Cyber Storm III simulates large-scale attack

A new cyberattack exercise hosted by the U.S. Department of Homeland Security this week reflects the increasingly sophisticated attacks U.S. agencies and businesses face, DHS officials said.

Cyber Storm III, the third large-scale cyberattack exercise hosted by DHS, will test the ability of government agencies and more than 60 private-sector organizations to work together during a massive incident, said Phil Reitinger, deputy undersecretary of the DHS National Protection and Programs Directorate. Cyber Storm III kicked off Tuesday morning, and Reitinger said Wednesday that he was pleased with the response so far.

“One of the things that I think it’s critical to recognize about cyberspace is it’s beyond the capability of any one government agency to respond, or even one government or one private-sector entity,” he said. “This really requires a joint response.”

Cyber Storm III focuses on increasingly complicated attacks, DHS said. “Our adversaries … have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet’s fundamental elements against itself — with the goal of compromising trusted transactions and relationships,” the agency said in a fact sheet about the exercise.

Reitinger and other DHS officials didn’t lay out the details of the exercise during a press briefing Wednesday, saying they didn’t want news reports to influence the results of the program, which runs for about three days. Reitinger, a participant in the exercise, said even he doesn’t know what will happen next. 

“I see stuff as it comes up,” he said.

The exercise includes a potential for more than 1,500 “injects,” individual events that can be injected into the scenario, said Brett Lambo, director of the DHS’s cyberexercise program.

The exercise doesn’t attack an operating network, but simulates attacks, with participants getting a series of bulletins about new events. On Wednesday morning, about 100 participants from the U.S. government, state governments, foreign government and private companies were responding to new injects at an exercise control center at U.S. Secret Service headquarters in Washington, D.C.

Among the U.S. agencies participating in the exercise are the Departments of Justice, Energy, Defense, State and Transportation, as well as the White House and the U.S. National Security Agency, DHS officials said. DHS didn’t release names of companies participating, but the sectors represented included banking, chemical, communications, nuclear energy and IT, the agency said.

Officials from 11 states, including California, New York and Pennsylvania, participated, as well as officials from 12 other countries, including Canada, France, Germany and the U.K.

The goals of Cyber Storm III included testing the National Cyber Incident Response Plan, released by DHS in late 2009, and checking how well cyberattack information is shared among the organizations involved, DHS said.