Cyber War Games: Exercises to Improve Disaster Response

Threats against critical infrastructure and questions about election security have heightened cybersecurity concerns, raising the question of how businesses can better prepare themselves for the inevitability of a cyberattack. This increased focus on preparedness has given rise to a tactic long practiced by the government: cyber war game exercises.

A View From the Trenches

A survey conducted by Venafi at Black Hat 2018 asked more than 500 IT security professionals whether they think we are in the middle of a cyber war. The results? An astounding 86 percent said yes, with 37 percent of respondents stating they believe a nation-state cyber attack will directly lead to the loss of human life within the next couple of years.

In addition, 88 percent of those surveyed believe that attacks targeting the disruption of election infrastructure constitute acts of cyber war. “The bottom line is that the notion of war is changing from something that you do with bullets and guns on the ground to something you do with bits and bytes. Essentially, this is a war about compromising and controlling information. Once you fully understand that, it’s pretty easy to see that we are in a full-on cyber war right now,” said Jeff Hudson, CEO of Venafi.

The Business Risk Perspective

For those in the trenches who are inundated with alerts and see the myriad types of attacks coming in, it might very well feel like we are at cyber war. But Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC), said the survey results should be used to inform our level of capability for responding to attacks—they indicate the broader feeling that we are unprepared.

“At a business level in assessing risk, we don’t have that same sense of urgency. It’s not as much a cyber war as much as this is the environment that organizations are operating in. They recognize that it is a noisy and damaging environment, and they are building the capabilities to defend themselves in this environment, to protect their assets. Businesses are responding to changes in the environment as the attacker is getting more sophisticated,” Figueroa said.

To that end, the private sector has been following in the footsteps of the government with cyber war game exercises. Cisco Systems’ Cyber War Games, for example, evaluate resilience by assessing how an organization responds to realistic crises and determining which conditions might result in a resiliency breakdown.

Many of these collaborative defense simulations are sector-specific and run as either tabletop exercises or within a cyber-range. One such example is Cyber Yankee, a computer network defense team exercise that is run annually by the Massachusetts National Guard.

In large part, which organizations participate in the exercises depends on both the intent of the exercise and whether an organization is part of a consortium or chapter group. The most recent ACSC event was a tabletop cyber drill run in conjunction with the Commonwealth of Massachusetts, the Department of Homeland Security and its members. The cybersimulation exercise focused on improving response and collaborative defense.

Collaboration is Trending

Although larger organizations have long staged their own cybersecurity simulation exercises, corporations of all sizes are now coming together with federal, state and local law enforcement to orchestrate “cyber war games” that help improve response capabilities and preparedness.

According to Figueroa, participating in a mock attack lets participants see potential vulnerabilities and avenues of attack so they can accelerate response times. More importantly, organizations learn to better respond in ways that keep the infrastructure going.

“It’s part of building a mental memory, which is incredibly important, so that if an incident does occur, you know who to call. You know who is going to be involved. You know who is responsible for what, and it’s generally based on disaster response,” Figueroa said.

What is emerging now are multi-organization exercises that enhance collaborative defense by teaching organizations how to respond to community-level attacks, such as Mirai. When these attacks impact the broader community, the information that goes out can be chaotic and not always accurate. The cyber war games help organizations practice communication channels across multiple organizations to better understand how to respond to what is going on.

From a security perspective, organizations have begun conducting their own cybersecurity exercises to do very similar things. Given that response historically has gone poorly in the public domain, these exercises are intended to not just limit the damage but also “to help them with roles and responsibilities in the event that things become public. Based on the results of the exercises, they can best determine who is responsible for what—who is responsible for detecting and responding, for communicating in public, for communicating with the board,” Figueroa said.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years of experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
