Inside DHS' Classified Cyber Coordination Headquarters
The Department of Homeland Security recently brought its classified National Cybersecurity and Communications Integration Center down to an unclassified level for one day only, and InformationWeek Government was there to take photos. The facility looks and functions like a state-of-the-art network operations center and much more. The NCCIC, as it's called, is the locus of DHS-led inter-agency cybersecurity work in the federal government. That includes providing an integrated response to cyber th
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc94608acf452fd67/655cf371ab171e040a838b2a/329050_DR23_Graphics_Website_V5_Default_Image_v1.png?width=700&auto=webp&quality=80&disable=upscale)
Typically, the National Cybersecurity and Communications Integration Center, the agency's hub for coordinated responses to cyber attacks, is a classified facility, residing several floors above a chain restaurant in a non-descript Arlington, Va., office building. Visitors to the Department of Homeland Security facility are required to go through several layers of security before they can actually enter the office space, including locking up their cell phones in tiny lockers. But for one day only, the DHS brought the NCCIC offices down to an unclassified level and InformationWeek Government was there to take photos.
The occasion for DHS briefly opening the doors of NCCIC to reporters was a preview of Cyber Storm III, an international, coordinated cybersecurity simulation that entailed mock attacks on the Internet's domain name system. The exercise tested both the draft National Cyber Incident Response Plan, an effort to provide a coordinated response to major cybersecurity incidents NCCIC. The large-scale exercise included representatives from seven cabinet-level federal departments, intelligence agencies, 11 states, 12 international partners and 60 private sector companies in multiple critical infrastructure sectors like banking, defense, energy and transportation. Though the facility may have been brought down to an unclassified level for the event, we were still warned against taking pictures of cyber-analysts' faces, photos of physical security sensors on the walls and ceilings, and wandering off into areas of the facility where classified work might still be going on.
SEE ALSO:
DHS Launches Cyber Attack Exercise
The NCCIC's operations center is staffed 24 hours a day, 7 days a week by an average of 20 analysts who track the health of government networks and analyze the latest cyber threats across the Internet. Partners from industry and other agencies work alongside DHS analysts, the ops center walls display live data and television news.
SEE ALSO:
DHS Launches Cyber Attack Exercise
Every cybersecurity analyst has a workstation that looks something like what a gamer, a financial analyst or a designer might have on his or her desk. In this case, though, the three screens feed the analysts with all sorts of information that could be related to cyber threats. Each workstation can pull up any of four separate networks.
SEE ALSO:
DHS Launches Cyber Attack Exercise
The new director of DHS' National Cybersecurity and Communications Integration Center joined from a task force that looked at threats to critical infrastructure like the communications and power grids. One of his recent tasks there was to analyze the sophisticated Stuxnet worm that attacked industrial control systems worldwide.
SEE ALSO:
DHS Launches Cyber Attack Exercise
The deputy assistant secretary for cyber security and communications for DHS is also a rear admiral. He helps set DHS' strategic direction for cybersecurity. He may have moved from the Navy to DHS, but NCCIC also has representatives from the military, industry, intelligence community and Department of Justice working right alongside DHS employees to help track and mitigate threats.
SEE ALSO:
DHS Launches Cyber Attack Exercise
Vickers is director of the United States Computer Emergency Readiness Team (US-CERT), which provides cyber defense and response to government agencies and industry partners. It also provides government and industry with cyber alerts and security tips. He joins with other DHS senior officials every morning at 8 a.m. for a brief on the latest threats.
SEE ALSO:
DHS Launches Cyber Attack Exercise
This screen shows a selection of real-time information from Einstein sensors, network flow analyzers placed strategically within government networks nationwide. Einstein is a series of technologies being deployed across the government for network monitoring, intrusion detection and intrusion prevention. "We identify not only cyber threats, but also monitor the cyber health of the nation," says McGurk.
SEE ALSO:
DHS Launches Cyber Attack Exercise
Another Einstein graphic breaks down traffic volume across federal government networks by protocol, such as TCP/IP traffic or UDP traffic. Deviations from the usual pattern might indicate anomalous activity on the networks and warrant deeper consideration. More detailed info on attacks might show up on these screens on a day-to-day basis.
SEE ALSO:
DHS Launches Cyber Attack Exercise
There's not much to see on the operations calendar, which indicates a number of typical daily meetings. However, what the calendar doesn't show is that mid-week, Cyber Storm III, a major cyber exercise, was slated to start. This year's Cyber Storm exercise was organized to test the forthcoming National Cyber Incident Response Plan.
SEE ALSO:
DHS Launches Cyber Attack Exercise
Though lots of cybersecurity work happens on site, the NCCIC doesn't do things like malware analysis. However, for demo purposes, DHS brought out some of its digital forensics tools for reporters to see, including these.
SEE ALSO:
DHS Launches Cyber Attack Exercise
So what's a photo of a conference room doing in here? It might look like an ordinary conference room, and it is, save one difference. It's that sign on the wall. When there is an unclassified meeting underway, the sign says, "unclass," but it switches to "classified" when something more secret is going on.
SEE ALSO:
DHS Launches Cyber Attack Exercise
So what's a photo of a conference room doing in here? It might look like an ordinary conference room, and it is, save one difference. It's that sign on the wall. When there is an unclassified meeting underway, the sign says, "unclass," but it switches to "classified" when something more secret is going on.
SEE ALSO:
DHS Launches Cyber Attack Exercise
Typically, the National Cybersecurity and Communications Integration Center, the agency's hub for coordinated responses to cyber attacks, is a classified facility, residing several floors above a chain restaurant in a non-descript Arlington, Va., office building. Visitors to the Department of Homeland Security facility are required to go through several layers of security before they can actually enter the office space, including locking up their cell phones in tiny lockers. But for one day only, the DHS brought the NCCIC offices down to an unclassified level and InformationWeek Government was there to take photos.
The occasion for DHS briefly opening the doors of NCCIC to reporters was a preview of Cyber Storm III, an international, coordinated cybersecurity simulation that entailed mock attacks on the Internet's domain name system. The exercise tested both the draft National Cyber Incident Response Plan, an effort to provide a coordinated response to major cybersecurity incidents NCCIC. The large-scale exercise included representatives from seven cabinet-level federal departments, intelligence agencies, 11 states, 12 international partners and 60 private sector companies in multiple critical infrastructure sectors like banking, defense, energy and transportation. Though the facility may have been brought down to an unclassified level for the event, we were still warned against taking pictures of cyber-analysts' faces, photos of physical security sensors on the walls and ceilings, and wandering off into areas of the facility where classified work might still be going on.
SEE ALSO:
DHS Launches Cyber Attack Exercise
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024