Case Studies with Questions and Answers
Chapter 1: Cyber Storm II
Cyber Storm II (in 2008) was designed to support the strategic vision of the Department of Homeland Security (DHS) and the National Cyber Security Division (NCSD). NCSD is part of the National Protection and Programs Directorate's (NPPD) Office of Cyber Security and Communications (CS&C), and its work supports the President's National Strategy to Secure Cyberspace. The primary goal of planning and executing Cyber Storm II was to provide an arena in which to examine the processes, procedures, tools, and organizations involved in responding to a multi-sector coordinated attack conducted through, and against, the global cyber infrastructure. The exercise incorporated a wide spectrum of players representing federal, state, and international governments, interagency coordination bodies, and the private sector. The coordinated cyber attacks exercised incident response from the technical, operational, and strategic perspectives.
In 2008, a cadre of intruders leveraged their collective capabilities to mount a simulated coordinated cyber attack on a global scale. Although primary motives differed among the entities, a sophisticated network of relationships enabled the intruders to degrade Internet connectivity, disrupt industrial functions, and ultimately erode confidence in everyday communications. By generating counterfeit digital certificates, the intruders directed unknowing web users to "spoofed" websites where funds were extorted and personal information was mined. Coordinated attacks on domain name servers and telecommunications router infrastructure resulted in a distributed denial of service and unreliable telephony. Users were intermittently unable to access websites, send email, and make phone calls. Victims of the attack were forced to explore alternative methods of communication during the disruptions. The intruders' intent was to cause cascading disruptions stemming from specific, focused attacks.
As the events unfolded, law enforcement and intelligence agencies gathered information and responded as necessary. In coordination with the impacted private sector entities and other government agencies, law enforcement and the Intelligence Community worked to halt attacks and restore confidence in the Internet. All participating organizations relied on trusted relationships and forged new communications paths to share information and build and pass along situational awareness.
Cyber Storm II objectives were examined throughout the exercise planning and execution period. A number of findings from the Cyber Storm II exercise were identified, based on observations by participants and observer/controllers. This part of the case study presents the exercise's significant findings, some solutions, and supporting observations:
- Value of Standard Operating Procedures (SOPs) and Established Relationships
- Physical and Cyber Interdependencies
- Importance of Reliable and Tested Crisis Communications Tools
- Clarification of Roles and Responsibilities
- Increased Non-Crisis Interaction
- Policies and Procedures Critical to Information Flow
- Public Affairs Influence During Large-Scale Cyber Incidents
- Greater Familiarity with Information Sharing Processes
The U.S. Department of Homeland Security's (DHS) Cyber Storm exercise series (I, II and III) is part of the Department's ongoing efforts to assess and strengthen cyber preparedness, examine incident response processes in response to ever-evolving threats, and enhance information sharing among federal, state, international and private sector partners. The Cyber Storm III exercise scenario reflected the increased sophistication of intruders, who have moved beyond more familiar Web page defacements and Denial of Service (DoS) attacks in favor of advanced, targeted attacks that use the Internet's fundamental elements against itself. The goal of these attacks was to compromise trusted transactions and relationships. Throughout the exercise, the goal of exercise players was to identify, in real time, the ongoing attack and to mitigate the compromises and vulnerabilities that allowed it to occur, as well as the possible consequences to compromised systems. At its core, the exercise was about resiliency—testing the nation's ability to cope with the loss of, or damage to, basic aspects of modern life. Cyber Storm III was the first opportunity to test the new National Cybersecurity and Communications Integration Center (NCCIC). NCCIC served as the hub of national cybersecurity coordination and was inaugurated in October of 2009. Cyber Storm III findings are still being reviewed as of this writing.