Cyberterrorism drill set

Federal, state and local government officials are partnering with representatives from the private sector and the utilities community in a cyberterrorism exercise designed to identify the links between them in defending — and responding to — a cyberattack.

Operation Dark Screen, the brainchild of Rep. Ciro Rodriguez (D-Texas), is a three-phased exercise that will help all the players involved better understand their roles in preparing for, recovering from and protecting the nation's critical infrastructure during a cyberattack.

"A lot of people think about chemical, biological and nuclear attacks, but very few people think about the cyber," Rodriguez said. "Anyone who is going to hit us, it's going to be a combination of those."

For example, hackers might infiltrate the computer systems that control San Antonio's power grid to attempt shutting off electricity across the city. Officials from the Air Intelligence Agency (AIA) at Lackland Air Force Base, Texas, after tracking the hackers' movements, would notify the local utility company, as well as federal, state and local law enforcement officials, who would apprehend the criminals.

That's how the scenario should play out — and what Dark Screen will test — but today, a lack of information sharing and response procedures among the levels of government and the private sector could mean a victory for terrorists.

Collaboration is necessary, security experts say, because the private sector controls 85 percent of the nation's critical infrastructure, which includes telecommunications, transportation and essential government services.

A spokesperson for AIA, one of the Dark Screen participants, said the agency has taken part in numerous military intrusion exercises, but this is the first time it is participating in a civilian-led exercise involving so many different groups.

AIA is serving as an adviser to the civilian and community participants because agency officials feel their participation "will help to improve the security of the complex infrastructures in the San Antonio area," the spokesperson said. "As a community partner and major user of at-risk utilities, it is to the [AIA's] advantage to assist in helping to preclude cyberattacks on these valuable assets."

Lessons to be Learned

Dark Screen's first phase, scheduled for September, will be a tabletop exercise in which a still-to-be-determined cyberattack will be played out and all participants will respond, said Gregory White, technical director of the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio, which is leading the planning and execution of Dark Screen.

AIA has assumed a leadership role in bringing together various stakeholders, including representatives from the city, the county, the Army, the Air Force, the state attorney general's office, the FBI, the private sector and many others.

The second phase of Dark Screen will focus on applying the lessons learned from the tabletop exercise, and the third phase, to take place next May, will be a live exercise using actual attempts to penetrate networks, White said. He added that the final phase is "greatly to be defined," but will involve "testing notification and alert chains."

"We can do it on paper, but by bringing everybody together at one time, we can see who is prepared to do that," White said. "What we do here is applicable across the nation."

John Pike, director of the nonprofit organization GlobalSecurity. org, said the exercise was a welcome break from tradition.

The usual all-talk-and-no-action stance on cyberattacks is "rather strange, given the number of emergency response exercises that are conducted to anticipate other problems, such as hazardous materials spills or nuclear accidents," he said. He added that actual exercises are needed to "rehearse response measures."

The Defense Department frequently conducts exercises in which it pays companies to penetrate their systems, but Dark Screen will "help identify the interdependencies and linkages between the different sectors," White said.

San Antonio officials plan to "review and modify" their infrastructure security measures based on the Dark Screen findings, said Mike Miller, the city's emergency management coordinator.

"We hope to identify quick fixes and implement those quickly, as well as look at long-term issues that will take more time and resources to implement," said Miller, who is also assistant chief of the city's fire department. "The most important thing that we hope to get out of the exercise is securing San Antonio's infrastructure to maintain all aspects of the quality of life for our community. We also will share our experiences with other communities to help them be better prepared."

Inside and Out

The City Public Service (CPS), the utility provider for 560,000 electric and 302,000 gas customers in San Antonio, hopes to improve not only its internal mechanisms, but also its external communications through Dark Screen, according to Charles Lenz, manager of CPS' technology services.

Lenz said that his group would like "a more integrated and formal internal approach to dealing with cyber incidents, as well as increased communication with external sectors regarding cybersecurity issues." He added that the lessons learned "will be evaluated internally and, where warranted, additional resources and/or processes acquired or defined."

Lenz and Miller both said the only event that comes close to what all of these organizations are attempting to do with Dark Screen was the Year 2000 rollover. "Y2K was the last time we did this type of an event, with a tabletop before the actual Y2K event," Miller said.

Rodriguez said the idea for Dark Screen was hatched over a year ago, after the collision between a U.S. EP-3 spy plane and a Chinese fighter jet in which the Chinese pilot was killed.

That incident set off a series of activities by U.S. and Chinese hackers, and lawmakers received reports that cyberattacks against the Energy Department and DOD increased during that time, he said. "Every time there's an international crisis, the hits are a little higher."

Rodriguez said the need for a cyber military exercise was evident back then, before the Sept. 11 terrorist attacks. Right after the attacks, when phones were useless and one of the few means of communication was by using wireless handheld devices, the need to identify how the nation would respond to a full-scale cyberattack became critical.

"We really need to see what we can do," because what if the 911 emergency phone service goes down or financial institutions are hit, Rodriguez said. "I recognize that participating in this exercise may raise concerns about the privacy of individuals, proprietary business information, classified information and existing vulnerabilities, and these issues will be fully examined and addressed in the planning stage" (see box).

Currently, all Dark Screen participants are paying their own way, which hasn't cost much in the planning stages, but Rodriguez said he has asked DOD for $500,000 to pay for next year's live exercise.

Meanwhile, the lobbying efforts continue. Rodriguez said he had a meeting July 11 with John Tritak, director of the Critical Infrastructure Assurance Office, and that Tritak would be hosting a town hall meeting on cyberterrorism in San Antonio in September, either right before or after the first phase of Dark Screen. Tritak could not be reached for comment.

***

This is a test

Officials from the public and private sectors plan to conduct a series of exercises in which they will coordinate their responses to cyberattacks.

Operation Dark Screen has three phases:

1. A tabletop exercise for public and private officials to play out a scenario in which critical systems come under attack.

2. Applying lessons learned from the tabletop exercise.

3. A live exercise, which will include attempts to penetrate networks.