Everyone thinks that they are prepared, ready for the worst that can come their way – whether that is a natural disaster or a malicious attack. But how realistic is your preparation?
“You can feel the temperature go up in the room,” says Tucker Bailey, principal in the Washington, D.C., office of global management consulting firm McKinsey and Company, referring to a common occurrence during cyber war game simulation exercises. “I've seen crises erupt over who has decision rights when a simulated attack occurs. I thought one guy might go across the table at another guy who assumed he had the authority to make a decision that wasn't his to make. Suddenly, you've got gridlock over one decision.”
That problem is not limited to that one instance. “It's a Petri dish environment,” says Samir Kapuria, a vice president in the cyber security group at Symantec, the Mountain View, Calif.-based technology company. The annual cyber war games he has conducted for his organization make blood pressures rise, he says. “They help us understand the real anxiety of an emergency situation.”
Other experts agree. “Next to the real thing, only a good simulation exercise can give you a feel for how fast a crisis can develop and spread,” says Harry Raduege Jr., senior adviser and director of cyber risk services for New York-based Deloitte & Touche LLP.
As a lieutenant general in the U.S. Air Force, Raduege found war games second nature. Now, he says, an increasing number of organizations, in both the public and private sectors, are adopting military methodology and pitting “red team” attackers against “blue team” defenders.
Craig Oldham, director-general at Public Safety Canada, a government agency created in the wake of the 9/11 attacks, says various levels of cyber war games are being conducted on a daily basis. “There is an increasing appetite among the private sector for these types of exercises,” he says. “They're more common than people probably realize, ranging from table-top exercises to full-scale simulations with people on the ground. From the municipal to the international level, these things are continuous now.”
There is also an increasing interest in bringing together a variety of players to see how they might collaborate and interact in an extreme emergency. In April, the European Union Agency for Network and Information Security, a branch of the EU that seeks to improve network and information security for member nations, invited more than 200 organizations – including energy companies, telecommunications carriers and security professionals – to participate in Cyber Europe 2014, an exercise to explore how nations can work together to combat a major cross-border threat. And, last November, more than 2,000 people, representing 234 organizations, took part in GridEx II, the second major simulation exercise conducted by the North American Electric Reliability Corporation. The players included public utility companies, government bodies and law enforcement agencies from the U.S., Canada and Mexico – all of them challenged to defend against a simulated cyber attack on corporate and control networks throughout the power grid.
“These types of exercises allow us to practice and test assumptions,” says Oldham. “We plan for a number of factors and, most recently, we've begun to build in a loss of digital infrastructure to help us develop policy and programs that would address that. It's very much an all-hazards approach.”
Also changing, says Raduege, is the type of people who set aside two days to participate. “In the past, we've mostly dealt with IT people, but the level and degree of involvement has changed. COOs, CFOs – they all have an interest now in understanding how you manage cyber risk. Business leaders are beginning to realize the importance of practicing inside a safe environment.”