New Zealand organisations will find their online defences tested for the first time in a huge international cyber-security exercise being coordinated by the US Department of Homeland Security next year.
Private and public-sector organisations will be involved in next March’s Cyber Storm II attack simulation, along with organisations in the US, Canada, the UK and Australia.
The exercise will simulate, on a private network, a series of hacking and “cyber-terrorism events” attempted via the internet.
Nothing of a dangerous nature will be attempted on live networks, says Richard Byfield of the Centre for Critical Infrastructure Protection, which will coordinate the local part of the exercise.
The first Cyber Storm simulation took place in March 2006, but New Zealand’s involvement was small, just a “table-top” exercise, with simulations of escalating events being represented on paper. This time, there will be an online portal, where scenarios appropriate to our national security will be played out, testing the responses and inter-communication abilities of government organisations such as CCIP, the Defence Force, the Security Intelligence Service and the Police’s electronic crime lab, as well as private-sector maintainers of vital infrastructure such as Telecom and Transpower. Some internet service providers are likely to be asked to be involved as well, says Byfield.
As organisations respond to the attacks, the situation will escalate in unpredictable ways. As with a fire drill, there will be an exhaustive check after the simulation exercise to see if the right people and agencies were informed at the right time.
Naturally, there is no advance knowledge of exactly what will be simulated, but unofficial reports suggest one of the major scenarios could involve the chemical industry, says Mike Harmon, who is in charge of the exercise for the CCIP.
New Zealand will have some flexibility when it comes to the scenarios it chooses to run, to reflect our particular vulnerabilities.
“The electricity grid and telecommunications are good things to test in New Zealand,” says Byfield, because management of the two industries is dominated by one company in each sector.
Interruptions to the electricity supply are likely to involve not only the core network but also the digital “supervisory control and data acquisition” (Scada) network that overlies and controls electricity distribution.
For a long time, Scada has been concealed from public view — Harmon calls it “security by obscurity” — but the networks are now connected via the internet, making them more visible and therefore more vulnerable.
A preliminary table-top exercise will be held next month, to prepare for the real thing in 2008.
The first Cyber Storm simulation uncovered gaps and stresses in communications between agencies, particularly when there were multiple threats which demanded concurrent responses.
Management of public information was also identified as critical, and will be carefully monitored this time round.
As part of the exercise, authorities have to ensure public information is accurate, so as to avoid creating needless panic, says the report from the first exercise. Misleading information or deliberate disinformation is a risk, particularly in a world of bloggers and other independent media sources. Media organisations, particularly those that cover ICT, could be asked to play a role in Cyber Storm II, says Harmon. Media relations staff from the various agencies involved in the exercise will certainly be important participants.