Vanguard Shield Cyber Exercise: Who Ya Gonna Call?
Vanguard Shield, a tabletop exercise hosted by the AFCEA Atlanta Chapter in Atlanta on the first day of the chapter’s second annual Homeland Security Conference, stressed the importance of planning ahead of time and nailing down the basics.
The exercise was run by Klint Walker, supervisory cybersecurity advisor for the Cybersecurity and Infrastructure Security Agency (CISA), and Keyaan Williams, managing director, Cyber Leadership and Strategy Solutions (CLASS)-LLC, an Atlanta-based firm that aims to help global customers benefit from strategy, governance and program management lessons.
The coordinated cybersecurity preparedness exercise assessed how events impacting critical infrastructure are handled. The scenario involved a world-class sporting event and a wide variety of cyber-related threats and challenges, such as state-sponsored hackers, espionage, hacktivists, ransomware and insider threats, inspired by real-world events over the years.
The goal was to help identify and address gaps and interdependencies, bringing together various government agencies, industry and academia. The exercise was developed around areas of interest suggested by the participants and focused on gaining key insights into how multiple levels of industry and government respond to events impacting critical infrastructure and what impact that might have.
A common thread throughout the exercise was a focus on the basics, such as knowing when to notify industry executives or senior government leaders, identifying which law enforcement agency to call first and knowing what industry or other organizational partners to notify. “We’re going to be looking at this as an ecosystem and all the critical infrastructure. It’s not just what you would do. We don’t want to air dirty laundry,” Walker said in his opening remarks. “That’s not the purpose for you to tell us internally you’re going to be doing X, Y and Z—unless you think that’s going to impact the way that somebody else is able to respond. It’s about how are you sharing information, how are you letting everybody know what’s going on.”
Williams asked participants how many knew the primary law enforcement agency to reach out to when a critical infrastructure cybersecurity challenge arises. “It does become very valuable if you identify in advance when you have a problem, who you call. In some cases, I think it’s the State Department, in some cases, it’s gonna be the FBI. It could be another agency. It depends on the nature, the method, the cause, the outcome of the attack, but your response is going to be enhanced if you know which of the ghostbusters you’re going to reach out to.”
Toward the end of the discussion, Alan Greenberg, the chief information security officer for the city of Atlanta, offered some basic tips gleaned from lessons learned:
- Have an incident response plan.
- Have that plan on paper so it is accessible when systems are down.
- Have a shortened version of key tasks for briefing executives.
- Continually update points of contact.
- Retain vendors for incident response to immediately enhance the workforce because employees will soon be overwhelmed and exhausted.
- Provide teams with hands-on training.
Greenberg described an incident in which a county’s payment system was locked up and could not be accessed. “They had to go to the bank; they had to get permission to write checks, had to find someone who knew how to type up the checks because all of the electronic versions were locked up. They had to find paper to write them on, the format to do them, and then coordinate and give instructions to a lot of the people because a lot of the employees had never seen a check before,” he reported.
Greenberg added that “hackers hate it when we work together.”

Rick Siebenaler, CEO, Maritime Cybersecurity Institute, a nonprofit organization, attended the event and told SIGNAL Media that the value of cooperation and information was one of his key takeaways from the event. “Independent organizations need to be able to work with each other, be open to sharing information, not be fearful of doing that.”
A second takeaway, he said, was that a seemingly minor cyber incident could turn out to be part of a much bigger threat. “What might appear to be normal, run-of-the-mill cyber activities that happen all of the time may be just the tip of the iceberg to a much bigger strategy that’s happening, but oftentimes all you see is the tip,” Siebenaler said.
He also reported being impressed with the need to build relationships with the FBI or other relevant agencies and being willing to talk to them about cyber vulnerabilities. “People don’t like to talk about it. They don’t like to talk about where there are weaknesses or shortages or gaps. We naturally hesitate to do that, and we need to be more comfortable doing that. And they need to be more comfortable sharing with us.”
Col. Kathleen Swacina, USA (Ret.), CEO/chief information officer of Kolibri Strategy, vice chair of the AFCEA International Homeland Security Committee and a member of the AFCEA Board of Directors, is helping AFCEA chapters organize the critical infrastructure tabletop exercises. She also attended the event and spoke briefly with SIGNAL Media during a break.
“Some of the lessons learned that I hope will come out of this would be the different agencies looking at the scenario and some of the questions that have been asked about whether you do multifactor authentication or down to the end-user monitoring, whether you do zero trust—some of the things that are out there that we are all talking about as federal agencies as well as industry. Do you have these checks and balances in place?”
She also stressed the value of breaking down silos within the critical infrastructure cybersecurity community. “Putting faces to names to telephone numbers, I think is critical. Holding exercises like these throughout the country—that’s what we’re trying to do within AFCEA—is to look at our critical infrastructure and break down those silos and get the talk that we need to have for critical infrastructure protection in this nation,” she said. “When something happens, a disaster happens, or a cyber attack happens, what’re you gonna do? Who’re you gonna call?”