Another Fifth … Quantum Dawn Cybersecurity Exercise

by C. Warren Axelrod on November 25, 2019

Another Fifth … Quantum Dawn Cybersecurity
Exercise

Following my BlogInfoSec column “Taking the Fifth …” posted on October 29, 2019, I came across other “fives,” the most relevant of which was about Quantum Dawn V, which took place on November 7, 2019. This is the fifth in a series of desktop exercises conducted every two years for and by the financial services sector.

The reason for my interest
is that I was on the team that initiated these exercises, along with Rob
Schmidt, Jeff Schmidt, Andy Cutts, Phil Sussman, and others. It all started
during the “hot wash” following “Livewire”, described here https://searchsecurity.techtarget.com/tip/Cybersecurity-exercise-helps-put-the-pieces-in-place in an article by the late Howard Schmidt,
when I suggested that, while Livewire was a reasonable simulation of the
technical side of the banking and finance sector, it did not address the
business side, which was equally critical, if not more important than the
technology infrastructure. We then engaged in a series of discussions with
senior people from the financial services industry to try to raise the needed
funds to develop such a model, but were not met with much enthusiasm as the
industry was understandably intent on addressing physical security following
the 9/11 attack on the World Trade Center.

Eventually, funding was
obtained from Congress, thanks to efforts by NUARI (Norwich University Applied
Research Institutes) and Delta Risk. There is a brief summary of this history
at https://deltarisk.com/resources/case-studies/distributed-environment-critical-infrastructure-decision-making-exercises/ The awarded funds were managed through the
Department of Homeland Security (DHS) by Doug Maughan. The resulting
closed-loop simulation model, which was named DECIDE-FS®, became the basis of the
Quantum Dawn (QD) series of exercises, mentioned above. NUARI subsequently obtained
four patents relating to the processes underlying the simulation model. DECIDE
is an acronym for “Distributed Environment for Critical Infrastructure Decision-making
Exercises.”

The early runs of the QD
exercises were relatively small affairs involving representatives from a dozen
or so financial institutions. I helped to design the simulation, develop
scenarios, and chronicle the results in after-action reports through QD-III.
The number of institutions, associations and government agencies grew rapidly from
one exercise to the next, as the capabilities of the model continued to improve
and more firms and agencies realized the benefits of the exercises. Until this
year, participating financial institutions were limited to U.S. domestic firms,
but Asia, Europe and Canada participated in QD-V. Indeed, in 2019, there were
more than 600 participants from over 180 financial firms involved in the
exercise!

Sponsorships Available

It is indeed gratifying
to see how popular these exercises have become. I believe strongly that they
are crucial components of building resilient infrastructures, and I am happy
that I was able to help initiate the simulated environment that made the
exercises so much more effective.

But financial firms are
just the start. In March 2019, the S&T (Science & Technology)
Directorate of DHS awarded $5.9 million to extend the DECIDE model to the
energy sector, see https://www.dhs.gov/science-and-technology/news/2019/03/21/news-release-st-awards-59m-expand-critical-infrastructure

My hope is that the model
will eventually cover all critical infrastructures, both domestically and
globally. What an exciting prospect. Congratulations to all involved in the
project so far. I am indeed proud to have contributed at the outset to this
monumental endeavor.