The “Cyber Storm” War Game
I recently read with great interest a news item that covered a gigantic “Cyber Storm” war game that transpired approximately two years ago. The US Department of Homeland Security, in cooperation with the Pentagon, Justice Department, State Department, National Security Agency, and CIA, conducted a detailed simulation of three categories of massive disasters: computer attacks, physical attacks and psychological subversion attempts. Participants included employees of the US government and the private sector within the US as well as others from countries such as Australia, England, and Canada. Scenarios included unauthorized access to airline computers, a breakdown of police communications systems in one city, hundreds of individuals on “no fly” lists arriving at airport check-in counters at approximately the same time, commercial software blueprints being stolen, computer failures at border checkpoints, computer blackouts at New York Harbor ports, and many others. Observers generally rated the participants’ performance as fair or sometimes better.
Conducting exercises such as the “Cyber Storm” War Game seems like an exceptionally good idea in that incident response testing too often is ineffective because those who must engage in incident response efforts lack hands-on incident response experience. Paper-and-pencil tests and tabletop walkthroughs are better than nothing when it comes to testing incident response procedures and affording some level of familiarity with the nature of incidents and the types of responses that are appropriate. But these tests and walkthroughs simply do not go far enough when it comes to the realism dimension. Scenario playing is the obvious solution, but for a variety of reasons, lack of knowledge and lack of resources in particular, many organizations never engage in this activity. Catastrophes such as the ones in the scenarios to which participants in the massive war game responded are bound to happen some day, perhaps soon, given the crazy, topsy-turvy world in which we live. The experience that the participants gained is likely to be closest to what they will actually experience when they have to deal with large-scale catastrophic incidents. Additionally, participating in the scenarios enabled organizations to find missing or inappropriate steps in their incident response procedures so that both could be corrected and/or updated. Procedures, after all, are not really validated until they can actually be successfully performed under real-world or near real-world conditions.
Most organizations do not have the time and resources to hold exercises of the magnitude of the war game that occurred several years ago. They can, however, benefit considerably by obtaining information about the one that was held. Obtaining this information was at first nearly impossible, as the government for obvious reasons held on tightly to this information for a long time after the termination of the war game. The Associated Press ultimately won in its efforts to obtain this information through the Freedom of Information Act, opening the door for this information’s widespread dissemination. And if you missed the last war game, stay tuned—the US government has announced that it is going to hold another one soon.