ENISA described their exercise scenario: “The simulation will be based on a scenario where internet connectivity between European countries would be gradually lost or significantly reduced in all participating countries so that citizens, businesses and public institutions would find it difficult to access essential online services. In the exercise, Member States will need to cooperate with each other to avoid a simulated total network crash.” The exercise FAQs make clear that:
– This is a public-sector-only exercise, because “The Member States decided from the very beginning that it is already a very ambitious exercise. Having the private sector taking part in this first pan-European exercise would add an additional complexity factor.”
– All EU Member States and 3 EFTA countries take part. More specifically, 22 Member States actively participate having in total 70 player organisations around Europe, while 8 countries take the role of observer…. The team of planners involved staff from DK, FI, FR, HU, IT, PT, SE, UK, and was done with the contribution of staff from ENISA and the EU’s Joint Research Centre, JRC.
A recommendation made by ENISA before the exercise was that: “One of the important recommendations for Member States is to run national exercises. Exercises help to test measures and support decisions on taking actions. If all Member States become experienced in running national exercises the readiness in Europe will be enhanced.”
The DHS factsheet says the Cyber Storm III exercise scenario “reflects the increased sophistication of our adversaries, who have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet’s fundamental elements against itself—with the goal of compromising trusted transactions and relationships…. The scenario will incorporate known, credible technical capabilities of adversaries and the exploitation of real cyber infrastructure vulnerabilities, resulting in a range of potential consequences—including loss of life and the crippling of critical government and private sector functions.”
In terms of size, Cyber Storm III is even larger than its predecessors:
– Administration-Wide—Seven Cabinet-level departments including Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury, in addition to the White House and representatives from the intelligence and law enforcement communities.
– Eleven States—California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, Washington, as well as the Multi-State Information Sharing and Analysis Center (ISAC)—compared to nine states in Cyber Storm II.
– 12 International Partners—Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom—compared to four international partners in Cyber Storm II.
– 50 Percent More Private Sector Partners—We will have 60 private sector companies playing in Cyber Storm III, up from 40 in Cyber Storm II; several will participate on-site with DHS for the first time. DHS worked with representatives from the Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water Sectors as well as the corresponding Sector Coordinating Councils and ISACs to identify private sector participants.
DHS are not publishing any report until 2011. The exercise has been criticised by political opponents of the Democrats (“Impressive, no? And just another reminder that there’s a US election less than five weeks away. “OK, everyone… look busy.””). It is certainly complicated: a DOD press release says: “The ‘defenders’ could face over 1,500 separate events; some will be subtle, with only few hints indicating ongoing penetrations into computerized systems. Other events will be more dramatic, demonstrating the resulting effects to compromised networks.”
According to the Executive Director of ENISA, Dr Udo Helmbrecht, quoted in The Register, ENISA’s ‘Interim Findings’ about the EU exercise were:
– The exercise fully met its objectives. The scenario was well balanced between technical and communication requirements.
– Exchanging lessons-learnt with other (national or international) exercises would be useful.
– The private sector should be part of the next pan-European exercise.
– There is a lack of pan-European preparedness measures to test. This reflects the fact that many Member States are still refining their national approaches.
– The exercise was only the first step towards building trust at pan-European level. More co-operation and information exchange is needed.
– Incident handling in Member States varies a lot due to the different roles, responsibilities and bodies involved in the process.
– The Member States had difficulties in fully grasping how incidents are managed in other MS.
– ENISA’s role in organising and managing future exercises is highly recommended by MS.
– Member States support future pan-European exercises, but more time should be allocated to plan and execute the exercise.
This is refreshingly quick and honest, after such dubious precedents as the official report on the EU’s ‘Exercise Common Ground’.
Critics (e.g. Bruce Hallas) have said that the exercise focused too much on DDoS. (“A better picture of the EU’s preparedness for a cyber attack would take into consideration much more than its ability to handle distributing / routing web traffic generated through a DDoS attack. “Yes” it is helpful, but “No” it falls short in the overall scheme of things because just like in real warfare no single attack wins an overall war.”) However, it was a first exercise, designed largely to test internal coordination and communications, and I have to say the scenario seems fair enough to me. Hallas may not be aware of the way the exercise was planned; to my mind it was best to go for a simple scenario for the first major exercise, rather than risk the technical issues which bedevilled Cyber Storm II (during which, as Bruce Schneier reported, “In the middle of the war game, someone quietly attacked the very computers used to conduct the exercise. Perplexed organizers traced the incident to overzealous players and sent everyone an urgent e-mail marked “IMPORTANT!” reminding them not to probe or attack the game computers.”).