More Than a Game

Computerworld - London, Dec. 21, 9:02 a.m.: The secretary to the president of Big Dollar Credit in London gets a phone call: "You have not lived up to your obligation. You will pay." She reports it to you. As the IT manager, do you care?

Two days later, a mass of electronic trading services goes off-line. Then they're back online. Next, the phones go down at two of your trading partners' sites. Bombing threats are lodged against six London banking outlets. Now you care. But what do you do?

Welcome to a typical cyberterrorism exercise.

The purpose of the game is to rattle you, shake your confidence and push you into making critical mistakes. In so doing, your opponent wins the cyberwar, something U.S. government officials and many IT professionals think is more likely to happen since Sept. 11. In a June survey, 55% of 395 IT professionals at manufacturing, service, technology and other companies said they think it's very likely that utility grids, financial institutions, communications systems and transportation infrastructure will be the target of a major cyberattack in the next 12 months, according to the Business Software Alliance, a Washington-based software vendor lobbyist group, which conducted the poll.

Credit: Anastasia Vasilakis

The issue facing corporations and their IT departments is how to prepare and work with a cross-section of key players, including companies in other industries, emergency services, law enforcement and government agencies, so that all can effectively play their roles in a recovery from an attack on the nation's critical networked infrastructure.

"We depend on oil and gas lines being operational, but you lose some of those dependencies when a cyber and physical attack hit simultaneously. How do you recover? How do you report?" says James Sample, manager of information security at the California Independent System Operator (ISO) in Folsom, Calif., the state's energy grid operator.

The best way to prepare is through practice, say Sample and other experts.

The number of counter-cyberattack practice games being carried out is still relatively low. But since Sept. 11, more exercises have become available than ever before. For example, the Bethesda, Md.-based SANS Institute, a security education group, will hold an exercise in Washington next month. And the Seattle-based Pacific Northwest Economic Region, a regional economic development forum, has launched a cyberdefense training program called Blue Cascades, which conducted exercises in June that were attended by the California ISO and 120 electric power industry representatives from the Pacific Northwest and Canada.