Lessons learned from Cyber Storm II.


24 September 2008

LESSONS LEARNED FROM CYBER STORM II

A detailed report outlining Australia’s involvement in the recent international cyber security exercise, Cyber Storm II, was released today by Attorney-General Robert McClelland.

The exercise, led by the United States Department of Homeland Security, allowed the governments and business sectors of Australia, Canada, New Zealand, the United Kingdom and the United States to put their e-security arrangements to the test.

“Cyber Storm II was designed to simulate a significant global incident caused by attacks on critical infrastructure systems via the Internet,” Mr McClelland said.

“The exercise proved Australia’s response arrangements to cyber-attack are sound, but just as importantly, demonstrated areas where improvements can be made.”

“The world’s increasing dependence on electronic communications creates new opportunities for criminals and terrorists. The lessons learned from exercises such as Cyber Storm II help ensure Australia is well placed to combat these threats.”

Australia’s involvement in Cyber Storm II included government agencies, state and territory governments and the largest contingent of private sector organisations ever involved in such an exercise.

“It is a clear demonstration of the strong partnership that has been built between the Rudd Government and business to protect our critical infrastructure,” Mr McClelland said.

Cyber Storm II was held in March in conjunction with the US Department of Homeland Security National Cyber Security Division, the UK's Centre for the Protection of National Infrastructure, Public Safety and Emergency Preparedness Canada and New Zealand's Centre for Critical Infrastructure Protection.

The Cyber Storm II national cyber security exercise final report can be obtained at: Key findings are attached.

Media Contact: Adam Sims 0419 480 224


Finding 1: Effective response is enhanced by routinely reviewing and testing Standard Operating Procedures (SOPs), Incident Response Plans and/or crisis management arrangements.

Effective response to a cyber crisis is significantly enhanced by having tested procedures or arrangements, in which crisis-management relationships in the cyber response community are regularly reviewed to solidify communications paths and clarify organisational roles.

Finding 2: Non-crisis interaction among key stakeholders enhances effective crisis response during an incident.

More frequent, non-crisis interaction between various stakeholders involved in protecting the national information infrastructure will enhance real world response capabilities. Established relationships facilitate rapid information sharing among community members and must include relationships across sectors, with suppliers, with vendors and with incident response


Finding 3: Crisis communication procedures, predicated on accurate and appropriate points of contact, must be formalised within contingency planning.

Communication during a crisis significantly impacts the timeliness and effectiveness of responses. A unity of effort can be more effectively maintained when there is a clear understanding of roles and responsibilities and the interfaces between them.

Finding 4: Cyber crises require a tailored response that takes into account multiple interdependencies.

The borderless nature of cyber attacks, and the speed with which they can escalate across infrastructure sectors, was demonstrated in Cyber Storm II. Contingency planning must include potential flow-on effects.

Finding 5: Developing internal reporting and external notification thresholds assists in effective incident response by creating better situational awareness.

Identifying the problem, rather than simply addressing the symptoms, is critical to effective cyber incident response. In order to ensure situational awareness within and between organisations, clear notification thresholds should be developed and promulgated so that technical incident responders know when escalation internally or externally is necessary.

Finding 6: Attempts to facilitate an interactive international game were hampered by time zone differences, isolated scenario building and unexpected player actions.

International play was not extensive in the Australian national exercise. A longer pre-exercise build up, a longer exercise duration (to account for the 18 hour difference between Wellington and Washington) and more international communication during the exercise planning phase will need to be incorporated into Cyber Storm III.