By David Vergun, Army News ServiceDecember 26, 2017
WASHINGTON --- When the Army, industry and local governments team up in "live-fire" cyber exercises, the results are mutually beneficial, said Col. Andrew O. Hall.
Hall, director of Army Cyber Institute, and other cyber experts spoke at an Association of the U.S. Army-sponsored forum on cyber issues, Dec. 13.
The reason that robust exercises are beneficial, he said, is that gaps in cyber defense become apparent and leaders of these communities learn what actions they must take to defend themselves.
In turn, lessons learned help the Army to better understand how to defend all the networks, which are all vital to national security, he continued.
A good example of this collaboration, Hall said, is the Jack Voltaic cybersecurity exercise. In 2016, the exercise brought together representatives from the Army and critical infrastructure sectors in New York City including finance, energy, telecommunications, emergency management, and city government to respond to a two-day simulated cyber-attack against the city.
Participants were also invited to West Point, where they got a crack at using ACI's cyber simulation center, he added. ACI published a report describing the methodology of the exercise, results, and possible improvements so that other cities may replicate or build upon the exercise.
Natasha Cohen, director, Cyber Policy and Client Strategy, BlueVoyant, pointed to several case studies that show a variety of ways that the military can partner with the private sector and local government to address the diverse nature of the threat, which she said is growing in part because of the proliferation of hacking tools that enable relatively low-skilled users to conduct operations against a variety of targets.
In 2015, the Maryland National Guard responded to real-world, distributed denial-of-service attacks in Baltimore, she said. DDoS attacks occur when multiple computer systems become infected, essentially shutting down targeted systems, in this case, the state of Maryland's.
The Guard was able to download tools that malicious actors had used and figured out how to defend against it, she said.
Although the incident ended before the Guard was able to share those findings with the targeted organizations, the experience did help to work through the legalities of such action and set the stage for assistance in the future, she said.
While the threat to organizations can be real, not every industry has the resources to conduct some of the more expensive security operations such as penetration testing, Cohen said, explaining that "pentesting" involves an authorized, simulated attack on a network to evaluate its security.
In 2016, the National Guard conducted a pentest on the Snohomish County Public Utility District network in Washington state, said Cohen.
The Guard was specifically trained in supervisory control and data acquisition, or SCADA, and industrial control systems, and was able to highlight a number of areas for improvement in the public utility, she said, noting that SCADA is a control system architecture involving critical services such as electricity, natural gas and transportation.
This agreement between the Guard and utility took two years to put together and hasn't so far been replicated, unfortunately, she said. "If the lessons learned from this experience could be shared and implemented across other states, it might provide a win-win for both sides -- training for the Guard and testing for critical infrastructure systems."
When a cyberattack occurs on a civilian organization, there is a need to surge outside resources to defend against it, Cohen said. Oftentimes, those surge forces, be they military, government or private-sector, are unfamiliar with how the organization does business, the security tools it uses and so on, so they cannot bring the right tactics, techniques and procedures to bear.
Arizona succeeded in attacking this problem by creating a hub for collaborative cyber information-sharing in a neutral environment of trust where partners from industry, academia, law enforcement and intelligence come together, she said, citing the non-profit Arizona Cyber Threat Response Alliance, Inc., or ACTRA, which has led that effort.
Hall lauded the collaborative efforts which Cohen cited, and said that ACI is working with the Command and General Staff College at Fort Leavenworth, Kansas, to create a common cyber language that will facilitate information-sharing among cyber and non-cyber personnel, since many terms can seem cryptic to laymen.
At this time, the 780th Military Intelligence Brigade is testing this common-language concept at the National Training Center at Fort Irwin, California, and is working to train the next generation of leaders in being more fluent in the cyber domain.
Tyson B. Meadors, director for Cybersecurity Policy, National Security Council, said it's often difficult to surge cyber defenders because there's a shortage of about 300,000 cybersecurity professionals in the U.S. workforce. Small and mid-sized companies might not even have a cybersecurity expert on staff.
That's why public-private partnerships and exercises are so important to bridging this gap, he said.
One framework for surging cyber defenses that could be utilized regionally or nationally, Meadors said, is the Defense Support of Civil Authorities. DSCA was originally designed as a natural-disaster-response framework for inserting the Guard.
Reaction time has traditionally been measured in days, he said. However, a cyberattack on critical U.S. infrastructure would need to be dealt with in hours, since "we're going to lose all sorts of services at once."
Modifying DSCA to include cyberattacks, he said, "is a policy tweak that needs to be examined."
Cohen concluded that relations between the military and industry regarding cooperative cybersecurity measures will need to be based on trust and good relationships.
The private sector does not like to give away their own security vulnerabilities, she said, but at the same time, they need actionable intelligence that the military or government might be able to provide.