Inside the Pentagon's cyber war games

Featured eBooks
NASCIO 2025 Special Report
Changing Workforce
Future of Tech Infrastructure
Insights & Reports
4 steps to successful data governance programs for government
Presented By Carahsoft
Download Now
The agility mandate: How government agencies are rethinking work to deliver faster
Presented By Atlassian
Download Now
By Tom Patterson,
GCN

By Tom Patterson,
GCN

|

Tom Patterson, CSO of MagTek and an adviser to the Air Force on cyber operations, took part in the recent Pacifica cyber war games and describes some of the lessons learned.

Under a constant canopy of low-flying nuclear-capable B-52s, the brand new Cyber-Innovation Center in the shadow of Barksdale Air Force Base in Bossier City, La., provided the perfect setting for the Pentagon's latest cyber challenge — a public- and private-sector exchange focused on leveraging “the art of the possible” in a cyber war game setting. Unlike the war-games or exercises prepared for by Barksdale's nuclear strike force — the Global Strike Command — these cyber war games, held in September, help prepare America for a different type of battle altogether.

Not just Xbox anymore

Just to be clear, these war games are about the real effects of a cyberwar, not bloody Call of Duty avatars or losing your Second Life. This is about clever bad guys using bits and bytes to confuse, dissuade or shut-down people and systems, on the battlefield and across America.

This is also about making planes fall from the sky, ships sink or drift at sea, and cutting off forward deployed troops from their lifelines. This is about causing chaos in our streets at home due to sudden crashes in our critical infrastructure through manipulation of our banking, transportation, utilities, communications, and other critical infrastructure industries.

These are all real scenarios being considered both by the United States, our allies and our adversaries. These cyber war games are in place to ensure that we consider everything, get awareness to what capabilities exist and prepare for it in the event it's ever used against us.

Next: A secret weapon

A different kind of game

War-games usually start with a story-board, where two teams — Red for bad guys, Blue for good guys — are presented a fictional scenario and face off in a simulated conflict over some time-period (today or 10-plus years from now), where Red thinks up ways to attack and Blue thinks up ways to counter those attacks and defend U.S. (and global) interests.

Related stories:

Cyber ShockWave exposed missing links in U.S. security

New threats compel DOD to rethink cyber strategy

In the cyber realm, Red's been kicking Blue's butt, so Blue did something radical. They hired Riley Repko away from private industry to develop non-traditional ways to engage the private-sector — the “true owners” of the intellectual capital within the cyber domain.

Because these defense-centric war games have historically been classified exercises, the participants were always limited to those with security clearances. Although that has always worked well in the kinetic world of air, sea, and ground power, it fails when it comes to cyber power. Much of what is possible in the cyber world is being thought up by people who never would want, or never could get, a Defense Department security clearance. That's where Riley's cyber war-games come into play.

Repko is a veteran of both the military (having retired from the U.S. Air Force Reserves in 2006 after 27 years of service), and the private-industry (working 25 years in management positions, including over a decade for Larry Ellison at Oracle). He has come back to the government and is now serving within Air Force Operations and Requirements, leading their engagements efforts, specifically with the private-sector.

Because of his transformational thinking, he is currently detailed to the Office of the Secretary of Defense. He knew that if we wanted to tap into American ingenuity and creativity, he would have to change the rules of the game. And that he did. This starts with, as he puts it, “awareness to what's out there” (capabilities found in the private sector) and their capacity — specifically, does this solution exist, is it fielded or is it merely an idea still on a napkin?

Next: The strategy revealed

Setting up the board

The key to Riley's plan is the ability to utilize a trusted third-party to perform the “sanitization and anonymization” functions that shield any over-exposure to vulnerabilities while at the same time protecting the sensitive corporate intellectual property from being misappropriated.

This further allows for the widest population of experts (globally) to participate, no longer worrying about clearances or IP issues, and for focus to be given directly to the real war problems at hand.

In essence, extending the operational reach of the military through a nexus of collaboration between large and small businesses, the R&D and university communities, venture capital, the inter-agencies and even the 'wizards' — those hackers and patriots who must be part of the mix. That made this cyber war game unlike its kinetic forefathers — fully collaborative, quite interesting and demonstrating a new model for going forward.

In this game, the Air Force took the time to create an actionable scenario that did not divulge any sensitive or classified material, yet still challenged participants to bring to bear the most creative of technological solutions.

Next: The battle is joined!

Inside the Pacifica Games

After the Air Force set the stage by briefing us on the hostile events transpiring on the fictional island of Pacifica, we went to work. We were briefed in a real world environment, with bits and pieces of information coming in real time. As happens in war, the events escalated over time, with the Red team throwing wave after wave of attacks that were a blend of kinetic and cyber challenges.

We had several Air Force officers with our group, to help define the typical military response and requirements in these situations. And then it was up to us. We leveraged what is being thought of, developed and deployed in the private-sector, including IPv6 communications (for ad/hoc networks and covert communications), a variety of transportable identification and authentication systems,  including magnetic fingerprints (which are used successfully in the payments world but never before in war), game theory, games development, advertising, social networks, search engines, and much more.

As a member of the Blue team, I was joined by technical experts from the intelligence community, former inter-agency federal leaders, academia and the communications, information security, financial, technology and other commercial sectors. The representatives from each of these organizations were not the typical business development types (for the most part), but rather that one person that most companies keep locked in their vault, as they know more about their subject than anyone else.

We knew this would be different from a typical business meeting when they had us all remove the batteries from our BlackBerrys and mobile phones, and completely power down our iPhones — explaining how advisories can load malware onto mobile devices that allow remote activation of our microphones. They didn't want us tipping our Blue hand before we even got out of the gate.

We had a Blue team member design on the board a new way to communicate, using adaptive lasers, despite the formidable enemy communications deterrence over Pacifica. This was something his company never deployed, because he knew of no commercial need, yet seemed to provide a workable countermeasure to the Pacifica “enemy.” We also developed a low-tech idea that repurposed soccer balls that also holds promise. In these games, everything was on the table.

Over the two days of the game, the Blue team offered over a dozen possible countermeasures to the Red team’s aggression, and followed our guidance to “find ways around the problem, if you can't stop it directly.” Lots of mash-ups were created that I've never seen before, which could well be steps toward defending our nation.

Next: Debriefing

Stopping a real cyber-war

While I can't say that the Blue team “won” the game, I do know that this is the way to develop our defenses going forward. Cyber war is so radically different than kinetic war, and the participants got very realistic demonstrations about the how the mash-up of both is changing everything. This approach to the problem will be a critical success factor of the future. Yet we still need to do better.

These Pacifica games demonstrated both the need and ability of this approach, but DOD needs to make this a long-term trusted component of their planning, and that requires three next steps:

Step 1. Use the fruits of the Pacifica war-game by linking and sharing the most promising of ideas to their most appropriate government partner, and get them going as projects. By tapping into the private-sector, you will be amazed as to what the 'art of the possible' is near-term.

Step 2. Build out the collaboration framework elements identified and developed by Mr. Repko. The “sanitizer and anonymizer” mechanism managed through a trusted but neutral administrator could enable both the Defense Industrial Base and the 17 other Information Sharing and Analysis Centers, small technology businesses, research and academic organizations to safely register and collaborate their potential technologies, gaps and seams with DOD and inter-agencies' and assist them with defining their cyber-warfare requirements.

Step 3. Widen the circle of participants for the future games, more commercial experts from smaller and more unique companies, design in the use of tele-presence to lower the burden on small business to participate, and spread the word through all business sectors that DOD (and federal agencies) are now 'open' for business.

I was proud to both advise and participate in the Pacifica cyber war game workshop. Along with many of my commercial colleagues, I look forward to the Pentagon taking the next steps with the support of the science and technology communities of Congress, DHS, and especially the private-sector. We can and must leverage the best innovation our country has to offer in the defense of our freedoms.

NEXT STORY: Telework tool: A DOD innovation goes wide

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.