Tuesday, October 21, 2008

National Cyber Security Exercise Report

The Australian Attorney-General's Department has issued "Cyber Storm II - National Cyber Security Exercise - Final Report". This is the unclassified version of the report on Australia's part in the US anti-cyber-terrorism exercise Cyber Storm II:
Cyber Storm II was structured and executed as a large-scale national exercise within an international framework. Canada, New Zealand, the UK and the US were participants. Australia’s participation was second only to the United States, and involved Australian Government agencies, state and territory governments and the largest contingent of private sector organisations ever involved in an Australian Government-sponsored exercise. The exercise structure allowed participants to exercise their internal incident response and communications in a national framework that allowed external communications to be more than notional and which encouraged a collaborative response.

Cyber Storm II was conducted as a “no-fault” exercise. Its purpose was not to obtain a stock-take of participants’ internal crisis management arrangements. Nor was the exercise a test of the resilience of participants’ networks to cyber attack. The starting point for the exercise was that the adversary had sufficient time, money and motivation to penetrate any network.

Many participants recognised that the global exercise framework provided by Cyber Storm II was an extremely cost-effective way of conducting an in-house cyber exercise.

The exercise proved that the major elements of the national response arrangements are sound, but as expected also found a number of areas where improvement would be possible. This report captures key findings and participants’ observations as they relate to cyber incident response.

The key findings are that crisis arrangements must be regularly reviewed and tested; established relationships facilitate rapid information sharing during a crisis; crisis communications procedures must be predicated on accurate and appropriate points of contact and formalised; cyber crises require tailored responses that take into account multiple inter-dependencies; and incident response is assisted by having clear escalation thresholds.

From: Executive Summary, Cyber Storm II - National Cyber Security Exercise - Final Report, August 2008
