Industry reflects on Cyber Storm 2

Groups involved in the Cyber Storm 2 security exercise presented their first thoughts on the simulated attack drill.

Members of five corporate and government groups, including Microsoft, the US Computer Emergency Response Team (US-Cert) and Dow Chemical all spoke about the study on Wednesday at the RSA conference in San Francisco.

The exercise involved 18 government agencies in five countries, as well as more than 40 companies from the private sector.

While none of the participants would give an insight as to what particular incident was simulated, they did reveal that the exercise involved industrial, public relations, and IT elements.

As such, the takeaway from the exercise ranged from lessons in cross-industry communication to public alert tactics.

Each of the groups involved, however, found that the biggest lesson of Cyber Storm 2 was just how important it was to build a network of both government groups and companies around the globe.

"It was really about developing those relationships and broadening up trust and confidence," said Paul McKitrick, managing director for the New Zealand Center for Critical Infrastructure Protection.

"Having those official back channels straight into another security team is essential."

Dan Lohrmann, chief information security officer for the state of Michigan, said that his team also received a lesson in communications as a result of the exercise.

"We worked quite a bit on communicating public awareness," said Lohrmann. " How we can get out communications to our state employees, to our citizens, and other partners."

The operation did also, however, find some weaknesses.

"There were some shortfalls in information sharing," said Randy Vickers, associate deputy director of US-Cert.

"Some of it is as simple as groups not having the means to communicate widely, and so you either have to send information through various groups of people instead of one central point."

Christine Adams, information systems manager at Dow Chemical, said that in addition to being more aware of what elevated threat levels mean, companies need to become more flexible and able to adapt to a crisis situation, particularly when channels of communication are cut.

"We have some work to do in terms of getting priority telecommunications services if we need it."

The final report on Cyber Storm 2 is expected to be released in the autumn.