Cyber Storm 2020 could be DHS’s most rigorous drill for critical infrastructure yet

Cyber Storm, now in its seventh iteration, has grown more elaborate over the years, coinciding with real-world efforts by adversaries to probe U.S. infrastructure.
DHS Cyber Storm
The Cyber Storm scenario will include multiple “injects,” or abrupt changes to the threat environment, during the training. (Getty Images)

Every two years, the Department of Homeland Security hosts a large-scale exercise to test critical infrastructure companies’  ability to respond to a disruptive, hypothetical cyberattack. With more threat data to draw on than ever, DHS officials hope next spring’s Cyber Storm exercise will be the most rigorous test of participants’ response plans to date, driving home the interdependence of critical infrastructure sectors in new ways.

Cyber Storm 2020 will focus more on collaborating with state and local officials to recover from an incident than previous drills, according to Brian Harrell, assistant director for infrastructure security at DHS’s Cybersecurity and Infrastructure Security Agency (CISA). In another twist, planners are looking to incorporate insider threats into the scenario, he said.

Participants, which are expected to include representatives of the energy, financial and communications sectors, cyberthreat information-sharing organizations, and other federal agencies, will have to “bring a [hypothetical] cyber incident to resolution as quickly as possible… [to] restore some of these key services as quickly as we can,” Harrell told CyberScoop. They will likely have to contend with distributed denial-of-service attacks and data exfiltration and manipulation, according to CISA officials.

This will be the seventh iteration of Cyber Storm. The event has grown more elaborate over the years, with the 2018 version drawing over 1,000 participants, many from their own locations across the country. Jeanette Manfra, CISA’s assistant director for cybersecurity and communications, said the agency expects more participants for Cyber Storm 2020.


“We will continue to test a lot of different incident response[s],” Manfra told CyberScoop. “But it will be at a ‘catastrophic’ scale. At Cyber Storm, you always try to get to a nationally significant sort of event so that you can exercise those really big kinds of responses.”

“In 2020, we will be integrating new partners and testing and evaluating the National Cyber Incident Response Plan in a simulated multi-sector cyberattack targeting critical functions,” she said. “Cyber Storm 2020 is open to all critical infrastructure sectors that will enable us to look more broadly at cross-sector issues.”

The scenario will include multiple “injects,” or abrupt changes to the threat environment, that participants have to respond to, according to Manfra. The same scenario will be incorporated into a sweeping National Level Exercise hosted by DHS’s Federal Emergency Management Agency next year.

As state-sponsored hacking groups linked with Russia, in particular, have probed the networks of U.S. critical infrastructure companies, those companies have looked to more thoroughly drill for attempts to disrupt their networks. Cyber Storm will be one of multiple exercises in the coming months that will provide an opportunity to do that.

The goal of the exercises is to push participants to consider threats coming from an array of vectors, including those they hadn’t considered before. Cyber Storm 2020, in particular, will also be a good measure of how CISA, which was formally established as a new agency last year, is maturing.


“It’s a great opportunity for us to test our own capabilities and processes,” Harrell said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts