Threats against critical infrastructure and questions about election security have heightened cybersecurity concerns, raising the question of how businesses can better prepare themselves for the inevitability of a cyberattack. This increased focus on preparedness has given rise to a tactic long practiced by the government: cyber war game exercises.
A View From the Trenches
A survey conducted by Venafi at Black Hat 2018 asked more than 500 IT security professionals their opinion on whether we are in the middle of a cyber war. The results? An astounding 86 percent said yes, with 37 percent of respondents stating they believe a nation-state cyber attack will directly lead to the loss of human life within the next couple of years.
In addition, 88 percent of those surveyed believe that attacks targeting the disruption of election infrastructure constitute acts of cyber war. “The bottom line is that the notion of war is changing from something that you do with bullets and guns on the ground to something you do with bits and bytes. Essentially, this is a war about compromising and controlling information. Once you fully understand that, it’s pretty easy to see that we are in a full-on cyber war right now,” said Jeff Hudson, CEO of Venafi.
The Business Risk Perspective
For those in the trenches who are inundated with alerts and see the myriad types of attacks coming in, it might very well feel like we are at cyber war. But Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC), said the survey results should be used to inform our level of capability for responding to attacks—they indicate the broader feeling that we are unprepared.
“At a business level in assessing risk, we don’t have that same sense of urgency. It’s not as much a cyber war as much as this is the environment that organizations are operating in. They recognize that it is a noisy and damaging environment, and they are building the capabilities to defend themselves in this environment, to protect their assets. Businesses are responding to changes in the environment as the attacker is getting more sophisticated,” Figueroa said.
To that end, the private sector has been following in the footsteps of the government with cyber war game exercises. Cisco Systems’ Cyber War Games, for example, evaluate resilience by assessing how an organization responds to realistic crises and determining which conditions might result in a resiliency breakdown.
Many of these collaborative defense simulations are sector-specific and run as either tabletop exercises or within a cyber-range. One such example is Cyber Yankee, a computer network defense team exercise that is run annually by the Massachusetts National Guard.
In large part, which organizations participate in the exercises depends on both the intent of the exercise and whether an organization is part of a consortium or chapter group. The most recent ACSC event was a tabletop cyber drill run in conjunction with the Commonwealth of Massachusetts, the Department of Homeland Security and its members. The cybersimulation exercise focused on improving response and collaborative defense.
Collaboration is Trending
Although larger organizations have long staged their own cybersecurity simulation exercises, corporations of all sizes are now coming together with federal, state and local law enforcement to orchestrate “cyber war games” that help improve response capabilities and preparedness.
According to Figueroa, participating in a mock attack lets participants see potential vulnerabilities and avenues of attack so they can accelerate response times. More importantly, organizations learn to better respond in ways that keep the infrastructure going.
“It’s part of building a mental memory, which is incredibly important, so that if an incident does occur, you know who to call. You know who is going to be involved. You know who is responsible for what, and it’s generally based on disaster response,” Figueroa said.
What is emerging now are multi-organization exercises that enhance collaborative defense by teaching organizations how to respond to community-level attacks, such as Mirai. When these attacks impact the broader community, the information that goes out can be chaotic and not always accurate. The cyber war games help organizations practice communication channels across multiple organizations to better understand how to respond to what is going on.
From a security perspective, organizations have begun conducting their own cybersecurity exercises to do very similar things. Given that response historically has gone poorly in the public domain, these exercises are intended to not just limit the damage but also “to help them with roles and responsibilities in the event that things become public. Based on the results of the exercises, they can best determine who is responsible for what—who is responsible for detecting and responding, for communicating in public, for communicating with the board,” Figueroa said.