Cyber Storm II
Vijay Mukhi
In order to deal with the threat of cyber-warfare, governments worldwide must take an active role in simulating actual cyber attacks. Cyber Storm is one such exercise led by the U.S. government, which brings together the good and the bad guys on the Internet, with the government drawing critical lessons about what it should do to protect its critical infrastructure.
In many places in the world, laws and regulations require organizations of any size to exercise their disaster control management systems at least once a year, for example by holding drills to test preparedness for incidents like fire. In the same way, pilots train rigorously on flight simulators, which attempt to recreate a variety of emergency situations so that they can practice and become familiar with the actions to be taken should such emergencies occur. Finally, let’s not forget that a soldier’s ability to perform on the battlefield is judged largely via the use of mock exercises and war games.
The U.S. government has taken this process a step further. The country is renowned for technical innovations that are responsible for the development of the infrastructure that today we call “the Internet.” At a very rapid pace, the U.S. has automated business processes in both the private and public sectors by moving them online. The nation’s basic infrastructure, for example in the transportation sector, is controlled remotely as well. Their networking is world class and they remain unbeatable, as always. However, the government realized, if not too late, that it was not prepared for a major cyber attack targeted toward public and private sector systems. They were completely unprepared and clueless as to how to handle cyber disasters. What if a “cyber Katrina” were to hit their networks or a cyber war was launched?
Is Cyber Storm a Game?
To tackle these virtual war-like scenarios, the U.S. government, basically the National Cyber Security Division of the U.S. Department of Homeland Security, launched its first cyber exercise between February 6 and February 10, 2006. It was a simulation of cyber attacks and the focus was on air transportation. Call it a game or war, its purpose was to assess the government’s preparedness to avert cyber disasters. This event was called Cyber Storm I and the cost of conducting it was about 3 million U.S. dollars.
The data sheet of this exercise is available at http://www.dhs.gov/xnews/releases/pr_1158340980371.shtm. The documentation, which is over 350 pages in length, details the lessons learned from the attacks. The most important revelation was the level of unpreparedness of the U.S. government to deal with such cyber attacks.
There is a very interesting site called homelandstupidity.us, which has put up the leaked report as a series of PowerPoint slides at http://www.homelandstupidity.us/documents/cyberstorm.ppt.
Simulating Cyber Attacks
The entire Cyber Storm event was a simulation of attacks involving two groups of people: the planners who planned the attack vectors and the players who “played the game.” The planners monitored the players’ activities when involved in simulations of real life situations. The simulations were devised in such a way so as to be similar in terms of threat level to those, for example, involving many persons on the no-fly list entering U.S. airports, planes flying too close to the White House, or railway switches failing all over the country. There were simulations of hackers breaking into the airline networking systems, of commercial software blueprints being stolen, satellite navigation systems failing, police radio signals being tampered with, and virus attacks on computers at border checkpoints, etc.
These are extremely creative simulations of various online activities, where one set of players impersonate the cyber attackers, or a terrorist group planning to wage a cyber war and the other group defends the infrastructure of the country. The villains in these events are obviously the hackers, the bloggers who paint all sorts of doomsday pictures, and reporters who create panic with regard to events that may never occur. The guardians have to focus on defending critical infrastructure like transportation, chemical processing, and the obvious information technology and communications during the storm.
The storm uses virtually all communication channels, including websites, e-mail, chat, SMS, phones, faxes, and radio signals, to attack and defend. More than 300 players participated in the first event and exchanged 21,000 e-mails, which simply proves the seriousness and depth at which the participants worked.
Cyber Storm II – A Global Activity
Two years later, the United States of America along with 18 U.S. federal agencies and over 40 private sector companies launched Cyber Storm II between March 10 and 14, 2008. The federal agencies, led by the Department of Homeland Security, included the Department of Justice, the FBI, etc. It was supported by IT industry companies like Microsoft, VeriSign and McAfee, and non-IT industry players like Dow Chemicals, etc. Moreover, four countries – the U.K., Australia, New Zealand and Canada – supported this U.S.-led event. There was a simulation of real-life cyber war. Developing the scenarios for these cyber war games took over 18 months of hard work and cost over 8.2 million U.S. dollars. This cyber storm was played out in a basement in Washington, but people participated from all over the world.
In the recent past, there have been cyber attacks on power stations and grids and the Pentagon has condemned them vehemently. Therefore, the U.S. Congress has mandated a Cyber Storm event once every two years. The goal of these war games is to verify the preparedness of the security infrastructure of the U.S. Government should a large-scale cyber attack occur.
The private sector owns 85% of the critical infrastructure in the U.S. Most of the telecommunications infrastructure in different countries is also with the corporate sector. Hence, the next generation of wars will not simply be waged among governments but will involve the private sector. The next Cyber Storm will be held in the year 2010 and will involve more countries than ever. These countries will naturally be the allies of the U.S.
Summary
If the U.S. is not ready for a global cyber attack, then other countries are obviously not prepared either. Most large cities today rely heavily on technology for their management and control; if these systems are disrupted, there will be chaos everywhere. To bring a city to its knees, hackers simply have to hack into a number of machines handling the city’s vehicle traffic, electricity, water and other utilities.
On the Internet, the hackers have their own network. They use technology effectively to share knowledge of exploits. It takes only seconds for a newly discovered exploit to spread to all corners of the Internet. There is a commercial interest now in hacking which involves the selling of exploits. Unfortunately, the good guys live in airtight silos and for the most part do not communicate with one another. As a result, when the largest ever cyber war games happen, the simulations are kept hidden and only select countries are allowed to participate. What’s more, the government has not disclosed its findings publicly. The “outcast countries” now have to reinvent the wheel in order to be able to train their people in the same defense mechanisms.
Every country must bear in mind that a cyber war will be a global event, and if they are not prepared, they will be sitting ducks watching the disaster unfold. It is in their interest to ask for participation in events like Cyber Storm or to stage such events of their own in their homeland.



