“Game on!” With that enthusiastic shoutout, a senior Department of Homeland Security official launched “Cyber Storm V,” an annual cybersecurity exercise that drew over 1,100 participants from government agencies and the private sector.
This year’s exercise, held March 8-10, involved a simulated cyberattack targeting the healthcare and retail sectors, and was managed from a large conference room at the U.S. Secret Service’s headquarters in Washington, D.C.
But participants took part from desktops across the country and, DHS hopes, identified gaps in the nation’s “cyber incident response plan” that will help shape cybersecurity strategies.
In addition to retail and health, the communications and tech sectors were key players in the exercise that involved 60 private-sector organizations, according to DHS Undersecretary Suzanne Spaulding.
However, some stakeholders found shortcomings in the premise of the exercise.
“I think the bigger issue is that we’re having a national cyber exercise without a national cyber incident response plan,” said one industry source. “We’d be much better off if we were exercising against a national plan that details roles and responsibilities for government agencies in a large-scale incident response and one that integrates and formalizes coordination with industry.”
The source added: “The goal of Cyber Storm should be to test a national plan that details how we coordinate to respond to national cyber incident. We used to have such a plan, but for some unexplained reason the government decided to scrap it.”
The Obama administration is promising to produce “a policy for national cyber incident coordination” this spring as part of the president’s Cybersecurity National Action Plan.
During the exercise, Spaulding said, DHS was joined by the departments of Commerce, Health and Human Services, Justice, Treasury and Transportation, and representatives of law enforcement and the intelligence community.
Eight states participated and five foreign nations were represented at the exercise.
“This is a whole-of-nation challenge and it requires a whole-of-nation response,” Spaulding said in opening the exercise, before the doors were shut and the players went to work.
“We know what happened in Ukraine, this is not an academic exercise,” Spaulding said, pointing to a Russian cyberattack last December that brought down its neighbor’s power grid. “We saw for the first time a destructive attack on critical infrastructure that the civilian population depends on.”
This, Spaulding said, was the “nightmare scenario” in action.
Following the three-day exercise, DHS conducted a “hot-wash to assess how we did,” according to retired Brig. Gen. Gregory Touhill, DHS deputy assistant secretary for the Office of Cybersecurity and Communications.
After gathering more input from the thousand-plus participants, DHS “within a couple of months” will produce a detailed “after-action report” that will be circulated among both government and private-sector stakeholders.
Touhill said the exercise allows agencies to assess their preparedness and incident response procedures, improve information sharing and improve the cybersecurity training of their personnel.
They will also attempt to build on the lessons learned from the previous exercises, he said, including whether organizations are adhering to existing guidelines, whether those guidelines are effective and the need to tighten up info-sharing procedures.
The retail and health sectors are frequent and growing targets of cyberattacks, and representatives of those industries “raised their hands and volunteered” to participate this year, Touhill said.
“The reason we’re in it is we know information sharing is the most important function,” said Tom Litchford of the National Retail Federation. “We’re not looking to ‘win’ this game — we’re looking to identify failures” and improve.
This article appears in the March 14 edition of the Washington Examiner magazine.
Charlie Mitchell is editor of InsideCybrsecurity.com, a premium news service from Inside Washington Publishers. He is the author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” coming this spring from Rowman and Littlefield.
