After 12 years and five previous exercises, the Homeland Security Department believes it’s gotten smarter about simulating seemingly realistic but fake cybersecurity crises, even as the mechanisms and plans the agency uses to communicate and respond to real attacks are still evolving.
More than 1,000 “players” are convening both in person and cyberspace this week to engage in Cyber Storm VI, one of the nation’s largest simulated cybersecurity exercises.
Players from DHS, the National Cybersecurity and Communications Integration Center, federal law enforcement agencies and state governments, as well as private companies in the critical infrastructure sectors, are testing the agency’s National Cyber Incident Response Plan.
The goal is to uncover what’s working and what isn’t working in that national plan — and forge better ways to share and communicate cyber threat information for the future, said Jeanette Manfra, DHS assistant secretary for cybersecurity and communications.
“What we really need is that… playbook level, so that people, whether they’re a duty officer or just the analyst on watch, they know who they need to contact, what the protocols are, how to get that information out quickly,” she told reporters during the first day of the cyber storm exercise.
Most participants “play” from their actual work locations, but the Secret Service headquarters in Washington, D.C. hosted many of them. A room at the Secret Service was buzzing with activity on Tuesday morning before DHS officially kicked off the exercise.
The goal of the exercise, the department said, is to encourage participants to first look at the processes and steps they take to respond to a cyber incident and ultimately find ways to improve them.
“Many exercises in the cybersecurity world focus on technical aspects, training our technical analysts,” Manfra said. “Those are important and we do many of those. But the importance and what differentiates this exercise is the ability to exercise how we coordinate, how we collaborate [and] how we share information, because that is just as important, as we’ve seen in every real life incident, as the actual technical means of identifying who’s doing it and getting them off the computers.”
During the exercise, players receive an “inject” in the form of an email, a phone call, a simulated post on a social media or news site, and will then determine how they’ll respond. As a new addition this year, DHS simulated a realistic-looking social media and news site specifically for the cyber storm exercise.
DHS officially kicked off the game Tuesday, when players first begin to receive these injects. They ramp up in intensity Wednesday, and by Thursday, players from multiple entities will be working together to coordinate their responses.
“The timeline of the exercise, of course, is compressed. What typically happens over a matter of weeks or [a] month is being condensed into three days. The goal is to push participants out of their comfort zone and present them with a scenario that they feel they cannot respond to effectively unless they reach out to the others.
This year’s scenario is focusing on the critical manufacturing, transportation and IT sectors.
Though Manfra emphasized that other critical infrastructure sectors, like the election system, certainly face tough cyber risks in today’s environment, DHS sees the exercise as a way to bring all important players together to build more collaborative relationships.
Specifically, these partners are testing DHS’ own internal communication mechanisms and looking at how they communicate with private sector, state and local partners, and vice versa.
Tthe exercise deliberately tries to recreate a feeling that private sector companies and federal agencies are becoming all too familiar with, Manfra said.
“What we’re doing here is specifically focused on how does, say, the loss or the lack of trust or anything with your IT and communications system impact your mission, your ability to do your job,” she said.
Planning for the sixth cyber storm started more than a year ago back in February 2017. After this week’s exercise, the DHS team in May will begin to review feedback and lessons learned from the participants.
“That work does not end this week,” Manfra said. “In fact, the most important part of the exercise is the after-action process. Too often, we conduct exercises and we just move on to our day jobs. It’s so important and such a priority for us that we not only do the exercise but that we collect feedback, that we understand what we did well, where we need to improve, what our partners’ feedback was and again, that we incorporate that into our response plans and playbooks.”