Jack Voltaic 2.0 Gives a Glimpse of Future Infrastructure Protection
A 2018 exercise developed by the Army Cyber Institute at West Point and hosted by the city of Houston provided participants with a full view of potential critical infrastructure crises while also offering a path to security and resiliency. Known as the Jack Voltaic 2.0 Cyber Research Project, the exercise exposed critical infrastructure issues to 200 participants from 44 organizations.
The exercise took a bottom-up approach to viewing a critical infrastructure crisis. The worst effects would be on the local level, so the event focused on local responses first. This exercise showed that the military, federal government, state and local government and industry all have roles they can play during an infrastructure incident. Several days of involvement by a broad set of participants produced six major findings and recommendations.
The first finding is that current frameworks are inadequate to meet the growing threat to urban communities. U.S. cities need an adaptable and scalable model to improve their cybersecurity posture, as cyber attacks can quickly overwhelm an unprepared city government. Greater public-private partnerships will be required to provide vital support, and city and local cybersecurity efforts should better integrate the private sector.
The second finding is that the U.S. military and its allies depend on civil and commercial infrastructure, and its vulnerabilities are the military’s vulnerabilities. The military must collaborate with the National Guard, the Department of Homeland Security (DHS), the Military Reserve and the Department of Energy to develop an operational risk-management framework.
The National Guard’s importance to physical security and development of cybersecurity capabilities is the third finding. As cyber response handbooks are developed, they should be shared across state military departments, and the Guard should be trained on procedures. Also, the Defense Department should maintain an inventory of existing and emerging critical Guard and Reserve cyber capabilities.
The fourth finding focuses on the critical role states play supporting cities in physical and cyber events. States should develop, fund and implement statewide incident response campaigns. The DHS should maintain accountability of information sharing and analysis organizations to ensure state and local protection. And best practices and lessons learned from the financial sector’s Financial Systemic Analysis and Resilience Center should be leveraged.
The fifth finding is that policy and legal authorities at federal and state levels do not sufficiently empower cities to respond to cyber incidents. Only the energy sector explores cyber mutual assistance, and legal issues also arise amid defense support to civil authorities. Joint military organizations need to explore ways of offering cyber mutual assistance that are more proactive and sustained. Additionally, local communities as well as state and national organizations need appropriate policy and implementation guidance.
The sixth finding addresses the vulnerability of the private sector. Its adversaries are motivated by profit, intellectual property theft and geopolitical gain. Yet, this sector is uniquely positioned to inform, develop and provide its own solutions. Key sector representatives should gather frequently in a single group to compare notes and explore solutions. And consideration should be given to creating private sector “certified defenders” who would work under government authorization to prepare for and respond to adversarial cyber threats.
Researchers continue to generate papers on the results of Jack Voltaic 2.0, and planners are working on Jack Voltaic 2.5. A summary of the findings and recommendations can be found at event.afcea.org/JackVoltaicsummary.