U.S. testing defenses with simulated cyberattack

Set up by the Department of Homeland Security, Cyber Storm III is testing the ability of government agencies, private companies, and international partners to respond to a full-scale cyberattack.

Lance Whitney

The U.S. government has launched a full-scale simulated cyberattack to gauge how the country might fare in the real thing.

Sponsored by the Department of Homeland Security, Cyber Storm III kicked off yesterday for a three-day series of simulated events designed to exploit holes in the nation's cybersecurity system.

Specifically, the exercise will "inject" more than 1,500 different types of threats to examine the ability of the people involved to prepare for cyberattacks, make the correct decisions to respond to them, and share sensitive information with the right parties.

Noting that the country's adversaries have moved beyond Web page defacements and DDoS (distributed denial of service) attacks, the DHS's Cyber Storm III Fact Sheet (PDF) states that the new exercise will go a step further by trying to compromise trusted transactions and relationships.

"In Cyber Storm III, we're kind of using the Internet to attack itself," Brett Lambo, director of DHS's Cyber Exercise Program, told reporters in a pre-test briefing, according to AFP. "At a certain point, the operation of the Internet is reliant on trust--knowing where you're going is where you're supposed to be. We're going to try to compromise that chain of trust by attacking something that's fundamental to the operation of the Internet."

Lambo revealed that one of the simulations would compromise the encrypted digital certificates that verify identities online, while another would introduce issues into the DNS (domain name system) that pairs domain names with IP addresses.

Further, Cyber Storm III will incorporate certain aspects of the government's new National Cyber Incident Response Plan, a basic blueprint to determine who does what in case of a cyberattack. It will also be Washington's first chance to test the new National Cybersecurity and Communications Integration Center (PDF), which was set up last fall to act as a hub for coordinating cybersecurity.

Cyber Storm III will challenge a diverse group of thousands of people, including representatives from seven Cabinet-level departments along with the White House, intelligence agencies, 11 state agencies, 12 international partners, and 60 private sector companies.

"Securing America's cyberinfrastructure requires close coordination with our federal, state, international, and private sector partners," DHS Secretary Janet Napolitano said in a statement. "Exercises like Cyber Storm III allow us build upon the significant progress we've made in responding to evolving cyberthreats."

Cyber Storm III is the third exercise organized by the federal government to assess its cyberdefenses.

Launched in early 2006, Cyber Storm I attempted to see how government and the private sector would join together to respond to a cyberattack. A report on this first exercise (PDF) uncovered an insufficient number of "technical experts" who could analyze all the information coming through as well as difficulty determining who to call for help and the lack of a "triage" plan for cyberattacks.

Cyber Storm II in 2008 ramped up the challenge by injecting 2,000 different events, including hacking attempts, DDoS attacks, and even false intelligence information. The final report (PDF) found that many participants weren't familiar enough with the roles and responsibilities of each organization involved in the exercise and didn't know how to access or use the tools available to them in dealing with a cybercrisis.