- Examine organizations' capability to prepare for, protect from, and respond to cyber attacks' potential effects;
- Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures;
- Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and
- Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.
Each Cyber Storm builds on lessons learned from previous real-world disasters, ensuring that participants face more sophisticated and challenging exercises every two years.
Cyber Storm I: February 2006
In February 2006, the Department of Homeland Security (DHS) coordinated a major cyber attack exercise, called Cyber Storm (later renamed Cyber Storm I), at a cost of about $3.7 million. It included large-scale simulations of multiple concurrent attacks involving the federal government, states, foreign governments, and private industry.
The exercise simulated a large-scale attack affecting the energy and transportation infrastructures, using the telecommunications infrastructure as a medium for the attack. Participants included eight federal departments and three agencies, three states, and four foreign countries. The exercise also involved representatives from the private sector — including 11 information technology companies, 7 electric companies, 1 banking and finance company, and 2 airlines — and over 100 public and private agencies, associations, and corporations. DHS officials conducted the exercise primarily on a separate network to minimize the impact on "real world" information systems.
The objectives of Cyber Storm I were to:
- exercise interagency coordination by convening NCRCG and the Interagency Incident Management Group, a multi-agency team of federal executives responsible for providing strategic advice during nationally significant incidents;
- exercise intergovernmental and intragovernmental coordination and incident response;
- identify policies and issues that hinder or support cybersecurity requirements;
- identify public/private interface communications and thresholds of coordination to improve cyber incident response and recovery, as well as identify critical information sharing paths and mechanisms;
- identify, improve, and promote public and private sector interaction in processes and procedures for communicating appropriate information to key stakeholders and the public;
- identify cyber and physical infrastructure interdependencies with real-world economic and political impact;
- raise awareness of the economic and national security impacts associated with a significant cyber incident; and
- highlight available tools and technologies with analytical cyber incident response and recovery capabilities.
DHS also identified eight lessons during the Cyber Storm I exercise that affected all participating sectors and agencies. These lessons involved improving (1) the interagency coordination groups; (2) contingency planning, risk assessment, and roles and responsibilities; (3) integration of incidents across infrastructures; (4) access to information; (5) coordination of response activities; (6) strategic communications and public relations; (7) processes, tools, and technology; and (8) the exercise program.
Cyber Storm II: March 2008
In March 2008, DHS conducted its second broad-scale exercise, called Cyber Storm II. The exercise cost about $6.4 million, and simulated a large-scale cyber attack affecting the communications, information technology, chemical, and transportation infrastructures. According to DHS, the exercise involved 18 federal agencies, 9 states, 10 information sharing and analysis centers, 5 foreign countries, and over 40 industry representatives from the private sector.
The objectives of Cyber Storm II were to:
- examine the capabilities of participating organizations to prepare for, protect from, and respond to the effects of cyber attacks;
- exercise senior leadership decision making and interagency coordination of incident responses in accordance with national-level policies and procedures;
- validate information sharing relationships and communication paths for the collection and dissemination of cyber incident situational awareness, response, and recovery information; and
- examine the means and processes to share sensitive and classified information across standard boundaries in safe and secure ways without compromising proprietary or national security interests.
DHS plans to issue a report on what it learned from Cyber Storm II by the end of 2008.
Cyber Storm III: September 2010
In September 2010, DHS conducted the third of its Cyber Storm exercises, Cyber Storm III. This three-day exercise was undertaken to test the National Cyber Incident Response Plan, and participants included representatives from federal departments and agencies, states, ISACs, foreign countries, and the private sector. It was intended to simulate a large-scale cyber attack on critical infrastructure across the nation.
Cyber Storm III represented the first opportunity to test the new National Cybersecurity and Communications Integration Center (NCCIC) — which serves as the hub of national cybersecurity coordination and was inaugurated in October of 2009.
Cyber Storm IV: 2011-2012
Cyber Storm IV was designed as a set of building block exercises, which began in fall 2011 and concluded in 2012. This exercise design promoted more focused exercise activities, allowing participants to delve deeper into particular cyber issues. Members of the cyber incident response community are actively collaborating with DHS in the design and execution of these building block exercises. Observations from the building block exercises will inform National Level Exercise 2012 planning activities, continue to enhance the cyber incident response community's capabilities, and support the Nation's ongoing resilience efforts.
- The Interagency Incident Management Group was later reorganized and renamed the Crisis Action Team.
- Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise.