The day after: Preparing to respond to national cyber crises

Given that all entities are susceptible to being hacked, how will (not would) a federal government like that of the United States respond to the potential compromise of a critical asset like the Global Positioning System (GPS)? For the fourth year in a row, the Atlantic Council has been at the forefront of proactively tackling such cyber-related national security policy challenges by hosting the Cyber 9/12 Student Challenge. The Military Cyber Professionals Association (MCPA) and its members were honored to recently conclude its second year of direct support to the event. Having served as a reviewer, presenter, and judge at the event, here are some reasons why I look forward to the event’s continued growth.

Influencing policy takes time.

This event scenario charges each team of four to present policy response options to the National Security Council (NSC). Any national level crisis response requires a reallocation of available resources (money, personnel, intelligence assets, etc.), if not lengthy requests for more resources before Congress. Given the hierarchical nature of policy making and resource allocation within the US government, each echelon involved exacts a delay in responsiveness by applying their own decision-making processes. The result is what some in military circles refer to as an elongated “flash to bang time” that increases the risk of failing to achieve the desired response objectives. Simulations, table-top exercises (TTX), and/or Rehearsal of Concept (ROC) Drills are well known and effective ways to help identify the actions, structures, or capabilities needed to be better poised to respond to the realities of operating in an increasingly dangerous cyberspace environment.

While the building of entities like US Cyber Command (USCC) and the National Cybersecurity Center of Excellence (NCCoE) are good examples of national efforts to optimize responses to anticipated challenges, one must consider the dimension of time. While USCC was officially established about seven years ago (not counting a probably lengthy staffing process preceding the final decision and public announcement), its subordinate Cyber Mission Force (CMF) is still years away from being fully built out and ready to effectively serve in its intended role. Anybody who has ever built a team of any type, be it in little league baseball or in Silicon Valley startups, understands that assembling the pieces (personnel, real, estate, equipment, etc.) is only the first step in a long process of making that team effective. The Cyber 9/12 Student Challenge serves as just the type of exercise that gets policy wonks, technologists, and the elusive cyber-wonk hybrid to think seriously about such issues and produce innovative solutions well before they are needed.

Presentation by team from the US Military Academy at West Point

Diversity really matters.

This event is exceptionally inclusive, welcoming teams from the Ivy League, completely online schools, military academies, historically black universities, Middle America, and the coasts. The sharp undergraduate competitors, sometimes including teenagers, gave many mid-career graduate students some serious competition. While this article focuses on the American branch of the competition, the Atlantic Council’s European-based competition includes teams from places such as the United Arab Emirates. Such diversity of perspective is not only a good idea, but it is necessary to harvest the best concepts from a greater pool of brainpower.

Leveraging insights from science, like the Strength of Weak Ties argument, we can better understand how inclusive events like this draw upon the ideas of groups that may have otherwise never come into contact with one another. Ideas then emerge that can help better inform policy, since there is such a thirst for fresh approaches within the hallowed halls of Congress, the White House, and beyond.

We need to remember that the population of personnel within our national security apparatus that are read-in to a wide range of national-level capabilities (which may have been developed over years of substantial taxpayer investments) is necessarily small, since risk of disclosure (intended or not) increases with each individual. That small population is made further miniscule when considering how many of them actually understand those existing capabilities from a technical grounding and from what is sometimes referred to as “the art of the possible” (requiring years of prior education and experience). Short of actually being read-in to such capabilities and knowing the ins and outs of the NSC, this competition incentivizes a broad array of students to consider such scenarios before they find themselves in a position to offer real world solutions. This competition gamifies the process of learning about what may otherwise be seen as somewhat intimidating material.

I, and many others, can attest to the real world returns on previous investments made in academia. The beauty of this being a competition for students is that it gives the competitors a level of freedom and time to think about what the correct response should be, instead of being forced to make a quick recommendation in a more operationally-focused environment surrounded by personnel that value decisiveness and who may have little understanding of technology. Efforts such as the Cyber 9/12 Student Challenge ultimately grow the currently finite pool of personnel that are fluent in the ways of cyberspace, as well as national security policy.

Retired Major General John Davis (left) and J. L. Billingsley (right) recognize the “best military team”

We are among friends.

The widespread support for this event by members of the MCPA is a point of pride in the American military cyber community, as well as clear evidence that the event is consistent with the noble ideals of the MCPA. A sense of great comfort came over me as I took the podium at American University’s School of International Service to congratulate the competition’s “Best Military Team,” since I was surrounded by supportive colleagues, new and old.

For example, Major General John Davis (Ret.) not only served as a VIP judge in the final rounds of the event and awarded the “Best Military Team” the Order of Thor medal, he is also a member of the MCPA Board of Advisors and has played a critical role in the organization’s ongoing success. Jay Healey, also an MCPA Advisor, this year served as coach of the team from Columbia University’s School of International and Public Affairs. It was under his leadership as Director of the Atlantic Council’s Cyber Statecraft Initiative that the Cyber 9/12 Student Challenge was first developed.

Spectators and judges, including MCPA Chief of Staff Sana Saleh, listen to a presentation

Other team coaches included very active MCPA members. For example, the coaches from Air University (Dr. Pano Yannakogeorgos) and Harvard University (Dr. Michael Sulmeyer) have been involved in the production of the MCPA’s peer-reviewed journal, Military Cyber Affairs. Two coaches from National Defense University (Dr. Carl Horn and Dr. Alex Crowther) have both played active roles in MCPA outreach activities in our nation’s capital. Compounding the honor of serving as a judge alongside the biggest names in the cyber policy world, other MCPA members served as fellow judges, including Sana Saleh (MCPA Chief of Staff) and Dr. Aaron Brantly (Army Cyber Institute Policy Fellow).

Presentation by team from the US Naval Academy at Annapolis      

With the increased participation of teams from military affiliated schools (including the academies at West Point and Annapolis), this was the first year that the event organizers invited the MCPA to recognize the best military team. True to MCPA traditions, the winners (from Air University) were awarded the coveted Order of Thor medal. This medal is used to recognize excellence in the American military cyber community. The mythological warrior Thor, who adorns the medal, wields the hammer – a tool with the power to both build and destroy, which are characteristics shared by cyberspace.

The winning team from Air University wearing the Order of Thor medal, joined by Jay Healey, retired General Norton Schwartz, and other colleagues

Through the Cyber 9/12 Student Challenge, the Atlantic Council has made a true contribution to raising the level of the discussions surrounding cyber conflict. It is increasing the pool of those who have invested real effort in understanding both the relevant technological and policy environments. When considering the ancient truism that people fear what they do not understand, and (as Yoda teaches) fear ultimately leads to suffering, this event may actually lower the risk of unnecessary conflicts. For all the reasons discussed above and more, I look forward to the continued growth of this important effort.

J. L. Billingsley is Founder of the MCPA, Advisor of the Cyber Security Forum Initiative, Fellow at the Center for Network Innovation and Experimentation, PhD student at the Naval Postgraduate School Information Sciences Department, a graduate of programs at both the Army and Naval War Colleges, and serves as an officer in the US Army. The views and opinions expressed above are those of the author and are not those of the USG, US Army, or any other organization. All images are courtesy of the Atlantic Council photographer, Nuri Jeon.