March 27, 2018

The Lessons of Cyber 9/12

By Jared Zimmerman

The Atlantic Council’s Cyber 9/12 Strategy Challenge is a series of worldwide competitions designed for undergraduate, graduate, and mid-career professional students that presents teams of four with an evolving, fictional (but realistic) cyber incident and asks them to assess the situation and prepare responses. The 2019 DC Cyber 9/12 Strategy Challenge, held at the Lockheed Martin Global Vision Center in Arlington, VA, on March 21 and 22, set its fictional scenario during the 2020 US census and unfolded across three rounds.

The first round saw an unidentified actor posing as the US Census Bureau (USCB) capture personal information—including credit card data, Social Security numbers, and ethnic origin statements—from an unknown number of Americans via a phishing email campaign, prompting public concern that census data was not secure. At the same time, an internal USCB audit revealed that census systems were vulnerable to intrusion, and unsubstantiated media reporting suggested that minority and lower socio-economic status individuals were disproportionately affected by the phishing campaign.

The second round saw an organic social media movement to boycott the 2020 census co-opted by an unknown actor, with the Intelligence Community establishing possible attribution to locations in either Russia or Venezuela as the source of the social media bot activity amplifying the movement. The exposure of a web of private companies mishandling personal data, including the data of prominent Europeans living in the US, further complicated the situation.

The third and final round revealed Russian malware on USCB systems and the death of the son of the German ambassador to the US under mysterious circumstances following the exposure of his personal information online. The competitors were judged by a panel of celebrity industry leaders, including Mr. Dmitri Alperovitch, Co-Founder and Chief Technology Officer of CrowdStrike; Maj. Gen. Jim Keffer, USAF (Ret.), Director, Cyber at Lockheed Martin Government Affairs; Ms. Madeline Mortelmans, Principal Director for Cyber Policy, Office of the Under Secretary of Defense for Policy at the US Department of Defense; and Mr. Kevin Smith, Chief Information Officer for the US Census Bureau, among others.

The judges eventually selected two winners: NDU Team 3 from the National Defense University for the professional track, and USAFA Delogrand from the United States Air Force Academy for the student track. Both teams were awarded tickets and travel to the International Conference on Cyber Engagement for their excellent work.

Even though the scenario was fake, competitors were able to draw very real lessons from it about how to assess a crisis, how to determine what levers of US national power to lean on in response, how to work alongside the private sector in a fluid situation, and how to deal with incomplete information.

Every competitor came away from the event with a different set of lessons learned, but three lessons should be universal:

1. Don’t get hung up on the “who did it?” at the expense of “what can we do?”

Attribution can be elusive in a cyberattack or disinformation campaign. Your gut will tell you that you need to know more about the situation and who’s behind it. A principal might pound the table demanding to know “who did this?!” Tasking the appropriate collectors to gather more information is certainly a useful first step, but it often isn’t enough. You should think broadly about the US national security enterprise and other sources of US national power. What role can the public and private sector play? You can often find a middle ground between doing nothing and swinging wildly at any actor you think might be behind an incident.

2. Know your customer and know what to tell—and not tell—them.

The fictional cyberattack scenario will tell you who you are briefing. How high up the chain are they, and what truly rises to the level of their attention? What does a person in their position expect to hear, and what aspects of the crisis directly involve them? In your brief, you’ll have to walk a fine line between demonstrating your subject matter expertise and giving your principal only what they need to know. It may suit you well to say “ma’am, you only need to concern yourself with X” or “sir, Y and Z are being handled by the appropriate authorities and we’ll let you know if anything changes.” And remember: if you wade too far into a subject you aren’t well-versed in, and you are being evaluated by a professional in that field, things may not go well for you. Be prepared to answer questions on these topics, but don’t lecture anyone.

3. Keep it snappy. Know what you know and what you don’t know.

Shave your sentences down to the bone. The scenario may only allow you a single page to distill thirty pages of background intelligence and media reporting. The real world will be much the same, but if it’s in a classified setting, you’ll likely lose half of that page to classification markings and warnings. Present your bottom line up front and make it a home run. Never overstate your confidence in assessing what has occurred. You may be tempted to say, “we know X,” but before you do, reexamine your sources. Can you trust them? A principal may only have ten minutes to listen to you, and she might get called away from your meeting two minutes in. When that happens, have you told her everything she needs to know and clearly delineated the knowns and unknowns?

The competition was made possible thanks to support from Lockheed Martin, Dell EMC, NATO, and Baker McKenzie.