Globally, we are in an undeclared cyber war. The Russian invasion of Ukraine is the first hybrid war, incorporating espionage, cyberattacks and internet-based disinformation alongside the more traditional military onslaught. Ukraine's ministry says it is facing constant attacks against its government and private infrastructure networks. However, the cybersphere has no borders, and Russia's cyber offensive is also spilling over into NATO countries, with US infrastructure being the most attractive target of all.
Cyberattacks are one of Russia’s weapons of choice in the ‘grey zone’ of conflict between peace and outright war. In this atmosphere, protecting US networks and critical national infrastructure is as critical as protecting our airspace and our shores. Ex-NATO general Ben Hodges recently suggested that cybersecurity has become as important as missile defenses.
A cyberattack on critical functions like telecommunications, energy or finance puts at risk the way of life that we take for granted. The Colonial Pipeline attack of 2021 resulted in fuel shortages and stockpiling, giving us a taste of the panic that a ransomware attack can sow. Cybercriminals backed by nation-state actors like Russia and Iran are always probing for vulnerabilities that would allow them to cause chaos and extort money from businesses and government organizations.
Security teams need to develop a military mindset
With no tanks rolling down American streets, the majority of the population is lulled into a false sense of security. However, security teams tasked with protecting government and business networks need to see beyond this illusion of peace and tranquility and bring a warfare response to combat bad actors. Any weakness in their defenses will be discovered and exploited by the cybercriminals probing day and night for a gap in their armor. Security teams at businesses and critical national infrastructure organizations should be training like the U.S. military. That is, they should train as they fight and train to failure, because they are on the front line.
The Bin Laden raid back in 2011 was successful because the Navy SEAL operatives rehearsed the mission exhaustively in advance, using realistic replicas of Bin Laden’s compound beforehand. Operational excellence is achieved when you rehearse in realistic environments and focus not only on the primary plan but also on the backup plan. At a minimum, Plan B should seem as natural as Plan A.
On the other hand, the IT community comes from the support world, where the focus is on constant availability and functionality. But defending IT operating systems is now like urban warfare. Security teams are doing the equivalent of building-to-building street fighting in a city full of people, cars, hospitals and other vulnerable infrastructure that they must avoid damaging. There needs to be a culture shift to a military mindset, whereby IT security teams are transformed into combat-ready cyber warriors who are trained and ultra-prepared. For this reason, more and more federal organizations and companies are mission-rehearsing for combat with cyberattackers in cyber ranges – the UK Army recently conducted the largest simulated attack exercise in Western Europe. A cyber range is a simulated environment used for cybersecurity training, testing and research. Just like the replica of the Bin Laden compound, it is designed to replicate real-world networks and systems, allowing professionals to practice and hone their skills in a safe and controlled environment so they are prepared for the real thing.
A U.S. Air Force approach to training and preparation
Currently, we are performing poorly at protecting our critical national infrastructure and our way of life. Despite years of investment, the people, processes and technologies tasked with keeping hackers at bay are ill-prepared to meet the demands of modern cyber warfare. Any one of an organization's people, processes and technology may not be up to the task, or perhaps the three are not working well in unison. Only by stress testing security posture with combat-like cyber warfare simulations can businesses gain visibility into what they are doing well and where they are falling short.
Cyberattacks are forecast to cost the global economy $10.5 trillion a year by 2025. Most cyberattacks go undetected, and of those that are identified, most remain publicly unreported, which makes accurate estimates of the true cost of cybercrime very difficult. This is reminiscent of the predicament the U.S. found itself in during the Vietnam War, where air-to-air combat performance was well below expectations. It was, however, observed that fighter pilots who survived their first 10 combat missions had dramatically increased chances of survival. To increase survival prospects for all, the U.S. Air Force created an exercise called Red Flag, which emulated those first 10 missions outside the zone of conflict. The idea was so successful that the USAF has been running Red Flag exercises ever since.
As an ex-fighter pilot myself, in 2011 I was tasked with taking this same train-to-failure approach to U.S. Cyber Command where I led the first Cyber Flag exercise – the cyber variant of Red Flag. This pitted hundreds of operators against advanced, complex, multi-domain threat scenarios on ultra-realistic cyber ranges of friendly, neutral and enemy networks. The goal of the multi-week Cyber Flag series, generally held three times per year, is to provide insights to commanders on how the U.S. military would fare in a future cyber conflict.
Companies and critical national infrastructure organizations at risk of cyberattack now need to take best practices from the military’s approach to training and readiness and apply the Cyber Flag construct to protect their critical assets. We have become adept at protecting ourselves on land, at sea and in the air; now we need to take those approaches to the cyber world. Security teams should train as they fight. They should be pushed to train to failure because it is better to fail in training than to fail in a real attack and see the next Colonial Pipeline attack occur on their watch.
A former F-15 fighter pilot and Cyber Exercises Lead at U.S. Cyber Command, William "Hutch" Hutchison is CEO and co-founder of SimSpace. Working at Cyber Command and the National Security Agency, he led the first joint force-on-force tactical cyber training exercise, introducing a 'special forces' approach to testing cyber defense teams.