OAS/CICTE REGIONAL CYBER SECURITY CRISIS MANAGEMENT EXERCISE

June 24, 2013 - Washington, DC

Ms. Anne Witkowsky, Acting Principal Deputy Coordinator for the Bureau of Counterterrorism at the U.S. Department of State,

US Deputy Permanent Representative to the OAS Mr. Lawrence Gumbiner,

Representatives from Member States,
Incident Response Personnel and Cyber Security Policymakers from our OAS Member States,

Colleagues from the OAS, especially Neil Klopfenstein and Juan Jose Goldstein and their respective teams of experts,
Ladies and Gentlemen,

On behalf of the Organization of American States, I would like to welcome you all to our headquarters to participate in the opening of this Regional Cyber Security Crisis Management Exercise (CME). At the outset, I would also like to recognize the government the United States - in particular the Department of State and its Bureau of Counterterrorism – for its continued and very generous support to the OAS and in particular to the CICTE Secretariat. They have enabled us to work so closely with our Member State governments, and made this Cyber mobile lab a meaningful reality.

Ladies and Gentlemen, the timing of this event is critical. Cyber threats and vulnerabilities currently affect people from all walks of life in the Americas and beyond. If you follow news events, you know that there has been an increase in cyber security incidents in most OAS Member States. These are happening with frightening frequency, sometimes with far-reaching and potentially disastrous consequences. It is important to remember that these attacks do not discriminate between nations big or small, and can threaten the critical infrastructure of our nations in unpredictable and undesirable ways. Cyber incidents target all kinds of public and private entities, regardless of political, social, or economic factors. Being unprepared for an attack leaves our societies vulnerable!

The world has never been more interconnected and dependent on the Internet, its networks, and complex information systems. Countless infrastructures on which we rely and largely taken for granted, including energy, transportation, security, communications and financial sectors, health, and social services systems, depend on the Internet. These connected networks function cheaply and efficiently, improving the quality of life for all. In addition, the Internet has allowed business to flourish, has been a vehicle for innovation and economic growth, and has become a tool in the Americas to promote democratic governance and social inclusion. The security gaps in this important piece of our critical infrastructure, however, have also yielded opportunities for criminal, and even terrorist, exploitation.

To help Member States fill these gaps, the OAS designed a series of Cyber Security Crisis Management Exercises (CMEs). Today marks the start of what will be the eighth CME carried out by the Secretariat of the Inter-American Committee against Terrorism (CICTE) and the OAS Department of Information Technology Services (DOITS).

The objectives of this exercise are several. First, the cyber attacks incident responders will face and the situations that will confront policymakers will test Member State officials’ abilities to analyze and mitigate the effects of a well-organized cyber incident targeting various types of critical infrastructure. Second, and more important, this event will test communication mechanisms between countries when responding to cyber incidents, which necessitate transnational collaboration. Finally, this simulation seeks to foster an exchange of best practices and lessons-learned in responding to cyber threats, both technically and at the policy-level. As we have seen in past events, regional exercises connect those involved in day-to-day cyber operations and provide space in which CSIRT operators can share experiences and cultivate the trusting relationships so necessary to successful cyber incident management.

Ladies and Gentlemen, CICTE held its first CME in Miami in 2011. Seven exercises later and two years later, the world – in particular the cyber world – is a much different place, and our exercise has evolved to match changing needs and realities. The OAS has incorporated its own lessons-learned in the design and delivery of its cyber security crisis management exercises.

For one, we have upgraded our infrastructure, both in terms of hardware and virtual computing. The equipment that you see in front of you – laptops, servers, racks, routers, and switches – comprises CICTE’s state of the art mobile laboratory, which was built in 2012 with the financial support of the US Department of State Bureau of Counterterrorism (thank you Ms. Witkowsky) and the collaboration of our OAS DOITS. The lab allows CICTE and DOITS to conduct Crisis Management Exercises anywhere. All we need is electricity. The lab gives us the flexibility to provide Member States with advanced training in a variety of subjects related to information security and cyber incident management.

In addition to upgrading the means to conduct our exercises, we have also rethought function and format. Until now, our exercises have only targeted technical personnel, as our goal was to test coordination among information security technicians within a government when confronted with a large-scale cyber incident. However, participant feedback from CMEs in Colombia, Argentina, Panama, Trinidad and Tobago and Guatemala has shown that it is important to integrate policy-level officials into the exercise. Their participation would encourage a more holistic discussion and facilitates the multi-stakeholder engagement needed for cyber incident prevention and mitigation. Indeed, countries often cite a disconnect between the operational and policy levels of cyber security management as a reason for persistent cyber vulnerability. Over the next two days, we hope to foster a greater understanding and better coordination between these two key groups. In my view, I believe it is important to expand this holistic approach to include legislators, management of large cities with critical infrastructure and the business community.

Past CMEs focused on developing successful procedures to respond to a cyber emergency, and, some have made clear that that is not enough. Some countries have comprehensive incident response plans, but they sit on a shelf and go untested. Today and tomorrow, you will be immersed in a realistic cyber simulation that closely resembles a worst case scenario cyber attack. The incidents you will confront today and tomorrow provide hypothetical situations in which you will have to decide what to do, whom to speak to, and when and how to act. During the simulation, the trainers will ask you to coordinate efforts, share information, decide upon best practices and establish relationships in order to successfully detect, stop and recover from the attacks. The experiences and knowledge that you gather from this exercise will help you better understand and be better prepared to respond to a real situation when it occurs, which, in turn, will fortify your incident response procedures, both nationally and internationally.

In cyber security, much more so than in other disciplines, personal relationships and trust are paramount to success. When confronting an adversary that easily establishes dangerous relationships in cyberspace and even works fluidly across language barriers, it is essential to know your allies well, and I dare to say know your enemies equally well. Over the next two days, you all will have the chance to build new working relationships and strengthen old ones. I urge you all to take advantage of each other’s presence, so you know who to call when the simulations are done and you are faced with a real cyber security incident. To address the challenges ahead, not only technological networks are necessary, but human networks as well.

On that note, I would like to highlight the fact that while these next two days are critically important, the days and months after the exercise are even more so. What will each of you do with the experience you have here? For this capacity building exercise to be effective, the learning and improvements it inspires must not end tomorrow. The knowledge acquired here must be taken forward, and put to good use. Over the next several days, I urge you all to take advantage of your counterparts, who together possess a wealth of cyber security information and experience.

Ladies and gentlemen, the evolving cyber security threats facing the Americas will not go away. Establishing a CSIRT, adopting a national strategy, or completing crisis management exercise will not make you immune from cyber incidents. Rather, it should inform continued cyber training and capacity building. As your governments continue down the never-ending road to secure networks, I would like you all to know that OAS/CICTE will be right along with you, every step of the way, coordinating efforts and providing assistance in any and every way we can.

I wish you a most productive and dynamic crisis management exercise and I look forward engaging with you tomorrow on the experiences you have gathered. I thank you very much for your attention.