Companies, government responses to war game draw mixed reviews

Imagine this: Washington’s Metro trains shut down; seaport computers in New York go dark; bloggers reveal locations of railcars carrying hazardous materials; airport control towers are disrupted in Philadelphia and Chicago; overseas, a mysterious liquid is found on London’s subway. And this is just for starters. AP’s Ted Bridis reports that these incidents were among dozens of detailed, mock disasters confronting officials rapid-fire in the U.S. government’s biggest-ever Cyber Storm war game, according to hundreds of pages of heavily censored files obtained by AP. DHS ran the exercise to test the nation’s hacker defenses, with help from the State Department, Pentagon, Justice Department, CIA, National Security Agency, and others.

The list of fictional catastrophes — which include hundreds of people on No Fly lists suddenly arriving at airport ticket counters — is significant because it suggests what kind of real-world trouble keeps people in the White House awake at night. Imagined villains include hackers, bloggers, and even reporters. After mock electronic attacks overwhelmed computers at the Port Authority of New York and New Jersey, an unspecified “major news network” airing reports about the attackers refused to reveal its sources to the government. Other simulated reporters were duped into spreading “believable but misleading” information that worsened fallout by confusing the public and financial markets, according to the government’s files. The $3 million, invitation-only war game simulated what the United States described as plausible attacks over five days in February 2006 against the technology industry, transportation lines, and energy utilities by antiglobalization hackers. The government is organizing another multimillion-dollar war game, Cyber Storm 2, to take place in early March. “They point out where your expectations of your capabilities may be overstated,” DHS secretary Michael Chertoff told the AP. “They may reveal to you things you haven’t thought about. It’s a good way of testing that you’re going to do the job the way you think you were. It’s the difference between doing drills and doing a scrimmage.”

AP obtained the Cyber Storm internal records nearly two years after it requested them under the Freedom of Information Act (FOIA). The government censored most of the 328 pages it turned over, marked “For Official Use Only,” citing rules preventing the disclosure of sensitive information. “Definitely a challenging scenario,” said Scott Algeier, who runs a cyber-defense group for leading technology companies, the Information Technology Information Sharing and Analysis Center. For the participants — including government officials from the United States, England, Canada, Australia, and New Zealand and executives from leading technology and transportation companies — the mock disasters came fast and furious: Hacker break-ins at an airline; stolen commercial software blueprints; problems with satellite navigation systems; trouble with police radios in Montana; school closures in Washington, Miami and New York; computer failures at border checkpoints. The incidents were divided among categories: computer attacks, physical attacks, or psychological operations. “We want to stress these players,” said Jeffrey Wright, the former Cyber Storm director for DHS. “None of the players took 100 percent of the correct, right actions. If they had, we wouldn’t have done our job as planners.”

The important question: How did they do? Reviews were mixed. Companies and governments worked successfully in some cases. Key players, however, did not understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it did not have enough technical experts. Also, the sheer number of mock attacks complicated defensive efforts. The little-known Cyber Response group, headed by the departments of Justice and DHS, represents the largest U.S. government departments — including law enforcement and intelligence agencies — and is the principal organization for responding to cyber attacks and recovering from them. The exercise had no impact on the real Internet. Officials said they were careful to simulate attacks only using isolated computers, working from basement offices at the Secret Service’s headquarters in downtown Washington.

Birdis writes that the government’s files hint at a tantalizing mystery: In the middle of the war game, someone quietly attacked the very computers used to conduct the exercise. Perplexed organizers traced the incident to overzealous players and sent everyone an urgent e-mail marked “IMPORTANT!” reminding them not to probe or attack the game computers. “Any time you get a group of (information technology) experts together, there’s always a desire, ‘Let’s show them what we can do,’” said George Foresman, a former senior DHS official who oversaw Cyber Storm. “Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players.”