Plans, exercises, and lessons learned.
Practice makes perfect, just the way it does in any team sport.
John Foti (Senior Associate, Booz Allen Hamilton) moderated a panel whose members included Brigadier General (retired) Gregory Touhill (President, Federal Group, Cyxtera, and former CISO, US Government), John McClurg (Cylance), Ny Ho Wong (Government of Singapore), and Atsushi Karimata (Counselor, Japan's National Center for Incident Readiness and Strategy for Cybersecurity).
Trends in cybersecurity exercises.
Karimata opened by noting that that the number of participants in major exercises has continued to increase. He also said something the experience of most military people would validate: "The exercise itself is less important than participants' preparation and post-exercise review."
Touhill seconded Karimata's remarks, and he drew upon his own experience with CyberStorm to expand upon them. Like Japan, the US has a tiered structure within which it conducts many exercises (at his last check, there were about two hundred of them).
Like Karimata, Touhill sees greater realism, more interaction, greater participation, and more sharing about the risk and threat environment.
Singapore's Ny Ho Wong agreed with the importance of deriving lessons learned from exercises, and especially of sharing the ones that become best practices. He's seen this happen among competitors who exercise together: they remain competitors, but "they become friends."
Advice on designing exercises.
Touhill offered some general lessons he'd learned about the proper conduct of exercises. The first one he picked up from a mentor, Coast Guard Admiral Thad Allen: "The time to exchange business cards is not the time of crisis." So, Touhill said, be sure to build relationships in advance of crises, and exercises are an opportunity to do so.
When you design an exercise, Touhill advised that you decide on some discrete problem you want to address, and then look at testing the processes and procedures you have in place, with appropriate measurement.
Go back and look at the after-action reports of other exercises. Read the previous reports, take action, and assess the actions taken. Involve top leadership so the exercise is taken seriously. "Play for real," Touhill advised. "Don't try simulating away too much. Make the phone calls you would normally make." Budget for the exercise, and allocate necessary time and resources. Make it a priority.
With respect to exercise scenarios, McClurg emphasized that it's important in cybersecurity to work through scenarios in which the bad guys move through your extended supply chain to get to you.
Challenges and opportunities in international cyber exercises.
Touhill believed that in his experience most of the successful international exercises have been bilateral. McClurg saw bilateral and multilateral exercises as offering a particularly valuable opportunity. There are radical differences among national legal systems, especially insofar as they pertain to cybersecurity, and exercises are good ways of becoming aware of divergent norms and requirements.