HARTFORD, Conn. – Cyber Soldiers and Airmen from around New England gathered June 14-18, 2021 at Joint Base Cape Cod to participate in the 7th annual Cyber Yankee exercise.
The exercise pitted Marines and Marine Reservists as the “Red Team” against “Blue Teams” made up of Guardsmen and industry partners representing different critical infrastructure sectors, such as power, water and gas companies, in order to enhance the cyber warriors’ ability to thwart malicious actors in the digital space.
The battlefield of choice is known as the Persistent Cyber Training Environment, a purpose-built cyber range tailored to look and feel like a typical utility company, down to simulating normal company activity such as email and web traffic, to provide realistic concealment for the red team to carry out attacks.
Blue teams were tasked with supporting the industry partners’ response by identifying unusual activity to uncover attacks and malicious programs, then mitigating the attack’s effects, and eventually determining the scope of the damage, the attack vector, and the most likely threat actor.
As the week unfolded, the threats increased and malicious actors made their intentions known. What may have started early in the scenario as a network penetration, later became a deliberate attack delivered by a red team “inject.” The exercise planners paid careful attention to the master spreadsheet of injects to be carried out over the course of the week. To move the plot along and help the blue teams determine attribution, the white cell (exercise controllers) provided different intelligence items and news stories, curating the experience. Based on how an individual blue team was doing, the white cell either pushed the timeline forward or slowed it down.
Though the scenario featured a notional competitor state known as “Miteopia,” along with its state-sanctioned proxies, other unofficial proxies, and unaffiliated cyber criminals, these types of adversarial forces mirror current threats seen in today’s reality and across headlines from the past year.
In recent years, the National Guard has become a first responder force for cyber-attacks of a magnitude that exceeds an entity’s ability to handle them on its own. In Connecticut, this played out after a vicious ransomware attack on the City of Hartford.
Similarly, the Vermont National Guard responded to a ransomware attack on the University of Vermont Medical Center. “[We’ve been doing this] since 1636,” said Brig. Gen. John Driscoll, Massachusetts’ land component commander. “This is just the next phase of the operation. This is about reassuring the public.”
Typically, attacks seen in real life and mirrored at Cyber Yankee occur on the networks of state or local governments, or on a private corporation’s network. Because of this, the Guard is in a support role to the affected entity and is limited to operating within what the host is willing to allow.
Given the gray nature of cyber operations, lawyers abound. Each blue team brought legal counsel to advise it every step of the way. The Judge Advocate Generals (JAGs) pre-drafted memorandums of agreement, updating them as the situation warranted. In real life, having these prepared ahead of time, tailored to either a business or a public agency, speeds up the response. “Industry partners are in the lead,” said exercise documents. “The National Guard (Joint Task Force Cyber) is in position to support industry partners to uphold critical infrastructure.”
Cyber Yankee, while a regional exercise that complements larger nationwide exercises, also hosted federal participants from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA) and the Federal Energy Regulatory Commission.