Homeland Security Tests Response to Cyber Attack

A major government security exercise intended to find out what would happen in the event of an international cyber attack. Hackers simulated attacks on both the telephone network and the Internet. Although the government invited the media to observe the drill, it didn't reveal too much about how it would handle such a situation.

Copyright © 2008 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

STEVE INSKEEP, host:

We can't tell you the whole story here, only part of it. The government last week hosted a major security exercise. It was designed to simulate an international cyber attack. In it, hackers attacked the phone network so it became hard to call 911 and then they hit the Internet. And then - we don't actually know what happened next, because though the government invited the media to take a peek, officials do not want to give away too many secrets.

NPR's David Kestenbaum reports on what we do know.

DAVID KESTENBAUM: Here is what we can tell you. the drill was called Cyber Storm Two. There were participants from five countries, 11 cabinet level agencies, nine states and over 40 private sector companies. No computers were actually hacked. It's all play, designed to test everyone's ability to communicate and respond.

About a dozen journalists met at the nerve center for the drill, which was Secret Service headquarters. That's not secret, it's on H Street. A sign in the lobby read 100 percent I.D. check, but no one ever asked for my I.D.

A man put his card on the scanner by the turnstiles, we walked through metal detectors, and were taken inside to a small conference room for a briefing. And in brief, the message we got was this: one, cyber threats are a concern and two, the government is on the case. Here's Department of Homeland Security Under Secretary Robert Jamison.

Under Secretary ROBERT JAMISON (Department of Homeland Security): We're concerned that the threats are real and growing. That they're more sophisticated, more targeted, more frequent.

KESTENBAUM: Jamison did not offer details. The government is hearing more reports of attacks, but some of the increase is due to the fact that more people are reporting them.

In January, the CIA said it had evidence that cyber attacks had caused power outages in multiple cities, though cities outside the U.S.

Reporters asked questions like: what are you most concerned about, attacks from China, terrorists, active attackers?

Undersecretary JAMISON: Well, first of all, I'm not going to comment on any specific classified information or any specific threat streams.

KESTENBAUM: Jamison was trying to walk a fine line here. On the one hand, the government knows it needs to work with the press, especially if there is an attack.

One lesson from the previous Cyber Storm exercise was that while hackers could be dangerous so could the media. The final report said, quote, "more damage could have occurred as a result of erroneous and panicked public response to incorrect media coverage than by actual attacks by the adversary."

On the other hand, the government wants to protect information, because it needs the trust and cooperation of private companies - companies that run the electric grid, the phone networks, financial institutions. Those places don't always like to share information about cyber attacks.

After the press conference reporters were finally allowed to peek in and watch the exercise in action. In the room, players sat at computers with flat screen monitors, typing, talking on phones. Then some reporters noticed a poster on the wall. It appeared to list the 100 major hacker attacks in the exercise. A public relations official said, Wait, I think that's sensitive information. Yes, that's off the record. There were clicks of reporters' cameras. And definitely no photographs, she said.

The scene captured a perennial debate in the cyber security community. Is the world safer if people talk about flaws and let programmers of the world to fix them or is it better to keep secrets so the bad guys won't know the weak spots?

Bruce Schneier is a computer security expert and he comes down on the side of openness.

Mr. BRUCE SCHNEIER (Computer security expert): The secrecy is silly. I mean, any competent security expert could come up with a list of 100 attacks. And which ones they do, I mean, it's sort of obvious.

KESTENBAUM: Even so, Schneier, who is critical of many things, says the fine details of this exercise don't really matter. He says I'm just glad they're doing it.

David Kestenbaum, NPR News.

(Soundbite of music)

INSKEEP: This is NPR News.

Copyright © 2008 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.