  1. APPENDIX B – PARTNERS
    1. B.1. Partners
    2. B.2. Core Partners
      1. B.2.1. City of Charleston
      2. B.2.2. City of Savannah
      3. B.2.3. FTI Consulting
      4. B.2.4. NUARI/DECIDE®
    3. B.3. Major Contributors
      1. B.3.1. Intrepid Networks
      2. B.3.2. FirstNet/AT&T
      3. B.3.3. The Citadel
      4. B.3.4. Savannah Technical College
      5. B.3.5. Blank Slate Solution

APPENDIX B – PARTNERS

B.1. Partners

The ACI works with partners with mutual interests that aim to resolve similar issues. Preventing future cyber-related crises can become a reality through establishing public-private, academic, and industry relationships with relevant experts. Furthermore, JV 3.0 and Jack Pandemus would not have been possible without these partners.

The following sections elaborate on the ACI’s JV partners and their respective roles in JV 3.0.

B.2. Core Partners

B.2.1. City of Charleston

For the City of Charleston, participating in JV 3.0 was a positive experience, and the takeaways were extremely valuable. The presented scenarios allowed for the opportunity to examine current procedures within the city’s operations, assess potential shortcomings, and identify possible communication links that could be established both within the city and with external, regional organizations. Better communication with these agencies would provide for enhanced situational awareness of events in the region and, potentially, earlier detection of a coordinated event involving multiple targets. The exercise also allowed for a detailed exploration of the procedures that would be utilized to notify SLED and the SC Critical Infrastructure Cybersecurity program of a potential or active cyber event. Charleston would use these procedures to request assistance from state agencies and coordinate the notification of federal agencies. Perhaps the most valuable benefit of the exercise was the opportunity to create working relationships with other security professionals. The face-to-face interactions during the planning meetings provided participants with the chance to introduce themselves to colleagues with whom they did not normally interact. As a direct result of the exercise, Charleston cybersecurity staff and other regional professionals created a working group to exchange ideas and information about challenges they face in their respective environments.

B.2.2. City of Savannah

The City of Savannah, GA, was involved early in the planning process. Led by the City of Savannah emergency management director, the IT, emergency preparedness, fire, and water resources departments became significantly involved in the planning. Savannah’s emergency manager and IT department served as the city’s points of contact for the exercise, introducing ACI to critical stakeholders in the area. In addition to supporting and attending the ACI meetings, Savannah held its own internal meetings to discuss and determine participation. The city also finalized its Cyber Incident Annex as part of its preparation. Savannah had 18 personnel from multiple agencies participate in the Rehearsal of Concept (ROC) Drills and exercise. The local police department participated in the ROC Drills, but it could not make the final exercise because its participation was preempted by a real-world incident.

Savannah considered the JV exercise to be a success for the city. Its well-established and well-developed relationships with local stakeholders—mainly, other government entities—and effective internal communications proved to be advantageous during the exercise.

The exercise also provided Savannah with opportunities to examine its protocol regarding cybersecurity, including the following recommendations for the future:

  • Savannah needs to identify and engage additional community partners (e.g., private sector organizations and utilities) well before an incident occurs.

  • Personnel staffing and role assignment were issues because the same people potentially fill multiple functions in incident response.

  • Savannah identified areas where the city’s IT department needs to be engaged prior to an incident. These areas relate to department-specific needs, such as:

    » Researching how the fire department’s mobile data terminals might be impacted by a complete communications blackout; and

    » Examining how a complete communications blackout might affect the city’s water and sewer resources’ networks, including SCADA and other systems.

  • Savannah acknowledged the need to conduct follow-on exercises to address gaps and assemble a whole-of-community response.

Savannah’s IT department identified the following as areas for improvement:

  • Check agreements and contracts for the parameters of cyber incident response support.

  • Ensure continuity of operations for the city data center during a long-term power outage.

  • Strengthen city policies regarding the doxing of employees.

  • Examine how attacks would affect the city as a whole and what external partners would need to be notified. For example, Savannah’s IT department believes it must address potential cross-system issues between the city network and isolated networks, such as SCADA and traffic management systems.

B.2.3. FTI Consulting

FTI Consulting is a global business advisory firm dedicated to helping organizations manage change; mitigate risk; and resolve financial, legal, operational, political and regulatory, and reputational and transactional disputes. The ACI partnered with FTI Consulting’s Cybersecurity team, which takes an intelligence-led, expert-driven, strategic approach to global cybersecurity challenges affecting organizations through a trusted core of comprehensive offerings. This enables clients of any size to address their most critical needs and integrate new solutions atop or alongside preexisting policies and programs to address cyber threats.

FTI Cybersecurity was introduced to the ACI and JV 3.0 through existing relationships with FTI Cybersecurity personnel and members of the DoD. When the topic of JV 3.0 arose, FTI Cybersecurity welcomed the opportunity to support the ACI in the implementation of this innovative research project, confident that it had a significant ability to leverage its cybersecurity expertise, global representation, and professional consultancy to enhance research exercise development and implementation.

Representing the private sector and the cybersecurity industry, FTI Cybersecurity partnered with the ACI to cosponsor JV 3.0. More than a dozen FTI Consulting team members, including senior executives and segment subject matter experts, participated in JV 3.0.

Private sector collaboration on this venture served to enhance the ACI’s capabilities, ensuring successful implementation of the TTX and the development of strategic partnerships in defense of the Nation’s critical infrastructure.

Before the pandemic and once pandemic measures had been implemented, FTI Consulting worked with the ACI to complete several critical elements of the project, including but not limited to:

  • Planning for and recruiting participants and recommending additional regional and local partners from SC and GA for the exercise.

  • Collaborating on and shaping the key concepts and planning considerations for the exercise, including:

    » Setting the exercise foundation by reviewing guidance, training exercise plans, and other sources;

    » Selecting participants for the Planning Team and developing a plan of action and milestones;

    » Developing exercise-specific objectives and identifying core capabilities; and

    » Contributing to the exercise manual and the facilitator/controller handbook.

  • Drafting the exercise scenario and significantly contributing to event and inject development.

  • Providing input for the development of a research proposal, executive information sheet, Army objective information sheet, JV 3.0 technical report for senior leadership, JV 3.0 technical academic report with lessons learned, and After Action Review summary.

  • Engaging in a collaborative review of jurisdiction-specific threats and hazards; areas for improvement; external requirements, such as state or national preparedness reports; homeland security policy; and accreditation standards, regulations, and legislative requirements.

  • Planning and supporting the Law/Policy TTX, including leading the discussion and presentation on cyber insurance.

  • Supporting the execution of Jack Pandemus, a distributed functional exercise in support of JV 3.0.

  • Supporting the planning of the LFX, though it ultimately did not occur because of complications arising from COVID-19.

  • Developing and executing a communications outreach plan, including coordinating with Cyberscoop for an interview.

  • Incrementally increasing staffing as the exercise requirements increased. FTI Consulting continually added support as additional requirements arose, including the provision of moderator support for Jack Pandemus and JV 3.0.

  • Providing video development for the Executive Out-Brief.

Also, prior to the pandemic, FTI Consulting sponsored Distinguished Visitor (DV) Day, which would have included keynote speakers, staffing support, and food services at both venues. Once the JV event switched to virtual execution, DV Day became the Executive Out-Brief, for which FTI Consulting conducted the scenario presentation and supported the development of briefing materials.

B.2.4. NUARI/DECIDE®

NUARI partnered with the ACI for JV 3.0. NUARI is a 501(c)(3) non-profit that serves the national public interest through the interdisciplinary study of critical national security issues. It is partially funded by DHS and the DoD and federally chartered under the sponsorship of Senator Patrick Leahy. NUARI provides cyber exercises; secure network monitoring; and custom consulting, research, and education through many avenues, including its DECIDE® exercises.

Initially conceived and started independently by NUARI and developed with funding from DHS, DECIDE®—an exercise platform—simulates cyberattacks and natural disasters for organizations and their partners to stress and test incident and emergency response plans, resulting in after-action reports that lead to improved strategic communication, compliance, risk, and overall resilience. The DECIDE® platform has been a trusted cybersecurity LFX solution for more than 10 years.

How DECIDE® Works

The DECIDE® platform powers LFX-based scenarios to help decision-makers in critical infrastructure sectors, private industry, and government to exercise their abilities to effectively prepare for and respond to cyber and emergency response incidents in a fully distributed environment. DECIDE® exercises allow users in a variety of geographic locations to conduct collaborative, realistic, fully immersive, scenario-based exercises where the consequences of each action feed back into the exercise. The exercises are designed to help players understand the systemic ramifications of their actions and improve communication during potential high-stress threat events. DECIDE® also supports and facilitates discussion-based TTXs for much quicker and easier capture, review, and analysis of the exercise for immediate use upon completion.

When participants log in, they have access to three panes: the Communication pane on the left, the Information pane in the middle, and the Actions/Questions pane on the right. NUARI’s development team loads the exercise into the tool from an MSEL and roster. At the top, the day and time are displayed and can be advanced by minutes, hours, days, weeks, or years. This allows the exercise to simulate a multiday event and document responses, actions, and notes from participants at certain times. When an exercise is complete, the tool will have captured the relevant information associated with the exercise. The tool then organizes the information chronologically for easy analysis and evaluation of the results.

Figure 16: Once participants logged into DECIDE®, they loaded this three-pane screen to view the Communication (left), Information (middle), and Actions/Questions (right) panes.

The ACI and NUARI initiated the partnership in January 2020. NUARI joined the ACI’s first planner workshop in Savannah, GA, 4 days after the first call. DECIDE® provided the platform for a fully distributed, 8-hour exercise for the cities of Savannah and Charleston. NUARI also worked frequently and closely with the entire Planning Team on a weekly basis. It was an enjoyable experience for the NUARI team, and the organization gained valuable insights working with the different exercise planners from the organizations involved.

Due to COVID-19 travel and distancing restrictions, exercise execution with participants in the same space was not feasible. Without DECIDE®, execution of JV 3.0 in 2020 would not have been possible. Because DECIDE® was created to facilitate distributed TTXs and LFXs with participants in a variety of geographic locations, it was a natural transition for the DECIDE® tool to facilitate the execution of the full JV 3.0 exercise from a remote, or distributed, position.

DECIDE® equips organizations, exercise divisions, consulting organizations, the military, and governments with the ability to exercise any type of response plan through a discussion-based TTX or full-scale functional exercise in a remote, or distributed, modality. It captures information that describes objectives set for the exercise and outlines them, allowing for analysis and prescriptive discussion to take place in order to improve resilience. It saves time for the subject matter experts facilitating the exercise and provides timely and meaningful information for the participating organizations. DECIDE® brings actors from across sectors, geographies, and roles together into a distributed environment to facilitate participation in critical infrastructure exercises.

B.3. Major Contributors

B.3.1. Intrepid Networks

Intrepid Networks provides both products for mission- and business-critical operations and custom development services—including the development of unique software applications, embedded firmware design, and low-cost communication hardware—for government agencies. Its flagship solution, Intrepid Response, is a FirstNet-certified and affordable web and mobile situational awareness software platform for day-to-day and emergency operations. Mapping, information sharing, team mobilization, emergency notification, and push-to-talk voice communications are integrated into an easy-to-use and deployable solution, enabling instant team communication, coordination, and collaboration over a common operating picture. Intrepid Response is uniquely designed to support users in the field engaging in day-to-day operations and incident and emergency management, base security, and surveillance operations.

Designated as the JV mobile situational awareness and collaboration software platform, Intrepid Response provides a common operating picture across federal, state, and local government and civilian organizations for coordinated response to cyberattacks.

For JV 3.0, Intrepid Response provided a turn-by-turn common operating picture of events that unfolded as a result of organized cyberattacks in the cities of Charleston and Savannah. The Intrepid Response capability enabled the rapid recognition of seemingly random events as having resulted from a persistent and coordinated cyberattack. This rapid recognition was shown to be instrumental for disparate stakeholders across federal, state, and local agencies to rapidly recognize, launch, and execute a coordinated, collaborative response while maintaining a real-time common operating picture.

B.3.2. FirstNet/AT&T

As described in section 4.5.6, FirstNet, built in partnership with AT&T, is a Nationwide public safety broadband network that delivers interoperability for all first responders across agencies and jurisdictions. A common platform that was designed with and for first responders, FirstNet is addressing the needs resulting from extremely fast-paced technology development coupled with government IT infrastructure limitations in handling the increasing demand for capacity, better coverage, and stronger security.

AT&T was originally going to provide a full suite of FirstNet equipment for the JV 3.0 exercises before the pandemic forced the events to move to a virtual format. AT&T, however, still provided a team of subject matter experts to participate in both planning and execution of the exercises. As a result, the team discovered the disaster response communications needs and limitations of local and state governments and how FirstNet can be applied to strengthen emergency response.

During the exercises, the AT&T team was afforded a unique view into city IT operations from both a cybersecurity and a staffing perspective. It became clear that though the players were willing and able to grasp new ideas and technologies, additional education, training, and network upgrades are needed to enable disaster response communications to benefit from technologies like FirstNet and other wireless technology advancements.

The fifth generation of cellular wireless technology, 5G, has the potential to offer massive connectivity and faster speeds that can transform how public safety and emergency response operate. AT&T is already working with the First Responder Network Authority on the best way to make 5G available to first responders. Other network upgrades that will support 5G include increasing capacity and coverage, adding fiber-optic infrastructure, enhancing the core network to support lower network latency (for a faster overall network), and adding tower equipment that can be upgraded through software.

The JV 3.0 exercises highlighted the vulnerabilities of municipality and other stakeholder IT security systems as well as the heightened threat environment and consequences of hacks and breaches. Network security is particularly crucial for public safety systems like FirstNet. Although 5G will allow for more innovation and efficiency, it will also require enhanced security measures. The network is the engine that keeps agencies and organizations running. For effective emergency response and operations in general, it is crucial for local and state governments to leverage multiple layers of security across applications, devices, networks, and platforms. This redundancy will help reduce the risk of exposure to attacks, whether they occur within or outside the network.

The Internet of Things is a network concept that can vastly improve agency operations by facilitating a rapid growth in the number of connected devices and sensors on everything from borders to buildings. AT&T Control Center, an automated connectivity management platform, can manage and monitor data generated from, and the connectivity of, Internet of Things devices enabled with FirstNet-capable subscriber identification modules over the Nationwide public safety broadband network in near-real time. Control Center for FirstNet is a cloud-based platform that simplifies the deployment and management of connected devices and Internet of Things solutions for public safety entities through diagnostic and automation capabilities, multilayered security, service reliability, and usage monitoring.

JV 3.0 illustrated that reducing the complexity and cost of fighting cybercrime is an imperative, yet daunting, task. Local and state governments should become educated on and invest in resilient and redundant systems so that they may continue operations in the face of disruptive or destructive cyberattacks on their networks. FirstNet can transform the emergency management environment through the priority connectivity needed to protect local communities and support those who protect our homeland.

B.3.3. The Citadel

The Citadel, located in Charleston, SC, offers a classic military college education for young men and women focused on leadership excellence and academic distinction. The Citadel, which is recognized as a National Center for Academic Excellence in Cyber Defense Education by the National Security Agency and DHS, established the Center for Cyber, Intelligence and Security Studies in 2016.

The Citadel hosted a JV 2.5 workshop in Charleston on May 21, 2019. The college worked with the ACI to organize the workshop. In addition, faculty from The Citadel supported the planning efforts, attending the JV 3.0 Initial Planning Meeting in Augusta, GA, on July 9–10, 2019; numerous planning workshops; and the ROC Drill for Charleston on September 8, 2020. Faculty and students from The Citadel participated in the exercise itself, serving as both participants and data collectors.

B.3.4. Savannah Technical College

Savannah Technical College (STC) serves coastal GA by providing quality, market-driven technical education at campuses in Chatham, Effingham, and Liberty counties. STC is a proven, reliable source of cybersecurity experts: It has a 99.1-percent job placement rate, with 94.6 percent of its students employed in their respective fields of study, according to a survey conducted in academic year 2019. Under the direction of Lt. Col. Scott C. Scheidt, USA (Retired), the Cybersecurity Workforce Education Center was launched in 2020 as a multidisciplinary cyber defense education center to meet the growing demands of the national cybersecurity workforce shortage and provide training support along with cyber-related advisory services to municipal and industry partners in the area. The Cybersecurity Workforce Education Center offers degrees with the following specializations: computer support specialist, networking specialist, cybersecurity, and cyber forensics technology. In addition, STC has built a cyber range with the help of a federal Perkins grant that will support cyber workforce training.

The ACI and STC began working together in January 2020. STC provided academic advisory support and facilitated face-to-face meetings prior to COVID-19. Also prior to COVID-19, the ACI and other key partners completed a site visit and approved STC as the on-site location of the Savannah JV 3.0 exercise.

When COVID-19 caused a change from face-to-face to virtual execution, STC offered to provide a cadre of data collectors from the Cyber Workforce Education Center. More than 15 students registered to help as data collectors for the Savannah iteration of the exercise. This not only facilitated success for JV 3.0 data collection, but also allowed students to gain valuable knowledge and insight into cyber readiness needs and methods that the students perhaps would not have received otherwise. The data collectors are now knowledgeable advocates for cyber readiness exercise planning and integration. In addition, faculty from STC served as members of the DV Day and Scenario Design and Execution OPTs. In the future, STC will collaborate with the ACI to incorporate the JV experience into training exercises in the coastal GA region.

B.3.5. Blank Slate Solution

Blank Slate Solution of Mount Pleasant worked to establish critical connections to local and state government that enabled the ACI to develop and execute JV 2.5 and 3.0. The company collaborated with the ACI on all events to ensure that participants received the greatest understanding of and appreciation for information warfare response and policy. The company also served as a member of the JV 3.0 data collection team. Blank Slate Solution will continue to push for additional commitments from other entities in support of future JV efforts.

