President's Commentary: Protecting and Sharing Critical Infrastructure
With the Jack Voltaic (JV) exercises, which were first launched in 2016, Army Cyber Institute (ACI) researchers have taken a unique, “bottom-up” approach to critical infrastructure cybersecurity and resilience. Because the worst effects of a critical infrastructure attack would likely be felt first at the city level, the focus is local, especially on those cities and municipalities that share infrastructure with nearby Army bases.
The ACI’s JV website explains that U.S. military installations and surrounding communities share an interest in the resiliency of cyber-critical infrastructure systems. Additionally, a failure in one critical infrastructure sector can cascade across others.
According to the JV 3.0 report, the project enables the institute and partners to study incident response gaps, identify interdependencies and offer recommendations. “Whereas most federal efforts to improve resiliency focus on regional or multistate emergency response, JV focuses on cities and municipalities where critical infrastructure and populations are most heavily populated,” the report explains.
The ACI, the Army and the Department of Defense harvest insights about roles, dependencies, partners and requests for support while cities discover potential capability gaps, expand their critical infrastructure information-sharing networks and gain understanding of prevention and response capabilities before a potential disaster strikes.
Note that when China’s state-sponsored hacking group, Volt Typhoon, infiltrated U.S. critical infrastructure, they targeted electric utilities and emergency management systems, highlighting the threat to U.S. cities and validating the ACI’s local-centric approach. Additionally, the group targeted communications systems important to U.S. military forces in Guam, which would be strategically important to the United States if China were to invade Taiwan.
Now, the project will mature and transition. Through partnerships with other academic and policy communities, the ACI seeks to foster the growth of JV-inspired practices. Multiple initiatives through 2025 will build upon the momentum and lessons of JV 1.0 - 3.0, the ACI website states.
Lt. Col. Jason Brown, director of ACI’s Cyber Law and Policy Division, told SIGNAL Media that they are forging a new path for JV in hopes of transforming it from a tabletop exercise to ubiquitous practices. The need remains, he indicated, to educate and inform Army customers and local officials in cities near military bases, to create opportunities for military officials and local leaders to communicate “over the fence,” and to alert installation management personnel about their dependence on civilian infrastructure.
To ensure the nation continues to reap JV benefits, the ACI is searching for advocates within the military—Army North is one possibility—and other departments and agencies, such as Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Universities and nonprofits also are likely advocates, Col. Brown said. So, AFCEA may be able to play a role. My esteemed predecessor, Lt. Gen. Robert M. “Bob” Shea, USMC (Ret.), former president and chief executive officer of AFCEA, recognized the importance and value JV exercises offer. AFCEA International and our Atlanta Chapter worked with the ACI and the regional CISA cybersecurity advisor to conduct a multisector tabletop exercise with the city of Atlanta and the state of Georgia in 2023, enabling participants to practice a coordinated response.
AFCEA is a professional association that connects people, ideas and solutions globally. Our mission is to provide an ethical forum that allows the military, government, industry and academia to discuss issues, identify challenges and find technology solutions to meet the needs of our national security and defense community.
We are looking for opportunities to draw on the breadth and depth of our membership’s expertise to support our strategic partners. We could host more tabletop exercises or simply provide a forum for revealing and discussing results. In doing so, we would support the exchange of information, ideas and solutions across the public and private sector to deepen coordination and build critical infrastructure resilience.
We at AFCEA will continue to assess our role, but in whatever way we can, we will support this valuable work to protect the infrastructure our community shares.