Homeland Security Tests Response to Cyber Attack
STEVE INSKEEP, host:
We can't tell you the whole story here, only part of it. The government last week hosted a major security exercise. It was designed to simulate an international cyber attack. In it, hackers attacked the phone network so it became hard to call 911 and then they hit the Internet. And then - we don't actually know what happened next, because though the government invited the media to take a peek, officials do not want to give away too many secrets.
NPR's David Kestenbaum reports on what we do know.
DAVID KESTENBAUM: Here is what we can tell you. the drill was called Cyber Storm Two. There were participants from five countries, 11 cabinet level agencies, nine states and over 40 private sector companies. No computers were actually hacked. It's all play, designed to test everyone's ability to communicate and respond.
About a dozen journalists met at the nerve center for the drill, which was Secret Service headquarters. That's not secret, it's on H Street. A sign in the lobby read 100 percent I.D. check, but no one ever asked for my I.D.
A man put his card on the scanner by the turnstiles, we walked through metal detectors, and were taken inside to a small conference room for a briefing. And in brief, the message we got was this: one, cyber threats are a concern and two, the government is on the case. Here's Department of Homeland Security Under Secretary Robert Jamison.
Under Secretary ROBERT JAMISON (Department of Homeland Security): We're concerned that the threats are real and growing. That they're more sophisticated, more targeted, more frequent.
KESTENBAUM: Jamison did not offer details. The government is hearing more reports of attacks, but some of the increase is due to the fact that more people are reporting them.
In January, the CIA said it had evidence that cyber attacks had caused power outages in multiple cities, though cities outside the U.S.
Reporters asked questions like: what are you most concerned about, attacks from China, terrorists, active attackers?
Undersecretary JAMISON: Well, first of all, I'm not going to comment on any specific classified information or any specific threat streams.
KESTENBAUM: Jamison was trying to walk a fine line here. On the one hand, the government knows it needs to work with the press, especially if there is an attack.
One lesson from the previous Cyber Storm exercise was that while hackers could be dangerous so could the media. The final report said, quote, "more damage could have occurred as a result of erroneous and panicked public response to incorrect media coverage than by actual attacks by the adversary."
On the other hand, the government wants to protect information, because it needs the trust and cooperation of private companies - companies that run the electric grid, the phone networks, financial institutions. Those places don't always like to share information about cyber attacks.
After the press conference reporters were finally allowed to peek in and watch the exercise in action. In the room, players sat at computers with flat screen monitors, typing, talking on phones. Then some reporters noticed a poster on the wall. It appeared to list the 100 major hacker attacks in the exercise. A public relations official said, Wait, I think that's sensitive information. Yes, that's off the record. There were clicks of reporters' cameras. And definitely no photographs, she said.
The scene captured a perennial debate in the cyber security community. Is the world safer if people talk about flaws and let programmers of the world to fix them or is it better to keep secrets so the bad guys won't know the weak spots?
Bruce Schneier is a computer security expert and he comes down on the side of openness.
Mr. BRUCE SCHNEIER (Computer security expert): The secrecy is silly. I mean, any competent security expert could come up with a list of 100 attacks. And which ones they do, I mean, it's sort of obvious.
KESTENBAUM: Even so, Schneier, who is critical of many things, says the fine details of this exercise don't really matter. He says I'm just glad they're doing it.
David Kestenbaum, NPR News.
(Soundbite of music)
INSKEEP: This is NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.