Participants described how their participation in Jack Voltaic 2.0, a joint exercise between the City of Houston and the Army Cyber Institute held in July 2018, opened their eyes to the threats of a combined cyber and physical attack on critical infrastructure.
During AFCEA’s National Preparedness and Infrastructure Protection Symposium on Wednesday, panelists in Jack Voltaic 2.0 shared how the exercise pushed them to collaborate closely and combine IT and emergency response expertise across critical infrastructure sectors and state, local, and Federal agencies.
Mary Dickerson, assistant vice president and CISO at the University of Houston, offered her view on the exercise from a local perspective.
“I’m a volunteer firefighter for the State of Texas, and I’ve worked with a volunteer fire department for over 20 years, so I know on the emergency response side, we’ve got that. I’m also an IT practitioner, and on the IT side, we also know what to do, when we get that suspected data breach, or when we get an incident. Those two sides of the house don’t sufficiently talk to each other, and to some extent, the IT side is not as mature in that area,” said Dickerson.
She described how planning for the exercise was the most valuable part for team, as they had to find the right stakeholders and get them together, which expanded as new areas were identified. She also emphasized the goal of creating a repeatable framework, and noted that progress on that goal still has a ways to go.
“They have been trained in this, but it is not part of their culture,” she noted. “I think that on the IT side, we need to do more work in helping it become part of the culture so that they can understand and talk the common framework, but also so they can more fully integrate with the emergency management side, where that is part of their culture.”
Mike Bell, CTO for the Houston Police Department, described how the exercise helped convince his colleagues of the importance of cyber threats.
“I think this was an amazing exercise, simply because it brought the [emergency management] type of people, the folks who are in the room during a hurricane event, into the room and exposed them to how a cyber incident might look when it unfolds,” he said.
“As the injects were occurring, those of us from IT backgrounds could see that this was building pretty rapidly to a significant event on the cyber scale, but we were having trouble convincing our counterparts who were dealing with physical security…that we needed to respond to this threat,” he added.
Bell noted that the exercise introduced him to Dickerson as a potential partner against attacks, and helped police break out of the “forensic” mindset.
“I’d argue that we’re pretty good, and we’ve been tested often, on physical responses to natural disasters and support to major events. Being ready and resilient in the face of physical, cyber, and informational attacks is different, and getting more complex as everything is getting smarter and connected” said retired Lieutenant General Rhett Hernandez, chair of the Army Cyber Institute.
Major General Michael Stone, commander of the 46th Military Police Command, touched on the confusion of the roles of state and Federal government in a major regional incident.
“When you see us show up in uniform responding to a hurricane, nobody cares what status the military’s in, but we’re always in a support role to support the civil authorities. But when you talk cyber, we’re all trained in the incident command system…there was a temptation at the local level in some respect, once they know the capabilities of the Federal level, to just skip the incident command system, and just ask for that capability at the Federal level,” said Stone. “When you add cyber, people forget their training.”
You’ve got to follow the process…you don’t want the military being in the lead on keyboards. It just kind of violates our sense of us being in support, and after the fact, all the hearings are going to happen and everything,” added Stone.
Stone also touched on the need for Federal agencies to make their role clear to states and municipalities, and push them to embrace their own cybersecurity.
“You’ve got all kinds of capabilities at the state and local level, but nobody at the national level can track that. You read the Presidential Directives, and what the role of the military is to defend the homeland vis-à-vis DHS [the Department of Homeland Security], the assumption is that DHS is going to be there. In the old days we were always told these CERT [Computer Emergency Readiness Teams] teams could show up and have all this capability. Well, they can come and give you advice, but there’s not a lot of Schlitz there. This has got to be a whole of community and whole of nation response to cyber,” he added.