Skip to main content

Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise

GAO-08-825 Published: Sep 09, 2008. Publicly Released: Sep 16, 2008.
Jump To:
Skip to Highlights

Highlights

Federal policies establish the Department of Homeland Security (DHS) as the focal point for the security of cyberspace. As part of its responsibilities, DHS is required to coordinate cyber attack exercises to strengthen public and private incident response capabilities. One major exercise program, called Cyber Storm, is a large-scale simulation of multiple concurrent cyber attacks involving the federal government, states, foreign governments, and private industry. To date, DHS has conducted Cyber Storm exercises in 2006 and 2008. GAO agreed to (1) identify the lessons that DHS learned from the first Cyber Storm exercise, (2) assess DHS's efforts to address the lessons learned from this exercise, and (3) identify key participants' views of their experiences during the second Cyber Storm exercise. To do so, GAO evaluated documentation of corrective activities and interviewed federal, state, and private sector officials.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security Given the importance of continuously improving cyber exercises, the Secretary of Homeland Security should direct the Assistant Secretary for Cybersecurity and Communications to ensure the scheduling and completion of the corrective actions addressing lessons learned during Cyber Storm I before conducting the next Cyber Storm Exercise.
Closed – Implemented
As of September 2010 and prior to Cyber Storm III, the Department of Homeland Security (DHS) demonstrated that it had completed all 66 of the corrective actions addressing Cyber Storm I's lessons learned.

Full Report

Topics

Access controlClassified defense informationComputer incident response capabilityComputer securityConfidential communicationsContingency plansCritical infrastructureCritical infrastructure protectionCyber crimesCyber securityFederal agenciesForeign governmentsHomeland securityInformation accessInformation securityInformation technologyInteragency relationsLessons learnedPrivate sectorRisk assessmentRisk managementState governmentsStrategic planningProgram implementation