
Report on "Operation Cyber Storm" exercise published

"Most of the "key achievements" listed in the report seem to relate to the planning and carrying out of the exercise itself, not in the government's actual performance during the test."

The report is here:



September 13, 2006

DHS releases Cyber Storm report

The U.S. Department of Homeland Security (DHS) released its public findings from Operation Cyber Storm, a large-scale tabletop simulation of a coordinated cyber attack on the government and critical infrastructure that was held in February, 2006.

The exercise involved US-CERT, the Homeland Security Operation center as well as the National Cyber Response Coordination Group (NCRCG) and the Interagency Incident Management Group (IIMG), various ISACs from the transportation, energy, IT and telecommunications sectors, and 100 private sector companies including Microsoft and VeriSign.

The report was released by DHS's National Cyber Security Division (NCSD) Wednesday, and while no performance "grade" was assigned, read between the lines of the public report and the term "Needs Improvement" comes to mind.

The exercise simulated a large-scale cyber campaign that disrupts multiple critical infrastructure, as well as simulated "physical demonstrations and disturbances" to test the ability of government to respond to multiple incidents simultaneously, even when it's not clear that the events are related (read: 9/11).

So how'd our government do? Not so well.

Among other things, the report found that the NCRCG did not have sufficient technical experts on staff to respond to the volume of incidents. "As a result, development of an accurate situational picture was challenging, albeit in part due to the difficulty of the scenario."

That's kind of like saying "If the test was just easier, I would have done better!"

In fact, some aspects of the report eerily recall the Government's flawed response to Katrina -- a disaster that actually postponed the Cyber Storm Exercise by months.

According to DHS, "observers noted that players had difficulty ascertaining what organizations and whom within those organizations to contact when there was no previously established relationship or pre-determined plans for response coordination and risk assessments/mitigation. There was a general recognition of the difficulties organizations faced when attempting to establish trust with unfamiliar organizations during time of crisis."

Or how about this one:
"Contingency planning for backup or resilient communications methods is a critical need. While only tested for a few players during the exercise, many players noted a high reliance of cyber incident response activities on communication systems that can be, themselves, vulnerable to attack or failure."

So if Cyber Storm was designed to assess the U.S. government's readiness to respond to a coordinated physical and cyber attack on critical infrastructure, the conclusion of this report may be that such an attack, if launched, may well succeed. From the report:

"Exercise participants noted the overwhelming effects that multiple, simultaneous, and coordinated incidents had on their response activities."


"The majority of players reported difficulty in identifying accurate and up-to-date sources of information. Multiple alerts on a single issue created confusion among players, making it difficult to establish a single coordinated response. Players noted that the concept of a single point for information would enable a common framework for all to work from and likely increase effective response."

To be fair, the exercise wasn't a total wash. As DHS points out, just carrying off such a large-scale private-public and multinational exercise allows the government to test policies, procedures and communications should an actual attack occur. It also created vital contacts within the federal government and between private and public sector participants.

However, the larger message is that the Federal Government and DHS in particular are still woefully unprepared for a real "Cyber Storm," should it ever come.

Most of the "key achievements" listed in the report seem to relate to the planning and carrying out of the exercise itself, not in the government's actual performance during the test.

That's like Derek Jeter claiming his key achievement in last night's game was putting his uniform and cleats on and making it to the ballpark. I don't think so.

At the very least, the government needs to find a central body to coordinate response. Right now, it looks like they've got two in name: National Cyber Response Coordination Group (NCRCG) and the Interagency Incident Management Group (IIMG). The reality on the ground may be different still. The feds also need more technical staff, and a scaled up capability to do triage on emerging incidents.

Or, as DHS says: "Clarifying roles and responsibilities across government, and clearly articulating expectations between public and private sectors will enable the advancement of processes and communications architecture to support the development and maintenance of situational awareness across sectors."

Posted by Paul Roberts on September 13, 2006 10:17 AM
