14 July 2016

Inside the Pentagon's secretive preparations for a 'cyber 9/11'

June 21, 2016

SUFFOLK, Va. — The massive coordinated cyber attack began with rolling blackouts throughout the electrical grid stretching across the Midwest, leaving up to 10 million Americans' homes without power and businesses unable to process credit and debit card purchases.

Then came the inexplicable malfunction at a large oil refinery in Port Arthur, Texas, which spewed an oil-slick five-miles wide along the gulf coast shoreline. The governors of Texas and Louisiana declared states of emergency. In southern California, the attack shut down several major ports by disabling hydraulic systems. Dozens of cargo ships were stranded off Los Angeles, unable to offload their stacks of truck-sized containers.

Attacks on the Defense Department's networks threatened the systems that monitor North American airspace and the radars on which the U.S. military relies.

Total mayhem.

This fictitious scenario was laid out for nearly 1,000 military, government and private sector personnel here at this year’s Cyber Guard exercise, the nation’s largest test of its network defenses. Conducted over nine days in June, the event offered a disturbing look at the type of catastrophe that could unfold during what the government's top officials call “cyber 9/11.”

“For us, it’s not a question of if it will happen but when,” said Coast Guard Rear Adm. Kevin Lunday, U.S. Cyber Command’s director of training. “The more relevant question is: When it does [happen], will we as a Department of Defense, will we as a nation and with our allies, be ready for it?”

While Cyber Guard is a classified event, Military Times was part of a small, select group of media granted rare access to the exercise's final day. Officials with the highly secretive CYBERCOM provided a tour of the facility, and interviews with participants and organizers.

This year’s exercise was focused on defensive capabilities. The scenario involved an opposing force, referred to as a “red team.” The major nation state — though unnamed, it was most likely China or Russia — mounted an attack on the United States’ energy and transportation infrastructure. The scenario at last year’s exercise simulated an attack on major financial institutions.

About half of the participants were from CYBERCOM. The others included civilians from the Department of Homeland Security, the FBI and other government agencies, and private sector officials from energy companies, major port facilities and privately owned internet service providers. The training network, built specifically for this exercise, replicates military and private-sector communications systems but is not connected to the internet. Training on an internet connection would risk releasing classified — or potentially catastrophic — code-based weaponry into the public realm.

Cyber Guard participants huddle June 16, 2016, during a training scenario in Suffolk, Virginia. (Photo: Petty Officer 2nd Class Jesse Hy/Navy)

The exercise was orchestrated from a “white cell” command post, where administrators direct the “red team” attacks and monitor responses from the “blue teams” assigned to defend American networks. The white cell room bustled with military and civilian personnel, tapping on keyboards and monitoring large wall-mounted screens with maps and graphs illustrating the networks' flow of data.

“It’s not a rote script. It’s a series of injections," one of the exercise planners said. For example, maybe the oil spill gets really bad really quickly, the official said. Maybe the attack spreads to interstate highways by disabling gates, manipulating electronic traffic signals and creating havoc on the roadways.

At one point in the exercise, the personnel trying to fix the problem saw their keyboard converted into a foreign language script, rendering them unable to read the code they typed on the screen, one official said. The trainees suffered a lot of setbacks. But the point of the exercise is not a traditional competition between the Americans and the opposing forces.

“I’m often asked: ‘Who is winning?’ Lunday said. “But this is not a capture-the-flag scenario. It’s a classic military training exercise. We are assessing their capability to perform their mission-essential tasks. The opposing force works for me, and I direct them to dial up the pressure to keep that training audience at the point of failure, where that learning is going to occur.”
Noteworthy progress, but work remains

The exercise is a major milestone for CYBERCOM's teams, who are striving for what the military calls “Full Operational Capability,” or FOC status. Created in 2010, CYBERCOM is standing up a cyber-mission force of 6,200 active-duty specialists organized in 133 teams.

Progress has been slower than hoped, however. The target date for standing up those teams was initially set for the end of 2016, but that deadline has been pushed out to 2018. So far, about half of those teams have reached what's called “initial operational capability,” and only 27 have reached “full operational capability,” the final phase of readiness development.

CYBERCOM sent 24 teams to the Cyber Guard exercise in Virginia, each with about 30 to 40 personnel. All of those units have IOC status and are working toward FOC status.

No comments: