The Department of Homeland Security last week completed its latest biennial exercise simulating a major cyber security event, with initial results showing that improvements are being made but also that organizations need to be more aware of potential threats from external sources, a department official said.

One of the key takeaways from the three-day Cyber Storm 2020 event is that “it was clear that many organizations do not have a full understanding of their reliance on third party services,” Brian Harrell, assistant director for Infrastructure Security at the Cybersecurity and Infrastructure Security Agency (CISA), said during a teleconference with reporters last Friday to discuss the exercise.

Even when an organization has a good security program in place that takes care of internal concerns and compliance, security goes beyond that entity to include vendors or possibly “cascading” impacts from other industries that affect “your ability to do reliable services for whatever critical infrastructure sector you’re in,” Harrell said. “I often tell people, ‘Just because you think you are compliant and secure doesn’t necessarily mean that the folks that you rely on in your time of need are equally as secure.’”

Harrell said that organizations need “to ask some very probing questions of some of those vendors that you lean on.”

Overall, based on lessons learned from the sixth iteration of Cyber Storm in 2018, Harrell said, “we are seeing some marketable improvement across the critical infrastructure space.”

Cyber Storm 2020 was a global exercise that involved about 2,000 participants working from their usual places of business from CISA and other federal departments and agencies, state and local governments, the private sector and international organizations, he said. Harrell declined to disclose specific participants but said the federal representatives included law enforcement, intelligence and defense, and that the private sectors represented consisted of manufacturing, healthcare and public health, transportation, information technology, communications, finance and retail.

The simulated scenario included attackers with different skill levels that “waged an all-out campaign” against various sectors aimed at creating doubt around the “confidentiality, integrity and availability triangle for American cyber infrastructure,” Harrell said. Attacks involved things like ransomware, distributed denial of service, compromise of Domain Name Service registries, data breaches and, in some cases, insider threats.

The exercise began last Tuesday, and companies and sectors brought different mitigation strategies to bear to protect themselves. By Wednesday night and early Thursday they had the information they needed to start fixing their problems, Harrell said.

Incident response and remediation around ransomware demonstrated the value of one of the nation’s critical sector entities for analyzing potential threats and solutions and then sharing them with the larger community, he said.

In this case, the Multi-State Information Sharing and Analysis Center (MS-ISAC) came up with a solution, shared it “upstream with CISA and then CISA pushed out the information back down to various ISACs to further disseminate to other participating organizations,” Harrell said.

Election security was not a component of Cyber Storm 2020 given that CISA and its stakeholders have already been routinely conducting exercises to strengthen the nation’s cyber security posture for national elections this November, he said.

Harrell highlighted other initial lessons from the event that included learning “communication and coordination processes” in a distributed world amid the ongoing COVID-19 pandemic, the importance of CISA’s role in coordinating for specific sectors and across sectors, and the value of the ISACs, particularly “in the detection and analysis phase where those groups were able to make connections across various incidents, really starting to put puzzle pieces together, analyze them and push it to the authorities in the government and also push it to stakeholders within industry so that we could all understand the mitigation measures and get better.”

He also said that private sector representatives found their own ways to share information with various partners and the government.

A final report will be published in the near future, Harrell said. The latest Cyber Storm exercise was the first since CISA was established as an operational agency at DHS.