Hackers could whip up a Cyber Storm

It’s somewhat ironic that the report of the latest Cyber Storm exercise, released yesterday, runs to just four pages, and that’s including the cover page and index.

One of the main aims of last year’s infosec geek-fest was to improve information sharing across the public and private sector.

Cyber Storm III, held in September last year, involved more than 50 Australian organisations including Telstra, ASX, Woolworths, and ANZ.

The organisers are usually very coy on what exactly is tested during Cyber Storm, but the Americans did reveal the exercise involved “trying to upset the chain of trust” on which the internet depends by compromising two very basic services on which web traffic relies: certificate authority (SSL), and the domain name system (DNS).

Yesterday Attorney General Robert McClelland said the exercise had highlighted gaps within existing government and business cyber incident processes, particularly in regards to escalation procedures.

But there’s little more detail on what exactly those gaps are in the report from former Australian Army intelligence officer Miles Jakeman. While it’s understandable that the government doesn’t want to reveal specific vulnerabilities, the last Cyber Storm report ran to 20 pages and was much more specific about where improvements could be made. It also named all of the companies and government departments that participated, rather than just revealing a selection.

Why is the 2011 report so scant?

The government released the Cybercrime Legislation Amendment Bill 2011 earlier this year to help bring legislation better in line with existing communication methods. But it’s only just commissioned a Cyber Whitepaper, and its cyber security strategy, first released in 2009, remains a work in progress, with a renewed focus on the critical issue of collaboration across jurisdictions and borders.

The Americans have done it a little differently. Their participation in Cyber Storm was specifically designed to try out their national draft plan for responding to major cyberwarfare incidents — the National Cyber Incident Response Plan.

Yesterday the US Department of Defence launched a new Cyber Strategy website aimed at helping the public understand the its consolidated cybersecurity strategy. On the site it will inform the public of its accomplishments to date in how it is protecting the federal government and US critical infrastructure from cyber attacks.

The hacks of RSA Security, Epsilon, Lockheed Martin and Google have clearly driven a much more public response from the US government.

Meanwhile, New Zealand, still reeling from a distributed denial of service attack on the New Zealand Parliament website by hacktivist group Anonymous, has also stepped up its public response to cyber crime with a cyber security strategy of its own.

Cyber Storm is conducted as a ‘no-fault’ exercise, which means it doesn’t obtain a stock-take of participant’s internal crisis management arrangements. And yet that’s exactly what hackers do when deciding who to target.

There’s certainly a fine line between informing the public of what needs to occur for Australia to improve its response to cyber incidents, and giving hackers useful information with which to attack.

But sometimes a little information can be dangerous. Calling out in a report that there are gaps in procedures and processes without also providing more detail on what you’re doing to fix it is an open invitation to hackers to do their worst.