A well-coordinated attack against multiple critical infrastructure points launched via the Internet could overwhelm the federal government’s ability to respond, according to a report released by the Department of Homeland Security last week on the Cyber Storm exercise conducted in February.
Conducted from Feb. 6-10, 2006, Cyber Storm was an exercise in coordinating public and private sector response to a series of simulated terrorist attacks on Internet-connected critical infrastructure, such as the electrical power grid and air traffic control, as well as general attacks on the integrity of the Internet as a whole, conducted by fake left-leaning groups for political purposes. My favorite part was when the hackers disabled the heating systems in government buildings.
Cyber Storm was conducted on a separate network expressly for the simulation and did not affect any real-world systems, DHS said.
In August, a PowerPoint deck marked For Official Use Only was leaked. It contained details on the attacks launched during the Cyber Storm simulation, as well as on the fake left-leaning groups that conducted the simulated attacks, leading DHS to issue a news release stating in part that “While the scenarios were based on hypothetical situations, they were not intended as a forecast of future terrorist-related events.”
“Exercises like Cyber Storm are essential to our continued efforts to secure cyberspace and America’s cyber assets,” said George W. Foresman, DHS Under Secretary for Preparedness. “We are committed to working with our public, private, and international partners to turn the lessons learned from Cyber Storm into solutions for enhancing our nation’s cyber preparedness and response capabilities.”
As it turns out, they have a lot of work to do.
The report (PDF) documents what went right and what went wrong with the response to the simulated attacks. What went wrong was about what one would expect: The government had a hard time coordinating, not only between its own agencies, but with the private sector, and especially had a hard time with quickly sanitizing classified information derived from intelligence sources for use by the private sector. It also had a hard time communicating with the news media, which was also simulated during the exercise.
The coordination problem is known as the N² problem, where “any given organization ultimately ends up communicating with N squared number of other organizations rather than the sum of all their contacts,” the leaked PowerPoint document noted, adding that the communication between involved parties “becomes exponential rather than geometric.”
While the participants in Cyber Storm were largely successful in responding, they frequently “needed to communicate at the highest levels with appropriate tools requiring correlation, coordination and collaboration,” had to improvise “agreements and relationships to handle unexpected issues,” and had trouble maintaining “cross-sector situational awareness during a coordinated cyber attack campaign,” the report noted.
Most interesting was the admission that the scenario was limited to “critical infrastructure elements, primarily within the energy, IT, and transportation sectors, and secondarily within telecommunications.” This was done to “improve the capability of each player to respond.” I don’t think hackers bent on destruction, or terrorists, will be so nice as to limit their attacks to correspond with the government’s ability, or lack thereof, to respond to them.
In June, the Business Roundtable issued a report saying that “the United States is not sufficiently prepared for a major attack, software incident or natural disaster that would lead to disruption of large parts of the Internet” and that coordinating a response to such an attack or disaster should be turned over to the Department of Homeland Security.
Sep 18, 2006
ex-inmate
Sep 18, 2006
This has to do with your previous writings about the Orange County sheriff’s corruption. I’m remaining anonymous due to the fact that I have seen firsthand what the deputies do to people and have had it happen to me while I was in there and know they will kick my ass. Anyways, just for reference, look into deputies Monroe, Garcia, Zwerner, and Rodriguez. They work 3rd and 4th floor in OCJ main jail.
Marilee Veniegas
Sep 18, 2006
Today CNET/TechRepublic is hoping that filling one of their cybersecurity positions that’s been vacant for over a year will quell some of this criticism, but my feeling is that it’s just adding more chefs in the kitchen and not adding to their readiness plan http://techrepublic.com.com/5208-11183-0.html?forumID=9&threadID=201118&start=0 Mr. Garcia, according to CNET/TR will be the “first assistant secretary for cybersecurity, with responsibility for advising agencies and the private sector.” Garcia won’t exactly have the luxury of moving into the position without knowing what the pressing national security needs are.
But in case Garcia needs help, making sure government secrets and plans don’t escape should be a priority http://www.essentialsecurity.com/news.htm?id=93
You know, he may also want to make sure certain branches of the government, like the Navy aren’t leaking confidential dossiers, just a thought http://www.iwantmyess.com/?p=81
Anarchyx
Sep 19, 2006
Does DHS know you’re hosting the PowerPoint file, that is still marked “FOUO”? Don’t wanna see you get in trouble man…
Michael Hampton
Sep 19, 2006
I don’t really care if they know. It’s all over the Internet at this point, and it was before I put up a copy of it. :)
For the record, I’m fairly sure they know.
Marilee Veniegas
Sep 19, 2006
It took them a year+ to fill the post so I’m thinking it’ll take them longer to realize this blog has that PPT on its site.
Michael Hampton
Sep 19, 2006
You have a point. But what you don’t yet know is that many employees of the Department of Homeland Security read this site regularly, and in fact, their PR firm, Fleishman Hillard, has someone who reads this site.
This is, in part, why I made e-mail addresses optional in the comment form.