After a simulated cyberattack exercise last winter, officials in charge of cybersecurity at the U.S. Department of Homeland Security said they had identified eight areas they need to work on with the private sector to secure and respond to cyberattacks on the nation’s critical infrastructures.
But as many security experts expected, the Cyber Storm exercise (staged in early February to attack computers supporting the U.S. and international energy and transportation systems) pointed out that much basic planning is left to be done to prepare for a large-scale cyberattack.
DHS officials and the “Cyber Storm Exercise Report” were short on details of the exercise and what was discovered. DHS identified “eight core findings,” including the need for more interagency coordination (such as what events would trigger involving what government agency) and the need for clearer roles and responsibilities among government agencies and the private sector.
George Foresman, undersecretary for preparedness at DHS, said at a September press conference that other key findings cited the value of DHS’s ability to stage such a large-scale exercise and showed that the government could work with the private sector on cyberattacks.
Security experts who have monitored the government’s cybersecurity efforts say the United States should be further along in its preparations and note that Cyber Storm did not test how the country would respond to specific threats, such as a denial-of-service attack.
Foresman defends DHS’s performance by saying that the government has been aware of cybersecurity issues for only 10 years. DHS plans another exercise in 2008. “We ought to have processes and procedures in place that clarify” the coordination issues highlighted in Cyber Storm, Foresman says. “If they still exist, then we know we didn’t do a good job of implementing it.”