US flag signifying that this is a United States Federal Government website   Official website of the Department of Homeland Security

Homeland Security

Cyber Storm: Securing Cyber Space

Cyber Storm, the Department of Homeland Security’s biennial exercise series, provides the framework for the most extensive government-sponsored cybersecurity exercise of its kind.

Congress mandated the Cyber Storm exercise series to strengthen cyber preparedness in the public and private sectors. Securing cyber space is the Office of Cybersecurity and Communication’s top priority.

Cyber Storm participants perform the following activities:

  • Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects;
  • Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures;
  • Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and
  • Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.

Each Cyber Storm builds on lessons learned from previous real world incidents, ensuring that participants face more sophisticated and challenging exercises every two years.

Cyber Storm IV

Cyber Storm IV is the fourth installment of the Cyber Storm exercise series.  The series is part of the Department of Homeland Security’s ongoing effort to assess and strengthen cyber preparedness, examine incident response processes in response to ever-evolving threats, and enhance information sharing among Federal, state, international, and private sector partners.  Through these efforts, the cyber incident response community improves both their capabilities and response processes, thus bolstering the nation’s cyber resilience.  Cyber Storm IV consists of individual, building block exercises at the Federal, state, and international level that provide the cyber incident response community with the opportunity to design focused events that evaluate specific capabilities.

State Exercises

State exercises are two-day tabletop events where representatives from a variety of state departments and agencies assess their cyber response plans.  They identify and simulate how to engage elements across state governance, as well as cybersecurity partners such as law enforcement entities and the private sector.  Throughout the event, participants can validate policies, plans, and procedures that enable response, recovery, and continuity of operations.  Players, planners, and observers represent a variety of positions, including technical and non-technical staff, emergency managers, public affairs representatives, and leadership.  Through CS IV, DHS designed, conducted, and evaluated exercises for seven states including:  Maine, Oregon, Washington, Idaho, Missouri, Mississippi, and Nevada.

International Exercise

The National Cybersecurity and Communications Integration Center (NCCIC) sponsored the International Watch and Warning Network (IWWN) Exercise on March 20-21, 2013.  Eleven of the fifteen IWWN nations participated in the distributed, functional event.  The participating nations included: Australia, Canada, France, Germany, Hungary, Japan, The Netherlands, Norway, Sweden, Switzerland, and the United States.  The session featured a distributed exercise control (ExCon), with ExCon members located at operational centers across the world.  Participants examined the IWWN’s common plans, standard operating procedures, policies, and capabilities necessary to ensure the security of the interdependent global cyber infrastructure and, where applicable, applied lessons learned from Cyber Storm III, conducted in September 2010.  The scenario engaged operational staff, such as civil computer emergency response teams (CERTs) and policy-level stakeholders within the IWWN.  The IWWN member nations participated at varying levels; some organizations participated continuously (24x7), and others participated solely during their respective normal operating hours.


During CS IV: Evergreen, DHS used a controlled environment to observe and evaluate a simulated cyber-attack targeting infrastructure at the local level; focusing on escalation from internal discovery and communication to national and international information sharing. Evergreen engaged hundreds of players from the private sector, state and local entities, and the Federal Government in operational play. The exercise used a distributed, functional concept where players participated from their normal work locations and received injects containing details of simulated attacks. Players then responded according to established policy and procedure, using normal communication means. Participants successfully executed the exercise from November 19-21, 2013, at distributed player locations in the State of Washington and the National Capital Region (NCR). Overall, these efforts have and will continue to enable DHS and its partners to increase their overall cyber preparedness and the resiliency of critical infrastructure.  The results of the exercises and the ongoing planning activity have greatly improved the readiness and response times in responding to any cyber incident impacting the nation’s critical infrastructure.

Overall, these efforts have and will continue to enable DHS and its partners to increase their overall cyber preparedness and the resiliency of critical infrastructure.  The results of the exercises and the ongoing planning activity have greatly improved the readiness and response times in responding to any cyber incident impacting the nation’s critical infrastructure.

Download the Full Report

Cyber Storm III: September 2010

Cyber Storm III built upon the success of previous exercises; however, enhancements in the nation's cybersecurity capabilities, an ever-evolving cyber threat landscape and the increased emphasis and extent of public-private collaboration and cooperation, made Cyber Storm III unique.

  • National Cyber Incident Response Plan
    Cyber Storm III served as the primary vehicle to exercise the newly-developed National Cyber Incident Response Plan (NCIRP) - a blueprint for cybersecurity incident response - to examine the roles, responsibilities, authorities, and other key elements of the nation's cyber incident response and management capabilities and use those findings to refine the plan.
  • Increased Federal, State, International and Private Sector Participation
    • Administration-Wide - Eight Cabinet-level departments including Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury, in addition to the White House and representatives from the intelligence and law enforcement communities.
    • Eleven States - California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, Washington, as well as the Multi-State Information Sharing and Analysis Center (ISAC) - compared to nine states in Cyber Storm II.
    • 12 International Partners - Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom - compared to four international partners in Cyber Storm II.
    • 50 Percent More Private Sector Partners - We will have 60 private sector companies played in Cyber Storm III, up from 40 in Cyber Storm II; several will participate on-site with DHS for the first time. DHS worked with representatives from the Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water Sectors as well as the corresponding Sector Coordinating Councils and ISACs to identify private sector participants.

Cyber Storm II: March 2008

  • Involves 5 countries (Australia, Canada, New Zealand, United Kingdom, United States); 18 federal cabinet-level agencies (Department of Defense, State Department, Department of Justice, etc.); 9 states (Pennsylvania, Colorado, California, Delaware, Texas, Illinois, Michigan, North Carolina, and Virginia); and over 40 private sector companies (Juniper Networks, Microsoft, McAfee, Cisco, NeuStar, The Dow Chemical Company, Inc., PPG Industries, ABB Group, Air Products & Chemical Inc., Nova Chemical, Wachovia, etc.);
  • Affected 4 infrastructure sectors including chemical, information technology, communications and transportation (rail/pipe) and used 10 Information Sharing and Analysis Centers;
  • Exercised the processes, procedures, tools, and organizational response to a multi-sector coordinated attack through, and on, the global cyber infrastructure;
  • Allowed players to exercise and evaluate their cyber response capabilities to a multi-day coordinated attack and to gauge the cascading effects of cyber disasters on other critical infrastructures, shaping response priorities; and
  • Exercised government and private sector concepts and processes developed since Cyber Storm I, requiring great interaction and coordination at the strategic, operational, and tactical levels.
  • More on Cyber Storm II

Cyber Storm I: February 2006

  • First government-led full-scale cyber exercise;
  • Included over 115 organizations, including federal, state and local governments, and the private sector;
  • Featured four sectors: information technology, communications, energy and transportation (air); and
  • Allowed participants to respond to a variety of cyber and communications degradations and simulated attacks against critical infrastructures and to collaborate at the operational, policy and public affairs levels.
  • More on Cyber Storm I
Last Published Date: June 17, 2015
Back to Top