Military training exercises should incorporate cyber offense teams into the full scope of the exercise so that commanders can experience the real pain that a cyberattack can cause their operations, according to military cyber experts who spoke in a panel at the 17th annual C4ISRNET conference May 10.
“All my best lessons in life involve pain; those are the ones that I remember,” said LTC Christopher Walls, deputy director for strategy and policy at the Department of the Army’s Cyber Directorate.
“At some level, we have to make a senior leadership decision of that’s exactly the training objective we’re going after, because until that commander really loses the battle because he didn’t appropriately defend his network and he has to deal with that for 24 hours, I’m not sure that we [are fully] convincing people of the importance of it.”
According to Master Gunnery Sgt. Carlos Torres, senior enlisted advisor of the Cyberspace Division for the Deputy Commandant for Information, cyber training operations often occur within a closed or limited scope so as not to negatively impact or derail the larger training exercise.
As Brett Barraclough, executive director of Cyber and IT Solutions at ManTech put it, if you’re spending $10 million a day on fuel, you don’t want to lose a day of training because the network has been taken down in an offensive cyber operations attack.
However, according to Torres, it is just that lost day of training that prepares commanders and their teams for the realities of a cyberattack in the field.
“How do you make that real so that they can understand when the weapons system does not work because the network is impacted? That’s going to happen. At some point, things are not going to happen the way you thought they were,” said Torres.
He explained that how commanders emotionally deal with that strain and how they use their teams to either address or circumvent the downed network is an important aspect of preparation for real operations.
Experiencing the stress of a downed network also helps to convince senior leadership of the importance of defending their systems as part of their overall preparedness.
Walls said that commanders have to understand that the security of their systems does not exclusively fall on the staff specifically assigned to communications and computers.
“It’s not ‘his responsibility’ — you can’t delegate that responsibility, commander. It’s your responsibility to ensure the security of your networks, because it is your war-fighting platform. We cannot conduct modern military operations without our networks; therefore, it has to be a commanders’ critical priority,” Walls said.
All three panelists agreed that there was still an important role for cyber ranges, where teams could go at each other’s networks without worry of impacting larger operations.
“When you go on a cyber range, offense and defense can play live,” Barraclough said, explaining that, unlike physical weapons ranges, cyber ranges allow teams to fire cyberattacks directly at each other without fear of actual damage.