March 17th, 2008 05:30 EST
Cyber Security and Cyber Storm II
Under Secretary Jamison: I want to talk a little bit about what we're doing from a cyber-security perspective and what we hope to get out of the exercises going on today from the Cyber Storm perspective. I think it's important to note that when most people think about DHS they think either about TSA or Border Patrol agents or other physical presence in security situations and it's important to realize that DHS has an important role in cyber security. And even though cyber security is not tangible or as tangible as some of the other security aspects that we deal with at DHS it's a very, very important issue and it's important threats and arrows that we're dealing with as a department.
As you know Secretary Chertoff has made it one of his top four priorities for '08 as well as the President's put a lot of emphasis on this recently and we have a robust cyber initiative that we're working on as interagency.
We're concerned that the threats are real and growing; that they're more sophisticated and more targeted and more frequent. And that we all realize that as technology advances and our dependence on an interconnected cyberspace grows, we're more vulnerable from cyber threats. So we must evolve as a nation and we must evolve as a government that deals with this cyber threat. So we're taking a proactive approach at DHS along with our federal interagency partners.
We're trying to build on a foundation, a foundation of which some of the things that we learned from Cyber Storm 1 and others. We have established a national cyber security division. We do have intrusion detection capability in the form of EINSTEIN at our federal governments right now. In some portions of the federal government the capability will want to grow in the future and we've got a US-CERT, a 24/7 watch operation. It's a warning and response center that is being tested in this scenario that we're talking about today.
We really need to build on those capabilities and become a performance-based service organization and really get comprehensive intrusion detection capability across the federal government; improve our real time response and warning capabilities; make sure that we've strong analytical skills and we can respond not only to the federal government agencies that need our support but the private sector and the state and local governments as well. And that's some of our focus going forward.
One of the biggest underpinnings of our response capability is comprehensive situational awareness. We're really trying to make sure that all the entities across the federal government that have a role in cyber security are working together and leveraging the skills and resources that they have to work together to prevent and respond to cyber attacks. That's one of the big things that we're testing this week.
Let me tell you a little bit about Cyber Storm II. It is a week-long exercise. As I mentioned it's focused on preparedness and response and our ability to leverage comprehensive situational awareness, not only across the federal government but with our international partners and with our state and local government partners, and our private sector partners. And that's what we're trying to test this week.
Let me tell you about what it's not. I wouldn't draw any conclusions about what you've heard about the scenarios or even the participants to real time cyber realities about what you think our most important threat or our most important adversary or issue might be. What we are trying to do is to simulate real time scenarios, make sure that we are coordinating on the response effort, and make sure that we've tested those concepts of operations and relationships that we have in place with all of our partners.
Cyber Storm I taught us some important lessons. As I mentioned, we built more of a foundation going forward into Cyber Storm II, but many of the things that we learned were that we needed more formal coordinated relationships to share information with our partners.
Through the National Infrastructure Protection Process now since Cyber Storm I we have 17 infrastructure sector specific plans that have a cyber component and we have formalized relationships in sector coordinating councils, government coordinating councils, and information sharing and analysis centers that allow us to more formally share information and respond together. That's what we're testing this week.
Going forward let me tell you a little bit about DHS' approach going forward and some of the things that we're trying to do from a cyber perspective. I mentioned we're really to improve our situational awareness. That comes down to, from a government perspective, for the ".gov" domain, of working with our partners, the Office of Management and Budget and our federal interagency partners to reduce the number of internet access points that we have in the federal government and make sure that we outfit those with an improved EINSTEIN capability to get us better intrusion detection capability.
We're looking to expand our resources and our personnel to be able to utilize that enhanced situational awareness and respond to it. So we need to improve our analytical capabilities. We need to improve and build upon our response capabilities and become, as I mentioned, a more service-based organization that provides those services to the federal government and our private sector partners as needed to help them respond to these events.
Third, we're really looking on continuing to develop those relationships and information sharing with all the partners that we mentioned the government, the private sector, and our international partners.
And lastly, we're looking to integrate these issues into our preparedness and response capabilities across not only the department but across the federal government of how we deal with and respond to incidents.
This has been a very challenging week for all of our players and for DHS and for US-CERT in particular but it's a rewarding week. I think we've already learned a lot. We've got some good feedback from our partners and I think we've got some things that we will build upon in an after-action report and can only go to enhance our efforts going forward.
With that, I'd like to turn it over to Greg Garcia, our Assistant Secretary for Cyber Security and Communications, to give you a few more details on the exercise.
Assistant Secretary Garcia: Thank you, Mr. Under Secretary, and good afternoon everyone. Thank you very much for being here. What you are going to see this afternoon is the culmination of an 18-month planning process, which involved the expertise and dedication of hundreds of planners, crafting exercise scenarios to model real world challenges; and thousands of players who are testing their ability to identify and to respond to those challenges. So we have, in this exercise, nine states are participating; 40 companies; 18 federal agencies; 10 information-sharing and analysis centers, ISACs, the watch and warning. All of these folks are coming together to really focus on their ability to share information and to coordinate their response to cyber incidents that are being waged through and against the global cyber infrastructure.
Over the course of the week, exercise players have had to respond to nearly 1,800 what we call injects, specific bits of information that tell the players what has just happened that they need to respond to or to share information about.
These injects were sent over phone, over e-mail, over fax, over the exercise website, and in person. I think you will find it very interesting as you go down there, you will see somebody from the chem sector running across the room to talk to somebody from Delaware and somebody from Pennsylvania running across the room to talk to somebody in the communication sector. So there is a real time cross-networking that's happening on the floor as these people are responding to the challenges and injects minute by minute.
As Mr. Jamison said, some of these injects are essentially white noise, where players need to distinguish between what is incidental white noise and an insignificant and that which requires significant attention; or may represent a real problem that needs to be dealt with.
In short, the effort here is a collective effort to piece together a digital jigsaw puzzle where some of the pieces are not available and other pieces are disguised and don't at first seem to fit into the big picture.
So a couple of scenarios I can give you as examples. We simulated a telecommunications disruption which caused unreliable telephone service across the country. As a result players received injects about their inability to call other participants or difficulties reaching critical services, such as 911. On top of the damaged phone service, we added significant internet disruptions that impacted several top-level domains such as ".com," ".net," and ".gov." And this made internet access difficult; especially for our state participants whose websites and the exercise became unreliable. And this greatly impacted their ability to post critical information externally to their constitutions and to communicate with other stakeholders.
So as this week has progressed, the volume and sophistication of these attacks really has strained some of the best and brightest minds playing in this exercise from the public and private sectors.
I had a number of conversations with them over the past several days and they remarked somewhat sheepishly how much of a stretch it has been for them, which is just what this exercise is intended to do. It's intended to test their ability to respond to challenging situations, to coordinated attacks against multiple sectors.
So what happens next? Tomorrow begins, when the exercise ends, begins an intensive evaluation process where all the players participate and will share their candid insights into what worked and more importantly what areas need to be addressed for improvement across federal, state, private sector, and international partners who had been participating in the exercise.
And my hope is that these thousands of planners and players are going to have used this week to hone their skills at information sharing and leverage the relationships that they have developed, not just over this past week but in fact over the past 18 months in the planning process. This is really the key to effective real time incident response is to have those relationships in place before something happens so that you know what to do.
We like to say with this exercise that you play how you train. So we designed this exercise to be as realistic as possible so that as we train when the time comes or if the time comes that a major incident does happen, we're going to play the way we trained.
The result, then, after this evaluation is going to be an after action report, which we plan to publish in late summer. It will be on the DHS website. But our players' mitigation efforts through this after action report are just part of the equation. We hope, and indeed we are urging that other organizations are going to use this exercise report to more closely examine their own planning and response and capabilities and to apply the appropriate mitigation measures across the country. So I'll end there and turn it back over to Under Secretary Jamison and to you all for questions. Thank you very much.
Question: Hi, Jim Fellon, CNN. In this exercise and if there were to be a large scale attack right now, my first question, very simple, is who's in charge?
Under Secretary Jamison: Who's in charge from what perspective?
Question: Who's in charge period, for responding to an attack?
Under Secretary Jamison: First of all, let me answer in a couple of ways. One, DHS has the roles and responsibilities for cyber security and infrastructure protection so we have a lead role in protection of cyber space from the ".gov" domain as well as the private sector domain to help it coordinate and work through those situations.
If you are referring more to the cyber security initiatives, I think one of the important things to know about that is across the federal government we've got lots of skill sets, lots of resources that need to be leveraged together to make sure that the federal government responds most effectively. So we've got a coordinating role to help leverage those resources together so that we work together.
We are testing those relationships and those concepts of operations this week and as a result I'm sure there will be many lessons learned and there we'll be much able to better respond as an interagency, but DHS does have a lead role.
Assistant Secretary Garcia: I would also add that it's important to note that the internet and all of the networks, corporate and government and otherwise that are connected to the internet, it is widely distributed. There is no central control of the internet or the networks, so it is incumbent upon DHS as the central coordinating role to ensure through exercises like this and in real world that we have those relationships in place across the government and across the private sector, down to the state level and internationally that together, we're going to be in control of this situation.
Question: Just two quick follow-ups. So within DHS, Under Secretary Jamison, is that you? Are you in charge if there is an attack, for real, tomorrow?
Under Secretary Jamison: It's under my domain, yes. I have several responsibilities one of which is cyber security and communications through Assistant Secretary Garcia's location and I think it's important to note also that one of the things that we're testing this week is also the national response framework. So there is an architecture that we've just released that we leverage as a federal government to respond to any incident, not only cyber security but other incidents and that is in full play in this scenario. So we exercise those relationships and those concepts of operations as well.
Question: One last little thing on that. What about the ".mil" domain? Are they involved in this? I see these airport commercials and stuff; they seem to be saying they're --
Under Secretary Jamison: DoD is playing in this exercise. They play a key role in the military environment for their networks and we are coordinating with them on the response efforts and they have not only scenarios that they're playing with this on but also we're leveraging situational awareness in our responses.
Question: Mr. Jamison, I wanted to know about what you had said earlier about that there are growing threats. In Congressional testimony you've talked about threats from nation-states like China and also organized crime, terrorism, I guess, freelancers, so to speak. Can you be a little bit more specific, of all those or name one I didn't mention, what is the scariest threat that is growing and what types of threats, can you tell me?
Under Secretary Jamison: Well, first of all I'm not going to comment on any specific classified information or any specific threat streams and some of the things you've attributed to my testimony probably aren't accurate, especially from a nation-state perspective. But I will comment on this. We're trying to simulate sophisticated adversaries, so they're bearing everything from terrorists to activists to organized crime type scenarios is what we're trying to simulate in this exercise. And we're also trying to utilize real world type of events. So botnets, phishing, denial of service events, those of the types of things that we are testing and working together; and what has separated this exercise somewhat from Cyber Storm I, this was an 18-month planning effort and one of the things we did is we got all of our partners involved in the sectors, in our federal government agencies, involved early in that process and they were able to put in an impact the injects into the exercise so it's much more real world in issues that they're dealing with every day in those sectors and it makes it a much more realistic exercise.
Question: Just a follow-up. What are you more worried about, nation-state or organized crime?
Under Secretary Jamison: I think we've been clear on that. We're worried about all of the threats in the cyber domain and as we prepare and get better from a defensive posture standpoint, many of the things that we are doing in the cyber initiative it addresses the threat landscape and it's important that we don't isolate one threat and that we prepare and respond and have a comprehensive defensive --
Assistant Secretary Garcia: And I would also, and not to oversimplify, but another threat which this exercise is intended to address is complacency and lack of awareness. We need to be paying attention to this on an on-going basis, every day and exercise our ability to share information and to gain the situational awareness we need to know what's going on on our networks regardless of where the threat is coming from. But I think the fact that there is such a large attendance here today, I think testifies to the fact that interest is growing; awareness is growing and people are starting to get it. So I'd like to overcome complacency and that's what the exercise is intended to do.
Question: You mentioned that being in the room, the scenario you gave, and chem will run over to Pennsylvania and so forth, so much of it is about coordination so is there a distribution of these players beyond the room so to speak in different areas in different countries?
Under Secretary Jamison: Absolutely. So for instance US-CERT is playing at US-CERT with the exception of when we're thrown in scenarios that would might force us into a coup situation or we would have to relocate. We're trying to be real time and test our redundancy and our back-up systems as well.
So we have got a coordination exercise center here, but the players are playing at their normal operations areas, and even in the sectors, the communications back to those sectors we are trying to simulate this in a real world environment.
Companies and countries, and governments, the feedback that I have been hearing is you know, one company with a global presence is exercising their incident response on their own networks for the first time on a global basis. And they are seeing what needs to be improved there, where their foreign offices have not experienced this type of necessity for coordination before, and the same with a foreign government, it is very interesting.
Question: Secretary, could you tell us if since you are exercising the draft provisions to the National Response Framework during Cyber Storm II, is there going to be a separate evaluation of those recommendations. They are still in draft form, obviously they haven't been finalized yet. Is there going to be a separate evaluation of those within homeland security?
Assistant Secretary Garcia: We are going to evaluate everything in the exercise. When we have got a "hot wash" process evaluated we will have an action report. I don't think you will see results separated from the overall action report of the exercise.
Question: You said you have learned some lessons already, what are they?
Assistant Secretary Garcia: Well I think that the most important lesson is the coordination and the information sharing has gone much better through the formalized processes that we have through the sector coordinating council and the government coordinating council structures in the ISAC structures that we have in place.
I don't want to go into specifics, but I think some of the redundancies and some of the issues that we have in place to test when we lose a particular communication vehicle has been tested. And we have learned some lessons on how well some of our partners are trained in that and some of our own components are trained in that. And that is a big lesson learned.
But I think the biggest learned is it comes down to a lot of the priorities that we have always placed in emergency response and homeland security is no substitute for having established relationships and knowing who is on the other end of the phone. And having tested the capabilities to respond and prepare together. And that is a big lesson learned.
And as I mentioned earlier, by having everybody involved in the -- development process and the planning process from the very start, we have got a much better, accurate response scenario and were able to test some of the processes we put in place.
Under Secretary Jamison: And that is an interesting place. To pick up on that, is that the companies, everyone who was involved helped to design the exercise according to their specific objectives. Company X's objectives for the cyber exercise, we need to test our vulnerabilities here, so therefore these are the kinds of threats and attacks we need to see coming at us for us to test that ability.
And so it isn't just DHS who is learning the lessons since Cyber Storm I, but it's the companies who have applied their own real-world experiences running their operations and developing scenarios that are going to test those operations where they have been able to learn from that, and then build that into planning for Cyber Storm II.
Question: After the four days so far, what have you learned is the greatest vulnerability aside from the information sharing, and how has that changed, first of all? And second question is about privacy. In order to protect networks you need to monitor networks, and Admiral McConnell in The New Yorker piece said that if you think the FISA legislation was a difficult issue, this is going to be much, much, much more difficult. So, how do you deal with that?
Assistant Secretary Garcia: First of all, let me address the privacy issues. So, if you are referring to some of the things that we are working on the cyber initiative, privacy is the top concern for DHS. And as I testified to a few weeks ago, what we are talking about is really deploying comprehensive intrusion detection capability across the ".gov" networks.
So it is taking existing type of intrusion detection capability that many if not all of the agencies currently have, but the big difference is making sure that it is consistently deployed and comprehensively deployed at all of our Internet access points. And we have got one point of comprehensive situational awareness.
We have already got a Privacy Impact Assessment on our current EINSTEIN capability. We are going to pursue another Privacy Impact Assessment on the next level of real-time intrusion detection capability. And it remains a top concern for us.
Question: But don't you need to protect outside of the gate? I mean, if people wait for something to come in the gate, it is usually too late.
Assistant Secretary Garcia: Well the effort currently, right now, is focused on ".gov" and federal networks and protecting them. We are looking -- through this exercise scenario we are testing the broader cyber domain. But from the cyber initiative perspective, we are focused on that in the initial stages.
We realize we have got to have a strong partnership with the private sector and industry, and we are continuing to work with them on how we leverage the best of both worlds, government and private sector have more comprehensive defense.
But I think that those statements are inaccurate to accurate from a privacy concern standpoint it is one of the top issues on the department's radar.
Question: Could you just explain for the -- what did Admiral McConnell mean when he said it was going to be very, very difficult?
Assistant Secretary Garcia: I am not going to comment. I wasn't in that interview and I am not going to comment on Admiral McConnell's comments. I can talk about DHS and talk about what we are trying to do from a focus standpoint of improving a comprehensive situational awareness. You will have to refer those questions to Admiral McConnell.
Question: Do you have some arrangement with private industry for them to share when they have break-ins? I mean, do you have any -- I understand that is sensitive information for them, but are they sharing that information with you? How do you know they are actually protecting themselves?
Assistant Secretary Garcia: We have an arrangement under law called the PCII, the Protected Critical Infrastructure Information, by which companies are able to share information with the government with the understanding that it will be protected.
Question: Able or required?
Assistant Secretary Garcia: Sorry?
Question: Able or required?
Assistant Secretary Garcia: Able? No, no, no, it is voluntary information sharing and all the companies that have been a part of this exercise are voluntarily providing some of their own sensitive information to the development of the scenarios. And that really is the key as Under Secretary Jamison said, to any successful exercise or any successful partnership is trusted information sharing relationships.
If you don't have those, we are not going to be able to have that combined correlated situational awareness that we need to see patterns across the networks that may indicate what a particular attack vector looks like and where it is coming from.
Question: How can you see -- over the course of a year or something?
Assistant Secretary Garcia: Sorry, say it again?
Question: How often, over the course of a year, do you get information from some company that they have had something that seems --
Assistant Secretary Garcia: Every day we are sharing information that has a variety of levels of concern. And we work very closely with the various ISACs, as I mentioned, the Information Sharing Analysis Centers, and with other federal partners through an inter-agency group and through DoD.
And every day we are working to analyze that information, analyze the attacks and then take the appropriate steps or advise our partners on the appropriate steps to mitigate that. So this is happening on a regular basis.
Question: How much money is the government proposing to spend on cyber security in '09, and how does that compare to current and former budgets? And you mentioned earlier that the president has been putting a large emphasis on this, has he played a critical role in the boosting of, the presumed boosting of funding both this year and looking ahead?
Assistant Secretary Garcia: Let me comment this way from the standpoint of -- I can comment very specifically on the DHS budget. There are large portions of the budget that are classified, so I can't get into the total budget numbers in this forum. DHS basically, in '08 with a budget supplemental request that another $115 million to deal with this issue, which basically more than doubled our investment in cyber security from a DHS perspective.
And then we asked for another roughly $293 million in '09 to the president's budget request. What that allows us to do is to do what we were just talking about. It allows to more comprehensively deploy our EINSTEIN intrusion detection capability into what I refer to in my earlier remarks, ramp up our response capability, more analysts, more response teams to help agencies in the sectors that deal with cyber intrusions in becoming the center of comprehensive situational awareness across the federal government.
Question: And on the president's involvement --
Assistant Secretary Garcia: I mean, I think this is an important issue for the administration and this is a very important initiative for Secretary Chertoff. It is on Secretary Chertoff's top priorities. And I think as evidence, you can further question the White House, it is an important initiative for us and for the administration.
Question: But you keep mentioning the importance of personal relationship, especially with private industry. It seems to me that would be the biggest, well, one of the biggest vulnerabilities. How deep are your relationships into U.S. industry into the economy, into financial companies? Is there, do you have ten percent you know, just to throw out a number? How much farther do you have to develop these personal relationships or voluntary participation in what did you call it, the PCII?
Under Secretary Jamison: The PCII is the term for how we protect the information. Let me just come in at a broad standpoint and Greg, you can elaborate if you like. You know, over the last several years, we have gone through a detailed process to develop sector specific plans for critical infrastructure protection. So we have got relationships with every sector, both on the government side and on the sector side, in the private or the public sector if it's key to a piece of critical structure.
And so we have dramatically improved our process on how we coordinate, how we work together, how we plan together and how we will respond together. I don't think you can ever develop enough of those relationships to lose focus on that and to say you have done enough. So we will continue to work on that.
And just as you look at the sector-specific plans, some of them are more mature than other sectors, because they have been dealing with these issues longer and they will always be some disparity about preparation. So we must continue to try to raise all of the sectors and raise their preparedness across the domain.
Assistant Secretary Garcia: Yeah, and you know I would just add that I just can't overemphasize the importance of those relationships. You are simply not going to share information with somebody you don't trust. And you are not going to trust somebody unless you spend some time with them, sitting with them side by side.
And we see this day after day in the U.S. -- as we talk to a very engaged people in the financial services sector, in the IT and communications sector and the water sector. You go down to the floor for the tour after this pen and pad, and a couple of players remarked to me over the week that they would love to see that floor recreated on a 24 by seven basis, where you have industry and government sitting side by side in a room doing that kind of watch and warning activity, because what they are gaining through that process of just sitting next to somebody from a different sector is invaluable, not just in terms of what they are learning, but in terms of the trust relationships that they are building up.
And they need to understand the operational models of you know -- needs to understand how transportation works and transportation needs to understand their interdependencies with the communication sector. And the only you are really going to be able to do that, understand that operationally, is to be sitting side by side with them and having those ongoing relationships.
Question: You mentioned a particular communication. You had some lessons learned in terms of communications and testing communications or when they have been tested, there were some last month. Could you be more specific at all? Is it when communication capabilities were taken down and how you handled that? I know you mentioned the phone was being taken down and the internet. Is that where a lot of the lessons were learned? I'm just trying to get at what really was taught in all of this.
Under Secretary Jamison: I don't want to get too specific, but we spent a lot of time over the last several years working on redundant capabilities, making sure that we do have redundant systems, that we've got priority communication mechanisms and while all those systems worked as usual, I think in any scenario you find out that there is a need to continue to train people on how to use those, continue to train people on the awareness of those mechanisms. So while everything worked fine, it's just a confirmation we need to continue to focus on this and continue to train.
Moderator: We have time for two more questions.
Question: In a response exercise like this, is the idea to see if players can (inaudible) going with different injects thrown at them or is it to figure out where the attacks came from and somehow track them? It seems to be very difficult to track cyber attacks so how much of this exercise is based on the forensic aspect of it?
Under Secretary Jamison: I'd say the most important thing they're trying to do is to try to use their analytical skills and their ability to discern from normal everyday types of traffic or scenarios, outages, spear phishing, those types of attacks from a more sophisticated, targeted attack that is much more wearisome and requires a much different response. So as far as going back and tracking, there is some play in trying to do analysis to determine where the attack vectors are and there's also a lot play of trying to determine what constitutes the most serious threat.
Question: Can you all talk about some things that were unexpected? I mean, you said you guys spent 18 months planning this thing so obviously this was pretty scripted. What happened that you weren't expecting and what kinds of things, you know, what kinds of scenarios where you put them together produced unexpected results? Can you talk about that?
Under Secretary Jamison: In the future forum when we've actually had the time to go back through and analyze and do the "hot wash" and go through the analysis sector --
Question: What about now? I don't understand --
Assistant Secretary Garcia: You know I think I know where you're getting and you say it's tremendously scripted; it's actually not so scripted as you think. The players are not aware. The players are not aware of what's coming at them next. And that's where the test is. You have a control center that's doing a lot of the injects.
Question: -- I was actually asking from your vantage point, what happened, what interactions caused unexpected results that you observed?
Assistant Secretary Garcia: And I would stay tuned for the after action report because the Under Secretary and I have not been intimately engaged in every step of the playing process. So I think there will be a lot of unexpected things that occurred and that will be brought out in the after action report.
Question: Do you think that the after action report, I think you said isn`t due until late summer. Here we are gearing up for this major cyber security effort, (inaudible) money being spent. Is that too late? Do you need something sooner to incorporate what you learned here into what you`re building?
Under Secretary Jamison: I think we will incorporate all the lessons learned as we go through the development process so the question was out there earlier is ".mil" playing; yes. The JTFGNO and our other partners and their interagency that are key to our success in cyber initiative are playing. We've already developed some new concept of operations that were in play this week that we're testing to get better at that comprehensive situational awareness. And I'm sure as we continue to meet daily on our development of the cyber initiative we can incorporate lessons learned without waiting for a formal action report that will probably play more of a basis for the development of the next exercises as we go forward. So we want to make sure we go through all of the process to accurately reflect what came out of the after action but that's going to prevent us from taking lessons learned and injecting them into the cyber initiative.
For Immediate Release
Office of the Press Secretary