Cyber Storm III uses Internet to attack itself

Tuesday - 9/28/2010, 7:00am EDT

WFED's Max Cacas


Inside the National Cybersecurity and Communications and Integration Center, Sept. 27, 2010. WFED photo by Max Cacas.

By Max Cacas
Reporter
Federal News Radio

In places like Arlington, Va.; Washington, D.C.; across the U.S. and around the world, a global cybersecurity exercise is underway, designed to test the limits not only of the "network of networks," but also of the ingenuity of the people charged with protecting it.

Welcome to Cyber Storm III.

This is the third time that the Department of Homeland Security, in conjunction with other federal agencies, is holding this global cybersecurity exercise. Previous Cyber Storm exercises were conducted in 2006, and again in 2008. For the first time, DHS will manage its response to Cyber Storm III from its new National Cybersecurity and Communications and Integration Center.

Normally, this facility, located in a nondescript office building in Arlington, is classified and closed to the public. But the NCCIC recently opened its doors for an inside look to let DHS officials brief the media on Cyber Storm III, a worldwide cybersecurity response exercise that has been underway since late Monday.

Brett Lambo, the director of the Cybersecurity Exercise Program with DHS's National Cybersecurity Division, is the architect, or game master, for this global cybersecurity exercise.

"The overarching philosophy," he told reporters in a recent briefing at the NCCIC, "is that we want to come up with something that's a core scenario, something that's foundational to the operation of the Internet."

Cyber Storm III includes many players in places across the U.S. and around the world:

  • Seven federal departments: Homeland Security, Defense, Commerce, Energy, Justice, Treasury and Transportation.
  • Eleven states: California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, Washington, plus the Multi-State Information Sharing and Analysis Center (ISAC). This compares with nine states that participated in Cyber Storm II.
  • Twelve international partners: Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom (up from four countries that participated in Cyber Storm II).

DHS officials also say 60 private sector companies will participate in Cyber Storm III, up from 40 that participated in Cyber Storm II. The firms span the banking and finance, chemical, communications, defense industrial, information technology, nuclear, transportation and water sectors.

Lambo said that, to preserve the exercise's value as a vigorous test of cybersecurity preparedness, the exact details of the scenario that participants will deal with over the next three days are secret. However, he did share some of the broad parameters of the scenario he helped write, and which he will administer.

"In other exercises, you do have specific attack vectors; you have a denial of service attack, you have a website defacement, or you have somebody dropping a rootkit," he said. "But we wanted to take that up a level to say, 'All of those things can still happen, and based on what you do, if you're concerned about the availability of infrastructure, we can look at what happens when the infrastructure is unavailable.'"

Lambo said another way to look at the scenario is that it builds upon what they learned from previous exercises.

"In Cyber Storm I, we attacked the Internet, in Cyber Storm II, we used the Internet as the weapon, in Cyber Storm III, we're using the Internet to attack itself," he said.

Lambo added that, under normal circumstances, the Internet operates based on trust that a file, or a graphic, or a computer script is what it says it is, and comes from a trusted source. But what if that source was not what it said it was, or the source had malicious intent?

"What we're trying to do is compromise that chain of trust," he said, further explaining in broad strokes the Cyber Storm III exercise scenario.

Lambo and his colleagues at the Cyber Storm control center also will introduce new, and hopefully unexpected, conditions to the scenario to further test participants.

"We have the ability to do what we call dynamic play," he said. "If we get a player action coming back into the exercise that is either different from what we expected it to be, if it's something we'd like to chase down further, or if it's something we'd like to pursue, we have the ability to write injects on the fly."

He said those injects could include new attacks.

The Cyber Storm exercise will be conducted primarily using secure messaging systems like e-mail or text messages to relay injects to participants, and the simulated attacks are not being conducted over a live or a virtual network now in operation on the Internet, he said.