CS&C organized a Scenario Team, leveraging the engagement and technical expertise of participating operators. In collaboration, DHS and exercise participants developed CS III’s core scenario conditions and advised further scenario customization efforts throughout the planning process. The Scenario Team contributed to coordinated scenario development, creating a forum to vet, discuss, and achieve consensus on core scenario conditions to be applied to participating organizations.
The use of core scenario conditions as the basis for all targeted attacks ensured the exercise represented a comprehensive, nationally and internationally Significant Cyber Incident. In developing these specifics, team members incorporated CS III goals and objectives, previous exercise findings, and previous observations into scenario design, while still adhering to the exercise construct.
During CS III, players responded to a series of simulated, targeted attacks, resulting from compromises to the Domain Name System (DNS) and the Internet chain of trust (i.e., validity of certificates and Certificate Authorities [CAs]). Because of the reliance on DNS and the chain of trust for a wide range of Internet functions, transactions, and communications, the adversary challenged players’ ability to operate in a trusted environment, complete trusted transactions, and support critical functions. In addition, the adversary used these compromises to carry out a variety of targeted attacks against private-sector companies, select critical infrastructure sectors, public-sector enterprises, and international counterparts. The scenario construct ensured all exercise players felt the effects the core scenario created.
Cyber Storm III included participation from eight Cabinet-level departments, 13 states, 12 international partners, and 60 private-sector companies and coordination bodies. Participation focused on the information technology (IT), communications, energy (electric), chemical, and transportation critical infrastructure sectors and incorporated various levels of play from other critical infrastructure sectors. In addition, CS III included the participation of states, localities, and coordination bodies, such as Information Sharing and Analysis Centers (ISACs), and international governments to examine and strengthen collective cyber preparedness and response capabilities. During the exercise, the participant set included 1,725 CS III–specific system users.
Cyber Storm III addressed the Training and Exercise requirements found in Homeland Security Presidential Directive 8 “National Preparedness.” Coordinated under DHS’ Cyber Exercise Program (CEP), it supports the National Strategy to Secure Cyberspace by exercising the national cybersecurity response. It also exercised the interim version of the National Cyber Incident Response Plan (NCIRP) and operations at the National Cybersecurity and Communications Integration Center (NCCIC).
Applying Lessons Learned
The Department is applying the CS III observations to further strengthen the Nation’s cybersecurity preparedness and response mechanisms. To capture all relevant information in the Final Report, DHS is working in close partnership with public and private sector stakeholders. In addition to the CS III Final Report, many participants developed their own internal summary and observation reports.
The Final Report from the exercise reviews the purpose, scope, planning and execution, scenario, and significant findings of the exercise.
For additional information on Cyber Storm exercises, please contact CEP at CEP@dhs.gov.