Highlights
– Cyber Storm II exercise demonstrates increased attention to cyber security
– NATO recognizes elevated risks of cyber warfare
– A consistent framework for cyber security must be developed to deal with evolving threats
Cyber Security experts have long acknowledged the growing threat of cyber crime and the potential for cyber terrorism, but these warnings have largely gone unheeded as the federal government has sought to improve security in other more pressing areas since September 11, 2001.
Growing Threats
However, the past six years have witnessed a number of high-profile cyber attacks as well as potential vulnerabilities in the nation’s electronic and digital infrastructure. For example, the Department of Defense (DOD) and other government agencies have been repeatedly breached by cyber spies suspected of operating in concert with the Chinese government (Previous Report).
Additionally, in May 2007 Estonia fell victim to a massive distributed denial-of-service (DDoS) attack that crippled the country’s Internet access and disrupted the Estonian government’s ability to carry out financial transactions as well as communications within the government and with its citizens (Previous Report).
Moreover, a March 2007 test by the Department of Homeland Security (DHS) dubbed the “Aurora Generator Test” revealed that large power generators used to supply electrical power to cities could be remotely attacked and disabled by knowledgeable hackers. Finally, the Central Intelligence Agency (CIA) recently revealed that hackers had targeted electric utilities overseas and in some cases caused blackouts (Previous Report).
It now appears that the federal government is paying serious attention to cyber security – in part due to the apparent growing threat of cyber warfare chronicled above. For example, Director of Homeland Security Michael Chertoff recently noted that cyber security is “one area where we have significant work to do” (source). The attention to cyber security now finally extends beyond simple rhetorical flourishes, and funding for important initiatives is now a priority.
Improving Communication – Improving Security
Evidence of the recent increased commitment to cyber security can also be seen this week as DHS kicks off its biennial cyber security “tabletop” exercise named Cyber Storm II. According to DHS, Cyber Storm II will “simulate a large-scale coordinated cyber attack on critical infrastructure sectors including the chemical, information technology, communications, and transportation (rail/pipe) sectors” by “persistent, fictitious adversaries with a distinct political and economic agenda” (source). Insiders believe these adversaries will be modeled as nation-states, terrorists, and malicious insiders (source).
Participants in this exercise will include 18 federal agencies, including the CIA, DOD, the Federal Bureau of Investigation (FBI), and the National Security Administration (NSA). Nine state governments will also participate, including California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas, and Virginia. In addition, more than 40 private sector companies will take part in the exercise, including Cisco Systems, Dow Chemical, McAfee, and Microsoft. Finally, allied foreign governments, including Australia, Canada, New Zealand, and the United Kingdom, will also partake in Cyber Storm II (source).
The obvious goal of the exercise will be to test intra-governmental communication. Additionally, the exercise is designed to improve the government’s communication with the private sector, which owns and operates approximately 80 percent of the US’s critical infrastructure.
The US government’s increased attentiveness to cyber security is also being echoed overseas. Due to recent events, such as the massive distributed denial-of-service attack on Estonia during the summer of 2007, NATO now sees cyber warfare as a serious threat. According to Suleyman Anil, the head of NATO’s Computer Incident Response Capability, “cyber defense is now mentioned at the highest level along with missile defense and energy security” (source).
Outlook
Cyber security, like physical security, is not static and must be constantly attended to. As new software is released and older systems upgraded, new vulnerabilities will be constantly discovered and exploited. As such, it is vitally important that a solid cyber security framework be developed that creates a series of best practices for attack prevention, preparation, detection, mitigation, and recovery. Without such a framework, the increased attention to cyber security will be ineffective in yielding positive and progressive results.