Reflecting on the seventh iteration of the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cyber Storm Exercise that concluded late yesterday, Assistant Director for Infrastructure Security Brian Harrell is warning that many organizations fail to understand the security of third-party services that they rely on.
“Just because you think you are compliant and secure doesn’t necessarily mean that the folks that you rely on at your time of need are equally as secure,” Harrell said at a press briefing today about the exercise. “This was our opportunity to highlight the fact that you need to go beyond your own program and ask some very probing questions from some of the vendors that you lean on.”
Harrell said that CISA hosted a “hotwash” debriefing on the exercise with participants earlier today. From that effort, other key takeaways include the usefulness of communication and coordination in a distributed environment, the importance of cross-sector coordination during a cyber event, and the value of tools like Information Sharing and Analysis Centers (ISACs).
Because of the ISACs, participants were able to “put puzzle pieces together, analyze them, and push it to the authorities in the government, and also push it to stakeholders within industry so that we can all understand the mitigation measures and get better,” Harrell said.
While CISA officials did not reveal too many details about the cyber scenario participants practiced, they said it was not related to election security issues, as participants already practiced election preparedness during a July Tabletop the Vote event.
Lisa Beury-Russo, a cybersecurity planning and exercises official at CISA, explained that the scenario centered around processes affecting internet infrastructure.
“The core scenario was really focused on some of those key processes and infrastructure underlying the internet, specifically DNS [domain name system] certificate authority, BGP [border gateway protocol],” she said. During the exercise, participants received indicators to help their teams identify the issues. In this iteration, the indicators included ransomware, data breaches, denial of service, routing issues, and a few insider threat scenarios.
Harrell added that the exercise has “no perfect solution,” but said that the best course of action relied on knowing the organization’s boundaries, making sure security is integrated into every step of the organization’s processes, and never assuming that anything is good before a full analysis of the environment.
The exercise scenario was designed to push participants to examine their organization’s capability to protect against and prepare for cyberattacks, exercise strategic decision-making, perform interagency coordination, validate information sharing, and examine means to share sensitive information across boundaries, Harrell said.
He continued, “Beyond their own internal plans and playbook exercise, participants practiced the coordination mechanisms and evaluated the effectiveness of the National Cyber Incident Response Plan.”
The 2020 National Cyber Storm Exercise hosted about 2,000 Federal, state and local, private, and international participants from several critical infrastructure sectors. CISA is planning to release a full report on the outcomes of and findings from the exercise in the coming months, per Harrell.