‘Cyber Storm’ drill for critical infrastructure focuses on corruption of key IT services

It is the subtle manipulation of these IT services that advanced hacking campaigns often exploit in the real world.
DHS, Department of Homeland Security, cybersecurity, Cyber Storm
(Getty Images)

In a drill this week that drew some 2,000 participants, the Department of Homeland Security tested the ability of companies in the health care, manufacturing and other key sectors to withstand hypothetical hacking campaigns that compromise the trust users place in key internet services.

The seventh iteration of Cyber Storm, as the biannual exercise is called, focused on what could go wrong when some of the pillars of the internet are corrupted. It is the subtle manipulation of these IT services that advanced hacking campaigns often exploit in the real world.

The simulation featured compromised certificate authorities, which deem software trustworthy, attacks on the Border Gateway Protocol, the internet’s basic routing mechanism, and the subversion of domain name system (DNS) records, which help send a user to a website that is not malicious.

“[I]t was clear that many organizations do not have a full understanding of their reliance on third-party services,” said Brian Harrell, assistant director of DHS’s Cybersecurity and Infrastructure Security Agency who was partly responsible for planning the exercise. “Just because you think you are compliant and secure doesn’t necessarily mean that the folks that you rely on in your time of need are equally as secure.”


But on the whole, Harrell said, critical infrastructure companies have improved their defenses in response to the years of drilling.

Participants, which also included state and local officials and U.S. law enforcement and intelligence representatives, had to respond to “a nationally significant incident where companies lost control” of their DNS registries, Harrell told reporters Friday.

Ransomware, denial-of-service attacks and insider threats all played a part in the scenario, which featured varied hacking groups with different skill levels that were bent on undermining confidence in IT systems. Participants used information-sharing centers to map malicious behavior and piece together the attacks that were unfolding.

DNS records have been an abiding concern for CISA, which monitors the security of civilian agencies of the U.S. government. In January 2019, CISA issued an “emergency order” for agencies to secure their domain login credentials following reports of a cyber-espionage campaign that manipulated DNS records.

The coronavirus pandemic forced Cyber Storm to move from the spring to August. But it also gave exercise planners a chance to alter the scenario to account for another threat. CISA officials and private-sector analysts have repeatedly warned of how hackers are targeting virtual private networking software and other technology that companies use to telework during the pandemic.


“Corporations have transformed their traditional workplace model…under the strain of COVID,” Harrell said. “We saw that during the exercise.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts