NEWPORT, R.I. — When a cyberattack hits an American financial institution, or the energy grid of a major U.S. city, what role should the U.S. military be prepared to take?
That was one of the central questions posed at a U.S. Naval War College war game last week. The Defend Forward: 2019 Critical Infrastructure War Game gathered more than 100 people from finance, energy, government and academia to participate in an unclassified two-day event on July 25 and 26.
It was the third in a series of cyber critical infrastructure war games held by the college’s Cyber and Innovation Policy Institute.
“The Naval War College stands at the forefront of efforts to better understand the interconnectedness of the public-private partnership, especially in the increasingly contested realm of cyberspace,” Acting President Lewis Duncan told the group in his welcoming remarks.
U.S. Coast Guard Rear Adm. Pete Brown, deputy assistant to the president and homeland security and counterterrorism adviser at the National Security Council, told the players that they can play an important role in cyber defense.
“Nation-states, criminal and terrorist actors seek to steal our intellectual property and our personal information, and damage our infrastructure through the use of malicious cyber tools,” Brown said in his opening remarks.
“Exercises like this one are critically important to understand the characterization of risk between the public and private sector, as well as the capabilities we each have to protect our assets and our nation.”
The game’s title – Defend Forward – is a reference to the 2018 U.S. Cyber Command strategy that calls for “defending forward” against groups that have used hostile cyber tactics against the United States.
“The brunt of cyber activity is occurring in the private sector,” said Jacquelyn Schneider, assistant professor in the college’s Strategic and Operational Research Department, in an interview about the game that she co-authored.
“For anyone who uses virtual banking, the viability of the financial system is existential. At the same time, the energy infrastructure is something that touches every American. We know that in crises, our adversaries will be looking at the financial and energy sectors as the soft underbelly of the United States,” she said.
“That’s where we’re going to see the most need for government collaboration. This game is trying to understand where the government should put its resources to help deter, defend and respond to attacks.”
The game’s findings may be used to help inform the Cyberspace Solarium Commission, a congressionally created working group looking at American cyber strategy.
Mark Montgomery, commission executive director, attended the event and said he hoped to come away with new insights and creative ideas for handling private-sector cyberattacks.
“A large percentage of our national security critical infrastructure is owned and operated by the private sector,” Montgomery said in an interview. “We need to ensure it is protected and supported at the same level as our government-operated infrastructure.”
The scenario of the game was that a “red state” with powers equal to the United States conducted low-level cyberattacks for six months against U.S. financial and energy targets, using cyber tactics to gain strategic access, gather personal information about "blue" leaders and steal intellectual property from the financial sector.
The game then imagined that the “red state” wanted to influence the political election of a “blue state” ally.
“The first move is all about what ‘defend forward’ looks like on a normal day,” Schneider said. “Then it sets up a potential crisis to see how ‘defend forward’ — which is a concept written for day-to-day competition — how that translates into gearing up for a crisis and the response to a crisis.”
The game was held at an unclassified level to allow people from the private sector to attend, Schneider said.
Representatives from major U.S. banks, financial corporations and energy companies were among the players. Participants were separated into rooms that represented the finance, energy, government sectors – with people designated as the chief executives, chief operating officers or chief information officers of fictional companies.
These groups grappled with how to respond to the scenario of an invasive security breach: Do we take the bank offline? Do we pause mobile banking? Do we have a bitcoin account established to pay hackers? Do we have a response firm on retainer? Do we issue a press release?
“This game is about institutions, information sharing and about strategic decisions and strategic trade-offs,” Schneider said.
“It’s less about today’s current capabilities and more about thinking through big-level strategic problems and thinking about the art of the possible.”
Findings from the event are expected to be released in a game report published on the college’s website, organizers said.
The Cyber and Innovation Policy Institute is part of U.S. Naval War College’s Strategic and Operational Research Department, in the Center for Naval Warfare Studies. More information on this group is available here: https://usnwc.edu/Research-and-Wargaming/Research-Centers/Cyber-and-Innovation-Policy-Institute