I first blogged about the "Cyber Storm" Cyber Exercise aiming to evaluate the preparedness for cyber attacks of several governments two years ago, and pointed out that :
Morever, Taiwan, too, copycating the U.S, performed a cyber warfare exercise codenamed "Hankuang No. 22" (Han Glory) in 2006 as well, fearing cyber warfare attacks from China.
The new "Cyber Storm" Cyber Exercise, is particularly interesting, especially the initiative to measure the response time to an OPSEC violation in the form of sensitive information leaking on blogs. A very ambitious initiative, given the many other distribution channels, which when combined in a timely manner make it virtually impossible to shut down and censor, the leaked material. What if it gets spammed? Moreover, what's a leak to some, is transparency into the process for others. Cyber Storm II is already a fact whatsoever :
"At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans. 'The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,' said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise. Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest."
The main issue with this type of cyber exercises is that starting with wrong assumptions undermines a great deal of the developments that would follow. Cyber warfare is just an extension of the much broader information warfare as a concept, namely, Lawfare, Econonomic Warfare, PSYOPS, to ultimately end up in an unrestricted warfare stage. Subverting the enemy without fighting with him, that's what offensive cyber warfare is all about, even if you take people's information warfare concept as an example. It's a government tolerated/sponsored activity, whereas the government itself is suverting the enemy without fighting him, but forwarding the process to their collectivism minded citizens. The strong lose, since the adversary is abusing the most unprotected engagement point, thereby underminig the investments made into securing the most visible touch points. A couple of key points to consider in respect to the cyber exercise modelling weakness :
From a strategic perspective, securing and fortifying what you have control of is exactly what the bad guys would simply bypass in their attack process, among the first rules of unrestricted warfare is that there're no rules with the idea to emphasize on the adaptation and going a step beyond the adversary's defense systems in place.
