Jack Voltaic: critical infrastructure resiliency project, not a person.
Dave Bittner: Hello, everyone, and welcome to the CyberWire Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Erica Mitchell: Well, Jack Voltaic got its start back in 2016.
Dave Bittner: That's Lieutenant Colonel Erica Mitchell from the US Army Cyber Institute. Today, we're discussing Jack Voltaic. That's their critical infrastructure resiliency research project.
Erica Mitchell: My predecessor, Chief Warrant Officer 4 Judy Esquibel, was looking for a research project and started thinking about, we have these mutual assistance agreements for energy companies. If there's a major natural disaster, you get linemen from all over the nation come in to help whatever the affected area is. And her thought was, what if we could do something similar with cyber? You know, we have struggles in having the appropriate number of cyber personnel. We have a negative unemployment rate in cyber. So what if we could lift and shift personnel when there's a major disaster?
Erica Mitchell: And so, that's how the Cyber Mutual Assistance Workshop in 2016 happened. And at that workshop, they discovered that there was difficulty in translating things across companies and across sectors. And so, the broader research became, how do we help these sectors talk with each other and leverage each other in the event of some type of cyber incident? And so, they conducted Jack Voltaic 1.0 in New York City in partnership with Citi. And from Jack Voltaic 1.0 they tested a terrorist attack with a cyberattack that occurred afterwards, particularly targeting finance, transportation, and energy sector. And the data that came out of that showed that we weren't really prepared for opportunistic cyberattacks. And so New York City was able to leverage that research and have since stood up their very own Cyber Command.
Dave Bittner: And then you move on to Jack Voltaic 2.0. What was the program there?
Erica Mitchell: So, with Jack Voltaic 2.0, we decided that we were going to take a look at another major metropolitan area. In this case, it was Houston. And with that, we also incorporated Beaumont, Texas, which is where we do a lot of port activity. The Surface Deployment and Distribution Command does – they move stuff out of the Port of Beaumont. And so we brought them into the scenario, and we were looking at what happens in the event of a hurricane and then a cyberattack, kind of preying on the chaos that surrounds hurricanes. And what we learned from that is, one, during a hurricane, all the ships are going to be pushed out of the port, so any cyberattacks that happen after that are basically overcome by events and don't have an effect.
Erica Mitchell: But what we also learned is what we tend to think of as the center of gravity – you know, you look at energy particularly – isn't going to always be the center of gravity. For Houston, water and wastewater was actually a bigger issue because of the amount of water needed to shut down the chemical plants there. And so these Jack Voltaic events kind of pull these threads that no one's gone, you know, all the way down the rabbit hole on. And we learn new things every time we conduct one.
Dave Bittner: Hmm. Well, today we're going to be focusing on Jack Voltaic 3.0. Before we dig into what you all did this time around, I'm sure there are some folks in our audience who are wondering about the name itself, which I'll admit I find a bit delightful. Can you give us a little of the back story? How did it come to be called Jack Voltaic?
Erica Mitchell: Well, sure. So, in the Army, in the military in general, we tend to give things these two-word names. And so, Judy really liked the term Voltaic and kept kind of trying to figure out what would go with that and then hit upon Jack. And the bad thing about Jack Voltaic is it's often caused people to ask us who Jack Voltaic is and expect a man to show up for these discussions...
Dave Bittner: (Laughs) Is he wearing a cape?
Erica Mitchell: ...But it's a great name. (Laughs)
Dave Bittner: (Laughs) It's certainly catchy and easy to remember and I think fitting for the type of exercises you're doing here. Well, let's dig into the third iteration. What did you all set out to do this time around?
Erica Mitchell: So, I'm going to go back just a little bit. Right before we did the third iteration, we were asked to go do a series of workshops across America. We went to six different port cities, and this was Jack Voltaic 2.5. And what we saw was that these port cities, even though they're all port cities, every single port city is different. And so that kind of led us, in Jack Voltaic 3.0, to not just look at port cities, but also make it more of a regional focus. It's kind of trivial – not completely trivial, but fairly trivial – if you can pivot from one port to another that's within a couple-hour drive. Where it becomes difficult is when you have two ports that are in close proximity to each other, that are both experiencing problems. And then you've got to start looking further away to pivot to a different port if you're trying to do a forced deployment.
Erica Mitchell: And so for JV 3.0, we were looking at pulling the thread that we couldn't pull with service distribution and deployment command – or deployment and distribution command during JV 2.0 and seeing whether an attack on civilian critical infrastructure without targeting the DOD specifically could interfere with our force projection mission if we had to send people and equipment out the door. And what we learned during JV 3.0 is that it absolutely has an impact. And we also saw some more of the information sharing that we've seen during JV 1.0 and JV 2.0, in that we had equipment that was moving to the port, but the cities that it was passing through weren't necessarily informed that it was coming there. So when they had these strange cyber issues, they weren't suspecting that it may be part of a bigger motive that's targeting DOD passing through their city. And so what we see is that the information sharing piece is one of the biggest components of Jack Voltaic in the findings every time we do it.
Dave Bittner: You know, looking through the report here that you published, one of the things that struck me – and I think this is just me coming from my own point of view – is, you know, that when you list your scope and objectives, the top of the list was to examine the impact of a cyber event on Army force projection. And I think it's not reflexive for me to think about Army force projection within the continental United States. I think most of the time I'm thinking of the Army going to other places and doing things. But that's – this is part of your mission, and I think for whatever reason, that has sort of fallen out of the popular imagination of the types of things that you all do, but still an important part of the mission, yes?
Erica Mitchell: Absolutely. So, a lot of times we assume away any risk in the homeland, or we assume that we're going to have this uncontested homeland, and that if I need to move equipment from Fort Hood to Beaumont, nothing is going to stop me. If I need to move equipment from Fort Gordon to Charleston – which coincidentally I did back in 2003 – nothing is going to prevent me from being able to do that. And so, with cyber, that is no longer a good assumption the way it was twenty years ago or thirty years ago when we didn't have to worry about anyone being able to come over and start a fight in the homeland.
Dave Bittner: Mm-hmm. Right, right. The very nature of cyber is such that people can cross those borders virtually and affect things from a distance.
Erica Mitchell: Exactly. And so, what we're trying to do, one of our big focuses at the Army Cyber Institute is preventing strategic surprise. If we can dream it, someone can do it. And so that is why we're focusing so heavily on preventing that strategic surprise in the homeland having cyber prevent us from being able to complete our force projection mission.
Dave Bittner: Well, let's go through the scenarios here and how you organize things, you know, the varying degrees of types of events and impacts that could have on things, both within the military and the cities themselves. Can you share with us – how did you go about planning this?
Erica Mitchell: So, we had a team that got together and we actually researched events that have happened. So, for example, for some of the train injects, there was a young boy in Europe who, at 14 years old, managed to derail a train through hacking. And so we based everything on existing malware that could deliver the injects that we had, and on existing events that had already happened. And that way, it kind of prevents people from fighting the scenario. You know, when you come up with something that's completely off the wall, people don't really want to trust in the scenario, and they're more likely to say, oh, well, that can't really happen. But in this case, we were able to say, look, everything we're saying can and has happened. And that was our main focus, was to make it a realistic scenario using real-world events.
Dave Bittner: Can you walk us through then, how does it play out? I mean, do you start with low-impact things and sort of crank up the heat from there?
Erica Mitchell: So, in this case, absolutely. We went with a death-by-a-thousand-paper-cuts-type scenario. And that's because what we're looking for is, at what threshold are people going to recognize that this may be an actual cyber event? And then for the next step, at what threshold are they going to declare that it's a cyber event? Because from a legal and policy perspective, there has to be a declared event for certain things to trigger certain support from the federal government and for states to get involved. And if there's no incident declared, then nothing is going to happen until said incident is declared and support is requested. And that's what we were really looking at – where are those thresholds?
Dave Bittner: And what did you learn? I mean, what can cause a delay between something happening, the suspicion that it may be one thing, and an official declaration?
Erica Mitchell: So, a lot of the delay is we're still in a mind state where we don't expect the cyberattack. So, for example, when we had the traffic lights that were acting funny, the first thing people want to look to is mechanical failure, because, you know, at this point, that is a far more likely scenario than someone hacking from another nation-state. And so we left everything nebulous to see where the communication was. And the communication initially goes from the city to their DPW equivalent – not all of them are named DPW – but Department of Public Works equivalent, who then send somebody out. And so you get the delay where they're going out and checking the physical equipment or replacing the physical equipment. And then, if there's still a problem, then they may go to the next level and start to look at, well, is it possibly cyber? So you've got a pretty long time delay between a cyber interference starting and it actually being recognized as cyber if you keep it low-level, non-catastrophic.
Dave Bittner: Can you give us an idea of who are the various groups sitting around the table here? Who was taking part?
Erica Mitchell: Oh, so we had participation across industry. We had the local governments from the cities of Charleston and Savannah and town of Mount Pleasant. We had the local energy companies, Dominion Energy, Georgia Power. We also had federal participation as well. We brought in – during the law and policy tabletop exercise – we had representatives from US Cyber Command, US Army North. We also had the Office of the Secretary of Defense for Cyber Policy represented. And so, it's this whole-of-community approach where we kind of bring everybody together. We even had the Charleston City School District, the Savannah School District brought in, because a lot of times people don't really think about the impact of public schools and children, but in our scenario, when there were events that directly affected the public schools, you started to lose personnel to work on your mission because they had to go pick their children up or they were worried about their children. And so, we really tried to take a broad, holistic look at everything that could possibly go wrong and cause a delay.
Dave Bittner: Did you have many sort of aha moments along the way? I mean, were there any things that stood out to you where, you know, people were looking around the room, looking at each other across the table and saying, hmm, that's interesting?
Erica Mitchell: So one of the big aha moments – and I kind of just gave it away with my answer before – during the law and policy tabletop exercise, we kind of stepped through some scenario pieces there, and we brought up the potential of an alert going out about a shooting at a school. And the horror, the tension in the room was absolutely palpable. And when you think about it, a lot of the people that are working in these offices have school-aged children, and even though they knew it wasn't real – it was a room full of people discussing a scenario – you could feel the tension and the stress coming off of all the parents in the room. And you could tell that that would be an immediate reaction. It doesn't matter what else is going on – that is going to be handled before anybody is ready to continue work.
Dave Bittner: Yeah, that's fascinating, isn't it? I mean, it's – I guess you can't really underestimate the human side of all of this, particularly as you mentioned at the outset, you know, when we're dealing with things like natural disasters and then having cyber put on top of that, people's emotional state is really an important part of all this.
Erica Mitchell: Exactly. I know in some of the workshop discussions we had when we were talking about earthquakes and flooding, depending on where we were, people will take care of their families before they can focus on the mission. And so, a lot of incident response planning depends on a best case scenario, where you have a hundred percent of your workers and they're completely focused on the mission, when the reality is if you're having these other issues, whether it's, you know, natural disaster, or a terrorist attack, or any other type of physical event, people are going to definitely put a lot of focus on making sure their families are safe before they focus on the actual job.
Dave Bittner: What were some of the main take-homes here? At the end of the day, what did everyone learn?
Erica Mitchell: So, at the end of the day, I will say one thing that I've got to put in there, that kind of trumps all of the actual lessons from JV 3.0 itself, is that we managed to conduct this fully distributed virtually online. And that's a whole new thing in tabletop exercises. Ordinarily, and up until the end of February, we were bringing everybody together in a room where they could interact, talk face-to-face, build this trust. And then with COVID travel restrictions, we had to lift and shift and move the entire thing online. And now, I absolutely prefer the online methodology because, realistically, that's what's going to happen if there is an event. You're still going to be in your office, especially as long as we saw it take for people to recognize that it may be a cyber incident, even though they were participating in a cyber exercise. So, I think us moving this online and doing it a hundred percent virtual, far better mimics real life than actually bringing everybody in a room together where you kind of have a shortcut. You don't have to pick up the phone and call someone or email someone, you can just talk across the table.
Dave Bittner: Right.
Erica Mitchell: And also, in addition to that, what we've learned is we need more of these. And that's not me trying to toot our horn or anything like that. The reality is our structure and our framework has basically brought as many questions as it's answered. And so, with us doing one every couple of years, we've found that that is not going to get to the heart of the problem in the same way that having cities able to do their own would. Where they can do one more frequently and they don't have to go through the process we have to go through of coming into a new area, trying to understand the local landscape, finding the right partners, establishing trust between all the parties. And what we're hoping to do, and what we've been working on, is making it where these cities – and even possibly regions and state-level – can conduct their own exercises and start to evaluate their progress on top of where they are now, but be able to continue to do them and evaluate progress from there.
Dave Bittner: Yeah, I mean, it really strikes me that there's an advantage to the cities of having you all from the Army Cyber Institute kind of take the lead on this, because you're not coming into an area with a set of biases. You know, you don't necessarily know all the ways that this particular locality does things, and so you're not liable to have that sort of, you know, that old chestnut about, well, that's the way we've always done things. You know, you're able to bring fresh eyes to the situation.
Erica Mitchell: Right. But now we're trying to use our framework to bring those fresh eyes without us having to go there ourselves. And it's just for, you know, economy of scale, right?
Dave Bittner: Right.
Erica Mitchell: I have a small team. We have three to five people at any given time. And so, trying to go out to a lot of different locations isn't going to get us where we need to be quickly. And so that's why we've developed a suite of tools that allow cities to go in, and without necessarily seeing the scenario up front, they can share what sectors and subsectors they want to have participate, how long they want the exercise to be, whether it's a half day or a three day exercise. And they can input a certain level of information about what they're looking to do. And then what our tools do is it basically fills in the Mad Lib for them and hands them back an exercise guide and a player handbook. And it also gives them a data collector guide. Like, what information do they need to know? What questions do they need to ask? And then at the same time as they get their documentation to run their exercise, it's also sent over to the Norwich University Applied Research Institutes' Decide platform, and they can actually play the exercise online in the Decide platform. And so what we've done is we've kept it low cost and low impact for the cities, but we've also managed to spread what we can do with just a handful of people.
Dave Bittner: What's the response been so far with the cities that you've partnered with? How are they feeling about having gone through this exercise together?
Erica Mitchell: So every city we've partnered with has loved it, they've leveraged it – at least so far, New York City and Houston have both leveraged the results of the exercise to get grant money to improve their cybersecurity. Charleston and Savannah are working on that, but they're still very early in the process. And they've all requested to do it again. I actually just spoke with someone a few days ago about the potential for Houston doing it again. And so what we're offering is for Houston to be able to use these tools and develop their own exercise using our framework. And so that's what we're hoping to do because we would love to have that repeat exercise feedback as opposed to, OK, we've done this one area and we're never going to see you again. You know, we would love to be able to follow up and have people continually do these so they can see where they've improved, what areas they still have for improvement.
Dave Bittner: Our thanks to Lieutenant Colonel Erica Mitchell from the Army Cyber Institute for joining us. If you'd like to learn more about their Jack Voltaic project, we'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.