This is pretty interesting – US, UK, Canada, Australia and New Zealand are taking part in a fictitious cyberwar as an exercise to prepare and plan for sustained cyber attacks, some of which have actually caused power outages.
I personally think it’s a great idea. I must have missed Cyber Storm I, as this is the first time I’ve heard about this program.
Participants of Cyber Storm II, which also include about 40 private-sector companies, will enact a scenario in which “persistent, fictitious adversaries” launch an extended attack using websites, email, phones, faxes and other communications systems. Other countries involved are Australia, New Zealand and Canada.
Cyber Storm II comes two weeks after the Pentagon released an assessment of China’s military might, warning the People’s Liberation Army was intent on expanding its capabilities for cyber warfare. It also comes amid intelligence reports that utilities in several countries have sustained cyber attacks that caused power outages.
It seems to be something like Business Continuity Planning for malicious attacks. It’s definitely a healthy exercise and it will teach a lot of people what it’s really like to be under pressure from a serious and persistent attack. That’s making a hefty assumption that those attacking really know what they are doing…I somehow doubt they can emulate a large-scale DDoS attack from a huge botnet.
Companies including Cisco, Juniper Networks, Dow Chemical, Air Products & Chemical and Wachovia are participating. Nine US states and at least 18 federal agencies are also involved. They represent the chemical, information technology, communications and transportation industries, which are considered critical parts of the infrastructure. The US Department of Homeland Security is hosting the event – no doubt with danishes and plenty of Starbucks coffee.
The exercises are designed to sharpen and assess participants’ ability to respond to a multi-day, coordinated attack and better understand the “cascading effects” such attacks can have.
There are some pretty heavy players involved, like Cisco and Juniper, so they should know what they are doing.
I do hope it leads to some knowledge, procedures and experience essential to defending against cyber terrorism.
Source: The Register
James C says
You can’t have a Mock Cyber Attack. This whole thing is like me telling a client company “Ok, tell your tech boys I
Ian Kemmish says
I seem to remember seeing some coverage of Cyber Storm I in the traditional media. As I recall, some of the commercial targets decided that attack was the best form of defence, and made strenuous and partially successful efforts to take out the machines that were attacking them.
The public sector people in charge were said to have scolded these companies for their initiative, claiming that it was “contrary to the spirit of the exercise”….
zupakomputer says
Mmm, isn’t there a stupid law in cyberspace that’s like the stupid laws in meatspace, whereby you aren’t allowed to attack, or spy on, someone else that is attacking you, without it being considered that you’re the aggressor rather than it being seen for what it is – removing a threat and / or identifying it.
‘contrary to the spirit of the exercise’ seems to be entrenched in that mindset – as if in reality any attacker is going to back off, or be fighting you on some noble terms of yesteryear.
That said, as with meatspace again, can we expect to see a malicious breacher that has a counter-attack dealt them, then try to sue whoever they were trying to attack for damages?!
Remember I’m UK based, I know that it’s actually legal to protect yourself in some other countries. And people wonder why the UK’s so full of delinquent a-holes.
Doey says
Reticent says
I work for a company which is involved in some of these tests. They are hypothetical attacks, i.e. what would you do if X happened? DOS attacks, malware/virus outbreaks etc. Any reference to companies ‘counter-attacking’ or resulting power outages sounds more fictitious than the Cyber Storm tests themselves. There are no emulated attacks, unless you think a few plain text emails with some scenarios are :)
eM3rC says
Actually, you can have an attack and have some positive results. Take the military for example, they know there is going to be an attack yet it still helps the soldiers. I don’t know how many members here have heard of an event called DEFCON (if not check it out!) but basically it uses mock hacking events. Although stealth can be part of the hacking attack it is not the only part. Even if these countries know about the attacks there are several factors that you might not be thinking of. First, the techniques. They might know about it but they don’t know how the hackers plan to get in. There are hundreds of thousands of possible things that could be done so they would have to be watching everything at once, all the time. Next, the period set aside for the operation. They might be on standby or ordered to act as though they do not really know about an attack. To rule this out the amount of time set aside for the attack could be somewhere around a month so although they might be somewhat prepared, they wouldn’t know when the hackers would hit. Basically what I’m getting at is the drill is excellent and although the governments might be anticipating the attack, it would still be very helpful for the security teams.
arley says
Those are the very same nations of the UKUSA Community, or as you may know, founders/supporters of the ECHELON Spy system.
zupakomputer says
ECHELON’s keyword detector would have found that reference to itself, probably while it was still in the process of being sent to this website.
Well, at the very least, the computer security game means well paid work and you get to do videogames that are way more fun than most offerings these days. I probably won’t get a chance to do that either though – so I’m offering my services in advance of any further disappointments to the botnet people. Keeps you in a job, don’t it.
Just to go off on a minor tangent here – I can see that there’s going to be apps for dealing with attacks in realtime, that are going to function very much like classic (ie – arcade) videogames – a bit like House of the Dead. If it’s not immediately apparent what is meant there – applications that identify things like infected packets, flag them, and allow for commands to be entered on how to deal with them, in a graphical representative environment.
I’m not really meaning this’ll happen just for a laugh, although that itself is amusing, it’s more that when you’re dealing with realtime scenarios it’d be easier to be able to interact with the data if it’s shown graphically – quicker than using many command lines and having to lock / unlock windows, and typing.
Pantagruel says
@Reticent
MMM too bad it turns out to be a ‘paper’ exercise. A scenario book can only be tested for its effectiveness against a controlled real world test.
It’s much like a fire drill, the evac process is dull and tiresome. Teach your people how to extinguish a real fire (it’s fun burning 250 ml of gasoline) with a CO2 extinguisher and the drill will be remembered.
James C says
@Pantagruel
Well put.