The US Military Can’t Train To Fend Off the Worst Cyber Attacks on Infrastructure — Yet


Digital wargames that ‘truly represent a realistic and relevant threat’ are coming in 2019.

The U.S. military can’t fully test its ability to respond to a catastrophic cyber attack on civilian infrastructure, and likely won’t be able to until 2019, representatives from Cyber Command and the Joint Chiefs told lawmakers on Wednesday.

Last Friday, Cyber Command wrapped up Cyber Guard, a major exercise that gathered 800 representatives from DOD, DHS, FBI, and industry to practice repelling a major network attack on U.S. infrastructure. The exercise took place on a joint information operation range in Suffolk, Va. — a kind of cyber firing range. The exercise, however, didn’t emulate the full range of tactics and techniques that hackers might deploy against U.S. infrastructure.

“We don’t have the scale or the complexity to truly represent a realistic and relevant threat, the ones that we’re truly trying to train to,” Brig. Gen. Charles L. Moore Jr., the Joint Chiefs of Staff’s deputy director for global operations, told the House Armed Services Committee.

In the event of a massive cyber attack on the United States, Cyber Command would help fend it off or respond to it, as directed first by U.S. Northern Command and, on top of them, DHS.

At the hearing, a lawmaker asked Lt. Gen. James K. “Kevin” McLaughlin, Cyber Command’s deputy commander, whether his forces were ready to respond to a full range of possible attacks on critical infrastructure.

“I would not be able to say I’m confident we would be able to respond to all of those,” McLaughlin said. “Control systems are different than platforms like airplanes and tanks, which are different from networks.”

That won’t always be the case. Cyber Command is building what its leaders call a Persistent Training Environment. It’s a different sort of cyber firing range, one that can accommodate a much wider host of commercial industry participants and a much wider array of systems, networks and devices, and that can better emulate a catastrophic cyber attack. Most importantly, operators will be able to train against different threats and attack scenarios continuously, rather than just in occasional exercises. That ability to train round the clock is key, Coast Guard Rear Adm. Kevin E. Lunday told reporters at the conclusion of last year’s Cyber Guard exercise.

That might include the ability to bring in players from across industry and in different areas or locations. “The final piece is the physical locations that the exercise participants sit in, and then the transport layer that they connect into the exercise from … We can do that in a very distributed way from all over the nation, or even internationally, through a transport layer into the exercise environment,” said Lunday.

McLaughlin told lawmakers that the new range would include detailed and realistic simulations of attacks.

“Part of what we will build are the high-fidelity replications of each of those unique types of targets that we would defend against,” he said. “We are building the ability for civil or other partners … and connect into that environment and then the people that want to actually do it, they will actually sit down, plug into what looks to them like their realistic replication of what they’re trying to defend. And then do their job in a realistic scenario against hackers.”

The “Persistent Training Environment gives us a couple things we don’t have on the joint training operation ranges,” Moore said.

He said that the Joint Chiefs are currently reviewing the initial capabilities document, a process he expects to conclude within a couple of weeks. If that happens, then the training environment will reach initial operating capability in fiscal year 2019.