Promoting Preparedness

By Alexa Wehsener on April 7, 2020

At the Institute for Security and Technology, we do not accept the argument that there is a divide between technology companies and Washington D.C. Quite simply, there are differing cultures across all domains — we embrace that fact and thrive on it. More importantly, we accept that technology is moving faster than policy can keep up — which requires earnest, trustworthy venues for the honest exchange of ideas and tools.

As part of our suite of solutions to these challenges, IST conducts public-private cybersecurity tabletop exercises (CTTXs) to examine current trends and potential future crises. These games force players to actively imagine what is possible, question their assumptions, and collaborate with others outside their comfort zones. We aren’t the only ones who do this — but our approach is a reinvigorated approach to solving 21st century challenges through a time-tested and proven method.

These simulations require participants to respond to complex national-level contingencies driven by cyber attacks, but also to consider their actions and solutions in light of much broader consequences that demand public-private collaboration. This means vertical integration between network operators implementing ground-level technical solutions and government officials responsible for higher-level public protection, geopolitical responses, and policy decisions. At the same time, players must reach out horizontally across sectors to coordinate their response, share information, and utilize all available tools — even devise new ones. Perhaps most importantly, the exercises build the trusted personal relationships and deepened understanding across sectors that are necessary to be prepared at all levels to face the inevitable crises of the future.

The exercises are teaching us valuable lessons. We have routinely found that the introduction of a geo-strategic lens is at odds with typical industry technical and business approaches. In large part, players from industry excel at what they do best: protecting their customers and dealing with technical problems. Stepping out from this tactical and technical level of thinking to broader, more strategic considerations is important and often challenging. Vice-versa, those attending from national security policy circles tend never to have seen how security companies actually manage a crisis — to include seeing just how rapidly and effectively massive online threats are addressed and ameliorated by networks of trusted actors across industries — usually before many national security professionals are aware of the problem. Our CTTXs tie together the strategic and tactical levels in dynamic ways to encourage participants to actively practice and develop new relationships, ascertain and learn about new tools, and otherwise break the mold of existing assumptions about threats and solution sets.

In 2019, IST hosted several different Distributed Denial of Service (DDoS) -centric CTTXs. Participants often push back against a scenario when they feel that certain elements are so unrealistic that they cannot place themselves within the scope of the game. By combining open-source research with information from subject matter experts within our network, we produced a scenario that participants found not only plausible, but highly likely to actually occur in the ‘real-world’. Our game designs incorporate flexibility, allowing for small scale to massive engagements, and are built and run by teams that are composed of highly-regarded subject matter experts who make these games as real as imaginable. This experience and expertise enables technical deep dives and realistic injects throughout our games — keeping us technically honest while challenging the assumptions and standard relationships that experts tend to rely on in real-life crisis scenarios.

Part of IST’s mission is to build ever-stronger relationships between the public and private sectors. Threats are too broad and increasingly at such a velocity, we cannot think otherwise. As a non-profit operating at the nexus of technology and global security, IST engages leading experts through various means — including these unique exercises. The real value of these exercises rests in building greater levels of trust. Tabletop exercises force participants to actually do something challenging, together, and to think critically in unorthodox ways. While these exercises are run to address real-world issues, they are done so within the confines of a ‘game’ where mistakes do not result in large-scale consequences. As the threat environment continues to intensify, it is best we build this trust, and these relationships before we are confronted with these crises in the ‘real world’.