Cyber Threats to the Homeland: Contested Training

Fictional Scenario: After years of experimentation in the cyber domain, with limited battlefield progress and continued Western support to Ukraine, Russia regroups. In cooperation with another nation-state with its own territorial objectives, a new cyber campaign is authorized aimed at attacking U.S. critical infrastructure. The industrial control system (ICS) attack goal is to disrupt energy facilities that Americans and U.S. military installations rely on. The nonkinetic energy disruptions are intended to instill unrest and friction for the military, allowing increased momentum by the opposing nation-state in the early stages of a follow-on kinetic conflict.
The unprecedented cyber-attack campaign creates panic and anger among Americans. On the ground, the U.S. military and private sector, in coordination with state, federal and government agencies, respond quickly to the cyber attack. Under Defense Support to Cyber Incident Response (DSCIR) authorities within the Defense Support of Civil Authorities (DSCA) framework, a U.S. Cyber Command cyber protection team augments the U.S. National Guard and private sector to provide cyber incident response.
Introduction
In 1961, President John F. Kennedy assigned responsibility for civil defense to the secretary of defense, stating, “One major element of National security which this Nation has never squarely faced up to is civil defense, and the history of this planet, and particularly the history of the 20th century, is sufficient to remind us of the possibilities of an irrational attack, a miscalculation, an accidental war.” In 2016, a Government Accountability Office report recommended an update to DSCA guidance to clarify Department of Defense (DoD) roles and responsibilities to support civil authorities in a domestic cyber incident.
The report highlighted a need for guidance on expectations of active and reserve armed forces, supported and supporting command relationships and the dual-status commander during a domestic cyber incident where DSCIR authorities are authorized. In 2023, DSCIR policy was updated, and while limitations in the GAO report are better defined, DSCIR policy and processes highlight the reality that many stakeholders, including the military, are involved in cyber-related civil defense that could also impact military installation operations. Across services, there is a need to understand and train on how the United States executes cyber incident response to support civil defense and military operations.
Partnerships with the private sector build trust to better respond in a contested environment supporting DSCA and DSCIR, but trust takes time and cannot be built overnight. Future conflicts may begin at the installation, shaping the timeline and overall outcome early on. Military exercises at the installation level focused on training in a contested environment before and during conflict and aligning personnel to support installation defense, both homeland and abroad, ensure the Joint Force is agile and prepared during the next conflict.
Cyber Threats to Installations
A driving factor to reinvigorate defense of installations is intelligence. According to the DoD Cyber Strategy, “In a moment of crisis, Russia is prepared to launch cyber attacks against the U.S.” In the event of conflict, China “likely intends to launch destructive cyber attacks against the U.S. Homeland to hinder military mobilization, sow chaos, and divert attention and resources. It will also likely seek to disrupt key networks which enable Joint Force power projection in combat.” Today, China’s cyber operations have transitioned from espionage and data theft to stealthy operations to achieve persistence and position for follow-on actions. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned of Chinese efforts to identify gaps in the security of U.S. oil and gas companies, and the Office of the Director of National Intelligence warned that China “almost certainly is capable of launching cyber attacks that would disrupt critical infrastructure services within the U.S.” Cyber threats that have historically targeted the ICS domain of the energy sector currently include seven global threat groups and 21 various forms of malicious software, with those numbers steadily growing.
Volt Typhoon is a Chinese state-sponsored cyber group that targets U.S. critical infrastructure with stealthy living-off-the-land techniques, meaning it uses built-in network administration tools to achieve its objectives. The actor blends into normal network activity by routing traffic through compromised small office and home office network equipment, such as routers, firewalls and virtual private networks. Because its activity relies on valid accounts and living-off-the-land binaries, detecting and mitigating Volt Typhoon attacks is challenging and requires behavior-based monitoring. Volt Typhoon has typically focused on espionage; however, in 2023, more targeted activity was aimed at U.S. critical infrastructure. With moderate confidence, Microsoft assesses Volt Typhoon is developing capabilities that could disrupt critical infrastructure between the United States and Asia during future crises.

Contested Installation Training
Dominion Energy manages critical infrastructure for more than 7 million customers and powers major military and intelligence facilities in the National Capital Region. Dominion’s annual exercise, Cyber Fortress, embraces the nation’s call to create military-public-private partnerships and enhance cybersecurity across critical infrastructure. The exercise raises awareness throughout the U.S. and Virginia state governments about threats to critical infrastructure and establishes a baseline for working together to protect the region from cyber threats. Dominion conducts the exercise in a virtualized, custom range that replicates a corporate network and operational technology environment. The exercise scenario replicates realistic overseas geopolitical tension with an impact in the United States and simulates nation-state cyber activity used to compromise enterprise and ICS networks, notionally impacting power distribution at a nearby military installation (in the 2023 exercise). The exercise embraces partnerships that increase resilience to respond to cyber attacks and test participants’ ability to think and react while coordinating across partners. Exercises like Cyber Fortress allow understanding of what the private sector, National Guard, government agencies and other stakeholders bring to the fight during a contested installation scenario.
It is recommended that the Joint Force leverage partnerships with the private sector to increase cyber defense, incident response and energy recovery procedures at installation levels. Realistic contested training among service members and external partners is an opportunity to leverage new capabilities and tools to respond, recover and operate in a contested scenario. Examples of critical missions required at the installation that could be tested and trained include restoring disrupted electrical power and providing backup solutions in the interim; mobilizing forces to the flightline to deploy despite a contested environment with disrupted energy; providing alternative water sources due to local suspected contamination; and coordinating with emergency and continuity of operations external partners.
Training environments combined with private sector and government collaboration remove notional scenarios and provide realistic training and critical thinking among the Joint Force. As an example, the DSCIR process could be a tabletop exercise involving all relevant stakeholders; electrical power disruptions at the installation can be live, scoped and coordinated with the private utility company that owns the electrical infrastructure (Energy Resilience Readiness Exercises)—applying a realistic training environment. The training could end when the nonkinetic threat is cleared, operations at the installation are restored and service members deploy for follow-on operations.
Specialized cyber teams and personnel within U.S. Cyber Command could be prioritized and trained to support defense of installations in a future crisis. This allows trust to be built across external partners for continuity of effort. This also allows dedicated personnel to fully understand roles, responsibilities and processes of DSCA and DSCIR, which can be challenging to comprehend across disparate and ever-changing teams. Training, rehearsals and coordination with external partners increase overall readiness and ensure the Joint Force responds and recovers quickly if required. It reinvigorates continuity of operations and defense of the homeland, a commitment of resolve to families, allies and partners.
Conclusion
According to CISA Director Jen Easterly in a 2023 blog, “This is resilience: doing the work upfront to prepare for a disruption, anticipating that it will in fact happen, and exercising not just for response but with a deliberate focus on continuity and recovery, improving the ability to operate in a degraded state and significantly reducing downtime when an incident occurs.”
Military exercises at the installation level focused on training in a contested environment before and during conflict and aligning personnel to support installation defense, both homeland and abroad, ensure the Joint Force is agile and prepared. Contested installations are a challenge that cannot be solved by a new technology or policy alone. Defense of installations requires a refocus and a commitment to defend against increasing nonkinetic threats. Cultivating partnerships across the private sector, government, Joint Force and allies sustained by training and rehearsals enables trust and cooperation. Trust cannot be surged in a crisis, nor can it be automated; it must be developed and practiced.
Training in contested installation scenarios allows opportunities to experiment with new technologies available to serve as redundancies. It introduces a modern warfare environment of blended old and new capabilities, a likely scenario in the next conflict and a lesson observed from the Russia and Ukraine war. The next conflict will likely require an ability to respond, recover and fight using varied resources in a contested environment. The time to rehearse is now, and the alternative is a cold start in early moments of a crisis.
Maj. Sharon Rollins, USMC, is a cyber warfare officer, operational advisor and security cooperation planner currently assigned to U.S. Cyber Command. She previously served as a commandant of the Marine Corps Fellow assigned to Dominion Energy. She has 13 years of experience in planning and operating communications networks, developing and executing offensive and defensive cyber operations, and increasing cybersecurity alongside allies and the private sector. Maj. Rollins holds a Master of Science in Cybersecurity Management and Policy.