Everyone thinks that they are prepared, ready for the worst that can come their way – whether that is a natural disaster or a malicious attack. But how realistic is your preparation?
“You can feel the temperature go up in the room,” says Tucker Bailey, principal in the Washington, D.C., office of global management consulting firm McKinsey and Company, referring to a common occurrence during cyber war game simulation exercises. “I've seen crises erupt over who has decision rights when a simulated attack occurs. I thought one guy might go across the table at another guy who assumed he had the authority to make a decision that wasn't his to make. Suddenly, you've got gridlock over one decision.”
That's a problem not only in that instance. “It's a Petri dish environment,” says Samir Kapuria, a vice president in the cyber security group at Symantec, the Mountain View, Calif.-based technology company. The annual cyber war games he has conducted for his organization make blood pressures rise, he says. “They help us understand the real anxiety of an emergency situation.”
Other experts agree. “Next to the real thing, only a good simulation exercise can give you a feel for how fast a crisis can develop and spread,” says Harry Raduege Jr., senior adviser and director of cyber risk services for New York-based Deloitte & Touche LLP.
War games were second nature to Raduege when he was a lieutenant general in the U.S. Air Force. Now, he says, an increasing number of organizations, in both the public and private sectors, are adopting military methodology and pitting “red team” attackers against “blue team” defenders.
Craig Oldham, director-general at Public Safety Canada, a government agency created in the wake of the 9/11 attacks, says various levels of cyber war games are being conducted on a daily basis. “There is an increasing appetite among the private sector for these types of exercises,” he says. “They're more common than people probably realize, ranging from table-top exercises to full-scale simulations with people on the ground. From the municipal to the international level, these things are continuous now.”
There is also an increasing interest in bringing together a variety of players to see how they might collaborate and interact in an extreme emergency. In April, the European Union Agency for Network and Information Security, a branch of the EU that seeks to improve network and information security for member nations, invited more than 200 organizations – including energy companies, telecommunications carriers and security professionals – to participate in Cyber Europe 2014, an exercise to explore how nations can work together to combat a major cross-border threat. And, last November, more than 2,000 people, representing 234 organizations, took part in GridEx II, the second major simulation exercise conducted by the North American Electric Reliability Corporation. The players included public utility companies, government bodies and law enforcement agencies from the U.S., Canada and Mexico – all of them challenged to defend against a simulated cyber attack on corporate and control networks throughout the power grid.
“These types of exercises allow us to practice and test assumptions,” says Oldham. “We plan for a number of factors and, most recently, we've begun to build in a loss of digital infrastructure to help us develop policy and programs that would address that. It's very much an all-hazards approach.”
Also changing, says Raduege, is the type of people who set aside two days to participate. “In the past, we've mostly dealt with IT people, but the level and degree of involvement has changed. COOs, CFOs – they all have an interest now in understanding how you manage cyber risk. Business leaders are beginning to realize the importance of practicing inside a safe environment.”
He says war games are also attracting people from the cyber law community, as well as a growing number of insurance company representatives. “Cyber insurance is an emerging area, and the industry is trying to figure out models that work for them,” he says.
McKinsey's Bailey says that simulations have a way of building momentum within organizations. “As word gets out about what's going on, more people begin to get pulled in. It's not unusual for us to be working with CEOs and their top teams now.”
Bailey recommends that corporate functions as diverse as public relations and customer service be included as a way of rallying teams and building what he calls organizational muscle memory.
“It's interesting, some of the anomalies these types of exercises can turn up,” he says. “One client, a bank, thought they were on top of their game, but the canned scripts they produced in response to a simulated breach were materially different than what they had planned to tell their regulator. That's one example of why a whole-of-business approach to simulations is very important.”
He adds that the number of organizations taking part in simulations has risen, too, from about three percent, as reported in an article he co-authored for McKinsey in 2012, to about 15 percent.
What they take away from the exercises, says Symantec's Kapuria, covers a wide range of very applicable lessons. His company's CyberWar Games Simulation exercises bring together more than 1,100 employees from 40 countries and yield interesting behavioral observations.
“The difference in methods that people apply to solve problems is pretty surprising,” he says. “There is definitely a cultural aspect to it.”
Kapuria says his games, which take place over three days and feature a high level of realism, show participants how to think about an attack and analyze the way the attackers employ innovative approaches.
“The key lesson is the mindset you need to employ when you're under attack. We find that it really helps to grow people's security IQ.”
While some in the field might balk at the degree to which Kapuria goes to make his scenarios appear real – right down to ATMs and safety deposit boxes for the banking scenario staged last February – he says an “immersive” environment is critical for simulations to be effective.
“The full experience is key,” he says. “Table-top exercises are one-dimensional. Those types of ‘capture the flag’ games don't get you into the kind of mindset you need to really learn things. What you want to take away is, ‘Do you have the people who can respond in a crisis?’ People respond very differently under fire.”
Bailey agrees. “You need to base a simulation on real business risk, using participants' landscape and actual vulnerabilities, not a canned scenario. You need to get total buy-in, and get people lost in the game for it to be truly effective.”
Raduege, who directed the Defense Information Systems Agency before retiring from the Air Force, has two prescriptions for effective war games: “Keep running metrics on how you're doing against the attacks, because people tend to concentrate on risk, and include all kinds of attacks in the scenario. Change it up, and keep it fresh and focused.”
So, what does Kapuria have up his sleeve for the participants in Symantec's next global exercise?
“I can't give it away,” he says, laughing, “but we always steal things from the headlines to make it real. We're going to look at a big, next-generation wave, including cloud, the Internet of Things, Big Data. It's going to be intense.”