Washington Prepares for Cyber War Games

By Brian Krebs
washingtonpost.com Staff Writer
Friday, March 7, 2008; 7:44 AM

The U.S. government will conduct a series of cyber war games throughout next week to test its ability to recover from and respond to digital attacks.

Code-named 'Cyber Storm II,' this is the largest-ever exercise designed to evaluate the mettle of information technology experts and incident response teams from 18 federal agencies, including the CIA, Department of Defense, FBI, and NSA, as well as officials from nine states, including Delaware, Pennsylvania and Virginia. In addition, more than 40 companies will be playing, including Cisco Systems, Dow Chemical, McAfee, and Microsoft.

In the inaugural Cyber Storm two years ago, planners simulated attacks against the communications and information technology sector, as well as the energy and airline industries. This year's exercise will feature mock attacks by nation states, terrorists and saboteurs against the IT and communications sector and the chemical, pipeline and rail transportation industries.

Jerry Dixon, a former director of the National Cyber Security Division at the Department of Homeland Security who helped to plan both exercises, said Cyber Storm is designed to be a situational pressure-cooker for players: Those who adopt the proper stance or response to a given incident are quickly rewarded by having to respond to even more complex and potentially disastrous scenarios. Players will receive information about the latest threats in part from a simulated news outlet, and at least a portion of the feeds they receive will be intentionally misleading, Dixon said.

'They'll inject some red herring attacks and information to throw intelligence analysts and companies off the trail of the real attackers,' Dixon said. 'The whole time, the clock keeps ticking, and things keep getting worse.'

At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans.

'The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,' said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise.

Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest.

Individuals who helped plan the scenarios all have signed non-disclosure agreements about the details of the planned attacks. They will act as puppeteers apart from the participants, injecting events into the game from a command center at U.S. Secret Service headquarters in Washington, D.C. Meanwhile, players will participate via secure online connections from around the world.

At its most basic, organizers say, the exercise tests the strength of relationships and trust between government officials and the private sector companies that control more than 80 percent of the nation's critical physical and cyber infrastructure. In Cyber Storm I, the Department of Homeland Security and the participating companies largely kept the exercise a secret until it was virtually completed. In fact, most of the companies that participated in Cyber Storm I did so anonymously, so that private sector players only knew each other's respective companies by fictitious business names.

The fact that so many companies have chosen to trumpet their participation in this year's exercise is a testament to how those trust relationships have grown in the intervening years, said Reneaue Railton, manager of critical infrastructure response for Cisco Systems, a company whose hardware devices help direct a large portion of the traffic on the Internet.

'All the companies that played did so anonymously,' Railton said. 'We didn't always know who we were contacting.'

Railton, who helped plan the attack scenarios in this year's exercise, said Cyber Storm II promises to keep all participants on their toes, like an episode of the television show '24,' only for an entire work week at a time. Dozens of companies and government agencies from Australia, Canada, New Zealand and the United Kingdom will also participate in the war games and will keep the game in flux around the clock, she said.

The war games will be far more realistic and inclusive for Australia, whose participation in the first Cyber Storm amounted to what a spokesperson for the Australian Attorney General's department called "a desktop exercise" that did not include any private sector companies.

"This year, we're setting up an exercise control room and will be sending out injects to the players in both the private sector and the government," said Daniel Gleeson of Australia's Attorney General's office. "So we'll be involved in this as it unfolds in real time, rather than just talking about what we'd do in those situations."

© 2008 The Washington Post Company