An Inside Look At a CYBERCOM Dress Rehearsal

U.S. Air Force

CYBERCOM, when called on by DHS, helps repel incoming cyberattacks of catastrophic consequence.

During a recent hack attack drill, Cyber Command troops botched an attempt to stop compromised energy machinery from leaking oil -- and that was the intention, the Pentagon says.

"We do that because at the point of failure, that's where learning will occur," Rear Adm. Kevin Lunday, CYBERCOM director of exercises and training, told a small group of reporters.

Last month, in Suffolk, Virginia, Lunday supported the annual "Cyber Guard" practice session with civilians and an all-military "Cyber Flag" session.

Key to both exercises is the nascent "persistent training environment," or PTE, a closed network with a so-called transport layer that connects players at various locations.

Between June 21 and June 29, CYBERCOM troops in Fort Meade, Maryland, San Antonio, Texas, and overseas locations, among other places, participated in Cyber Flag. In all, 800 U.S. military members and allied partners deployed to the cyber range, organizers said.


During the previous two weeks, service members had partnered with other U.S. government personnel and industry for Cyber Guard, which is co-sponsored by the Homeland Security Department and FBI.

"We actually had one of the National Laboratories bring in the actual industrial control systems – that were networked, and we brought it through the transport layer into the actual exercise environment," Lunday said. CYBERCOM members had to defend the machinery from a pretend, live opposing force.


“Now, this control system could have opened an access gate to a port facility,” while another “operated a machine control for the oil and gas plant, which resulted in the spillage in the scenario,” Lunday said.

Paul Nakasone, commander of the CYBERCOM Cyber National Mission Force, added: "If you’re there, it’s fascinating because you can actually see when it goes offline. I mean, it’s pretty powerful, right? 'Hey, you guys just failed,'" said Nakasone, whose division is responsible for aiding domestic network defense.

‘We Cannot Afford Failure’

While the fossil fuel spill perhaps was anticipated, it was not preplanned, a CYBERCOM official told Nextgov on background.

Having cyberwarriors watch the network go down speaks to Lunday’s earlier point: "We can afford to learn and fail in an environment like Cyber Flag, where in an actual operation we cannot afford failure."

Members of the 6-year-old CYBERCOM now are starting to maneuver as teams, Nakasone said, but they need this kind of shakedown year-round and it’s not fully operational.

The persistent training environment is designed to run scenarios for trainees, with colleagues role-playing adversaries and assessors watching. Aside from supporting DHS, CYBERCOM also defends military networks and supports overseas joint force commander objectives.

"But we don’t yet have a PTE where we can do this training on a continuous basis," Lunday said.

One CYBERCOM National Mission Force team member who participated in the drill said on background the virtual firing range "is necessary for us to grow and mature."

The 2017 House defense authorization bill proposes mandatory, specialized training for opposition troops who perform the role of Iran, China and other adversaries in the environment. The legislation stresses the importance of being able to tell the difference between actual and fictional network threats during practices.

Congress “recognizes that special arrangements will be needed to deconflict training from real-world activities that may happen on mission networks,” the legislation states. The Defense Department is urged to “address these kinds of issues in developing agreements with the combatant commands to integrate cyber opposition force training into continuous and ongoing training activities.”

All the same, the simulated cyberattacks are supposed to feel authentic.

"They say the finest steel is tempered in the hottest furnace," Lunday said. "That’s what we’re trying to get after in Cyber Flag."

The critical infrastructure perils CYBERCOM confronted in Cyber Guard continued into Cyber Flag, where key military allies – Australia, Canada, United Kingdom and New Zealand – joined in.

The point, Lunday continued, is "to create that crucible of a training environment, so that the lieutenant and the people he serves with are put under that pressure, so that when they get into an actual contact in cyberspace in DOD networks or off DOD networks, as the mission demands, that they are the best prepared and that what they find is actually not as hard as what they encountered in Cyber Flag."