RSA: New Zealand’s Lessons Learned in Cyber Storm II

Earlier this month, New Zealand completed its second Cyber Storm. Sponsored by the U.S. Department of Homeland Security Cyber Storm II gathered together about 2,500 people from New Zealand, Australia, Canada, the United Kingdom and the U.S. to play out several cyber attack scenarios in which critical parts of the infrastructure were disabled by computer threats. Although the results of Cyber Storm II are not expected to be made public until August, some of the participants shared their thoughts on the experience at the RSA Conference in San Francisco this week. [Editor’s note: For indepth CSO coverage on security simulations, see Red Team vs. Blue Team and How to Run a Tabletop Exercise]

Paul McKitrick, manager of New Zealand’s Centre for Critical Infrastructure Protection, sat down with IDG News at the conference to talk about Cyber Storm II. Following is an edited transcript of the interview.

IDG News: What was the extent of New Zealand’s participation in Cyber Storm II?

Paul McKitrick: We had about 30 organizations from the private sector in New Zealand. We had 10 government departments participate. And we had four sectors that we focused our scenarios around: they were banking, energy — and it was more around the power distribution companies — government, and IT and telco.

IDGNS: How did that compare with last time?

McKitrick: Last time it was six private sector organizations and six government departments. Last time it was pretty much a table top exercise. Cyber Storm II was real time over three days: 72 hours live play.

IDGNS: How prepared is New Zealand for a cyber attack?

McKitrick: I think we’re prepared, but we can always improve. This identified opportunities where we can streamline our approach to things. Even in the planning process, organizations got so much from the fact that an organization would talk to one of its teams, saying, “Right this is the scenario we’re looking at, how would this affect you?” And they would say, “Oh we’re not too sure, actually. We might do X, Y, or Z,” And they’d say, “What standard operating procedure would you use?” and they’d hear “Well we actually don’t have one.”

So there were things that they were doing before the exercise internally that helped realign their processes.

IDGNS: What did you learn from this?

McKitrick: The benefit of exercising. In my mind it’s going to be one of the key ways we meet our mandate in New Zealand. It gives people a way to shine in some respects. Your guys that are on the front lines quite often they don’t get tested. They’re bogged down with the day-to-day, business-as-usual things. This is a chance to really push them and give them a chance to step up.

You can plan and plan and plan, but unless you are testing these plans, you don’t know if they’re going to work.

IDGNS: New Zealand is smaller than the other countries that participated in Cyber Storm. Did that make the exercise different from your perspective?

McKitrick: We can do things differently. Having those official back-channels into an organization, we can do that very effectively and that works. In a big country like America it’s very hard to do that. Here in the U.S. people move around a lot more, so they may not last as long [at their current jobs]. Whereas in New Zealand, things are probably a bit more stationary. Or when people do move, they’ve gone from one critical infrastructure organization to another, so they’re still in the game.