Government, business battens hatches following Cyber Storm III

Major ASX-listed companies and government departments have been fine-tuning their cyber security in the months following their participation in international Cyber Storm III exercise, according to Federal Attorney General, Robert McClelland.

Speaking in Canberra about cyber security collaboration and the results of the Cyber Storm III exercise, released today, McClelland said organisations such Telstra, ASX, Woolworths, and ANZ, as well as government departments and agencies, had picked up valuable learnings about crisis management.

“The Cyber Storm III exercise provided a good test of new government processes including the interim cyber security crisis management plan, which allowed agencies to identify gaps and revise processes,” he said.

“Business organisations that participated advised that their internal processes were effectively tested, refined and improved, and that the exercise had provided an invaluable opportunity to engage with their CEOs on the importance of cyber security.”

McClelland said the training exercise revealed many areas where internal and cross-sector partnerships worked effectively to communicate and resolve issues, but also highlighted areas where communications and planning could be further developed.

“While it did highlight gaps within existing government and business cyber incident processes, particularly in regards to escalation procedures, this feedback allows both government and businesses to take steps to improve our cyber security.”

CyberStorm III was run in September 2010 and involved 50 participants were involved including Australian Government and state and territory agencies, and over 30 organisations from the banking and finance, energy, food, transport, water, IT and communications sectors.

The event was run as a ‘no-fault’ exercise, with the strategic national-level objective being to test and evaluate Australia’s new crisis management arrangements in order to most effectively address an international cyber security event of national significance

In its analysis of the effectiveness of the exercise, consultancy Jakeman Business Solutions said Cyber Storm III proved “very successful” in enabling people to practice, learn and review their performance in relation to others working within and across the broader cyber-related crisis management frameworks.

“Indeed, substantial ‘good will’ was generated between government and industry as part of the entire Cyber Storm III activity, and this should continue to be built upon,” the report (PDF) reads.

“The exercise planning and management process allowed for the development of trusted external organisational relationships that would assist in a real cyber event with training, tools and processes provided by [the Attorney General’s Department] serving as a good foundation for future use.

“Australia should continue to plan and undertake regular cyber exercises as part of a broader national and international engagement program that practices and evaluates performances across tactical, operational and strategic levels.”

According to the report, participants also listed the exercise as a cost-effective way of conducting a business continuity or disaster recovery exercise, and as an opportunity to network with people in their organisation and sector that they may need to engage with in a crisis situation.

Further, it provided an opportunity to exercise and test relationships with key vendors and stakeholders across sectors, to explore inter-dependency issues and build new relationships; build stronger resilience into business and supply chains; and, allow for the identification of opportunities for improvement.