A massive cyber-terrorism and hacking attack is on the radar for New Zealand.
Kiwi organizations will find their online defences tested for the first time in a huge international cyber-security exercise being coordinated by the U.S. Department of Homeland Security next year.
Private and public-sector organizations will be involved in next March’s Cyber Storm II attack simulation in the Land of the Long White Cloud, along with organizations in the U.S., Canada, the U.K. and Australia.
The exercise will simulate, on a private network, a series of hacking and “cyber-terrorism events” attempted via the Internet.
Nothing of a dangerous nature will be attempted on live networks, says Richard Byfield of the Centre for Critical Infrastructure Protection (CCIP), which will coordinate the local part of the exercise.
The first Cyber Storm simulation took place in March 2006, but New Zealand’s involvement was small, just a “table-top” exercise, with simulations of escalating events being represented on paper. This time, there will be an online portal, where scenarios appropriate to New Zealand’s national security will be played out.
Real-time tests will be conducted to assess the responses and inter-communication abilities of government organizations such as CCIP, New Zealand’s Defence Force, Security Intelligence Service and the Police’s electronic crime lab, as well as private-sector maintainers of vital infrastructure such as Telecom New Zealand Ltd. and Transpower New Zealand Ltd. Some Internet service providers are likely to be asked to be involved as well, says Byfield.
As organizations respond to the attacks, the situation will escalate in unpredictable ways. Like a fire-drill, there will be an exhaustive check after the simulation exercise, to see if the right people and agencies were informed at the right time.
Naturally, there is no advance knowledge of exactly what will be simulated, but unofficial reports suggest one of the major scenarios could involve the chemical industry, says Mike Harmon, who is in charge of the exercise for the CCIP.
New Zealand will have some flexibility when it comes to the scenarios it chooses to run, to reflect the country’s particular vulnerabilities.
“The electricity grid and telecommunications are good things to test in New Zealand,” says Byfield, because management of the two industries is dominated by one company in each sector.
Interruptions to the electricity supply are likely to involve not only the core network but also the digital Supervisory Control and Data Acquisition (Scada) network that overlies and controls electricity distribution.
For a long time, Scada has been concealed from public view – Harmon calls it “security by obscurity” – but the networks are now connected via the Internet, making them more visible and therefore more vulnerable.
A preliminary table-top exercise will be held this month, to prepare for the real thing in 2008.
The first Cyber Storm simulation uncovered gaps and stresses in communications between agencies, particularly when there were multiple threats which demanded concurrent responses.
Management of public information was also identified as critical, and will be carefully monitored this time around.
As part of the exercise, authorities have to ensure public information is accurate, so as to avoid creating needless panic, according to the report from the first exercise. Misleading information or deliberate disinformation is a risk, particularly in a world of bloggers and other independent media sources.
Media organizations, particularly those that cover ICT, could be asked to play a role in Cyber Storm II, says Harmon. Media relations staff from the various agencies involved in the exercise will certainly be important participants.