Slashdot Mirror


Government Cyber Storm Ends

Bemmu writes "Mainichi Daily News and BBC News are reporting that the 'Cyber Storm' operation, for testing how prepared America is for fending off cyber attacks, has now concluded. Apparently they even used bloggers as part of the operation, as relayers of misinformation!"

10 of 124 comments

  1. Uh oh by rwebb · · Score: 5, Insightful

    If the exercise Hurricane Pam is to Hurricane Katrina as Cyberstorm is to an actual cyber attack, then we're in deep doodoo. No smiley.

    --
    Trusted by cats.
    1. Re:Uh oh by carpe_noctem · · Score: 5, Insightful

      Hey, that's a rather unfair comparison. The Hurricane Pam exercise accurately pointed out everything bad that would happen in case of a category-5 hurricane, and it also outlined the government's areas where they were not prepared (well, up until the point when the exercise was cancelled, that is). The exercise itself could have been very useful, had the government actually used information from this exercise. However, gross amounts of miscommunication (which seems to be the norm in the US government these days) led to the Katrina disaster.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  2. Cyber-BS by Rosco+P.+Coltrane · · Score: 4, Insightful

    The exercise had given the US "an excellent opportunity to enhance our nation's cyber security," the US said.

    What? they finally told Microsoft to release a secure OS or else...?

    Seriously, most "cyber-attacks" are as much the result of criminals, professional spammers and teenage virus writers as they are the result of the single shoddy OS they target. Both are needed for an attack to work. The rest can easily be taken care of by training IT professionals better and by selecting more secure OSes.

    And no, before you ask, I'm not trying to push *nix or MacOS against Windows: while I do believe Windows is badly designed at core and will always be insecure one way or the other, if Microsoft could make it secure, it would most certainly give a lot less headaches to the DHS folks.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. Mock attack = Mock results by t7 · · Score: 5, Insightful

    "The war game drew in 115 agencies from the FBI and CIA to the Red Cross, the Department of Homeland Security said."

    "IT companies and state and foreign governments also played a role in responding to the mock attacks."

    These "simulated" attacks are all well and good, but they are being performed by entities meant to keep the system secure. Isn't that only attacking from one angle? Did these groups attack the systems like script kiddies would? Like seasoned professionals not skewed or influenced by "standard corporate security measures"? Did they take into account social engineering and attacks from the inside?

    1. Re:Mock attack = Mock results by Anonymous Coward · · Score: 1, Insightful

      These "simulated" attacks are all well and good, but they are being performed by entities meant to keep the system secure. blah. blah. blah.

      Ya gotta start somewhere.

      Ya gotta make sure your doors and windows are locked before you install an alarm system. Ya gotta make sure your alarm system works before you install surveillance cameras. Ya gotta make sure your surveillance cameras work before you hire armed guards.

      This may become an annual or biannual event. Maybe they're only at the stage of making sure their doors and windows are locked. Sure, that's not going to deter a determined cyber-attacker.

      But ya gotta start somewhere.

    2. Re:Mock attack = Mock results by offal · · Score: 2, Insightful

      Speaking from experience, security audits from the feds have been much deeper and uncomfortable than any big four (or however many there are today) accounting/risk firms. "Some" feds are true wizards and may be the same "black hat" IRC buddy you are in awe of. Script kiddies are called that for a reason. Anyone remotely experienced with IT Security better know Nessus and NMAP. Anyone selling "expertise" had better provide more than a report based solely on those two tools. In terms of using a test environment, well that's a good thing. Running an unannounced cyber Pearl Harbor attack on the real grid is what some folks call reckless. Regarding why are these systems on the net, well that may have something to do with commerce, deregulation, and the need to accommodate web-based transactions without requiring a private T1 line that adds its own concerns of risk, redundancy, and dependency.

  4. Re:They apparently forgot ..... by jimicus · · Score: 3, Insightful

    It's worse than that.

    I can't provide references off the top of my head, but IIRC some estimates suggest that up to 70% of "attacks" come from within - disgruntled or corrupt employees being the most obvious example.

    Naturally, most companies aren't too keen to issue a press release saying "Yeah, this chap we employed walked out the door with a couple of thousand customer records when we sacked him last week", so these estimates are little more than educated guesses. But even so, if there's only the tiniest grain of truth to them it demonstrates how important it is to consider both internal and external security.

  5. Re:Misinformation? by Zeinfeld · · Score: 4, Insightful

    the gov don't want you getting information off the official channels. stick to your tv and leave the internet alone.

    This lot don't want people to take information from anywhere else than themselves, Fox News and the Washington Times.

    But I suspect that the reason Blogs were in the simulation was because of their speed of reaction rather than anything else.

    The biggest cyberwar effect being seen today is freebooting groups of partisans launching unofficial (and possibly sometimes official) actions. A big concern in the intel community is that these unofficial actors may tip an international incident into a crisis.

    Take the current spate of attacks by Islamist hackers attacking targets in Denmark. Imagine if Denmark was a crazy-actor like Libya or Iran and a cyberattack by one of those unofficial freebooters took out a major infrastructure. Or imagine what might happen if Iranian hackers attacked Denmark, took out a major infrastructure and Danish hackers retaliated in kind.

    Add freebooter hackers into an environment where diplomats are doing everything they can to avoid escalation and the potential for disaster is large.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  6. Slashdot CyberSecurity Consulting by tritab · · Score: 4, Insightful

    How many comments do we need asking "what if this", "what about that", "why don't they make Microsoft fix their insecure OS", etc? I for one, am excited that the government even attempted this exercise. The smart folks who were involved with this definitely learned valuable lessons. Likely, as was seen with hurricane Katrina, communication was the biggest obstacle. Even the PHB's will notice the major problems. Please keep in mind that the government is a large bureaucracy and as such, is large and hard to change.

    Also keep in mind that the information security profession is still very immature. Remember that doctors and lawyers "practice" their professions. Do we "practice" information security? Engineers are legally required to submit their designs for peer review for all municipal projects. Is that same level of review required for information security for government efforts?

    We still have quite a way to go, but we are making steps forward.

  7. Re:CYBER STORM LOL by AB3A · · Score: 2, Insightful

    Most hackers would have a hard time doing that where I work. It is TRULY isolated. Granted, in many utilities, the IT department has taken over things like DCS systems and SCADA systems. This is a very BAD thing. IT may be really good with computers, but they often don't know anything about how industrial control systems work. It is not "just another data source" or "just another network". Screw up on projects like these, and there may not be anything left to reboot. It is wise to cultivate a few engineers and attempt some cross training between the two groups.

    Sadly, most IT departments are in it for the flashy reports and cool looking web page designs. Most engineers I have spoken to on this subject just shake their heads in disgust.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!