APPENDIX D – LAW/POLICY TABLETOP EXERCISE (TTX)

Law/Policy TTX

The Law/Policy TTX was a planning workshop and mock exercise that occurred February 18–20, 2020. The first two days consisted of presentations by the ACI and various partners and critical infrastructure stakeholders from SC, GA, the federal government, and private industry, and the third day consisted of a mock exercise that covered turns 1–4 of the JV 3.0 exercise.

The goals of the Law/Policy TTX were to:

  • Identify support required at the municipality level and below;

  • Stress cross-jurisdictional information sharing;

  • Determine third-party support prioritization;

  • Identify thresholds for business continuity without the availability of technology;

  • Improve information sharing and discuss how to defeat misinformation; and

  • Set JV 3.0 up for success.

Day one of the Law/Policy TTX focused on partnerships. The ACI discussed the JV 3.0 scenario, stating that the intended effect was to have participants respond to a cybersecurity incident and then analyze their response, asking themselves whether the response would be effective, whether it was realistic, whether there would be obstacles to its execution, and with whom they should coordinate in executing it. Specific goals that were mentioned included improving cyber coordination among the JV participants and promoting the JV exercise overall. The importance of utilizing available federal cybersecurity resources was emphasized. In addition, the ACI encouraged participants to exchange contact information so that they would be better prepared for a genuine cyber incident.

The ACI gave an overview of the JV project as a whole. The institute stated that past exercises indicated that JV participants were generally not prepared for a cyber incident. The institute emphasized the importance of cybersecurity exercises and noted that a major goal of JV is to establish a cyber framework based on lessons learned from past JV iterations. The ACI noted that though it is a major step forward for cities to devote time and resources toward establishing a cyber command, cybersecurity exercises are essential if cyber commands are to be prepared for real-life cyber incidents. Other goals mentioned included helping cities with their critical infrastructure; helping cities identify available financial and personnel resources; and studying the likely effects of a cyber, physical, and informational attack on a port city.

Yet another goal discussed by the ACI was advancing cities’ understanding of the constraints, restrictions, and opportunities of municipal and federal law as they apply to the cities’ cyber incident response plans. For example, a city must understand Title 32 authorities, how they may be used to support cyber incident response, and their limitations in supporting a city’s response. Organizations must also be aware of the Antideficiency Act and the limitations of organizations’ roles in cyber incident response. The institute emphasized the importance of developing a team approach to cyber incident response and eliminating information silos, which may be created by laws, policies, attempts to preserve the good reputations of organizations, and questioning the “need to know” of others. The institute noted that though information sharing is necessary for a response plan, it is not sufficient; the information must be used to drive timely, relevant decision making.

Next, the importance of partnerships was discussed. The discussion emphasized the importance of information sharing among public organizations, among private organizations, and between public and private organizations. When organizations share information, they see cybersecurity from each other’s points of view, helping to foster a more comprehensive, collaborative, shared understanding of cybersecurity. However, there are obstacles to cyber information sharing: An individual may not have the appropriate security clearance, and organizations’ legal agreements may prevent certain information from being shared.

In addition, organizations must identify the partners who would be the most valuable in the case of a cyber incident. If two organizations share the same goal, they may wish to partner with each other, even if they belong to two separate sectors altogether. The importance of maintaining partnerships through quarterly meetings, dial-in meetings, and/or brown-bag lunches was emphasized.

Day two of the Law/Policy TTX focused on planning and leader training. The ACI provided a more in-depth discussion of cyber incident response and discussed the following vital steps:

  • Performing a risk assessment;

  • Prioritizing security issues;

  • Creating a communications plan;

  • Monitoring the network to identify cybersecurity breaches;

  • Gathering information on incidents when they occur;

  • Identifying the organizations that have the authority to address the cyber incident;

  • Identifying thresholds for notifying external organizations of the incident;

  • Containing and isolating the incident;

  • Investigating the cause of the incident;

  • Recovering from the incident;

  • Determining an appropriate time period for testing; and

  • Identifying lessons learned from the incident.

Next, the institute discussed the vital components of a cyber response plan. These include support from management and accounting, balancing the degree of detail with the degree of flexibility, knowing the organization’s stakeholders, and keeping the plan simple.

On day three of the Law/Policy TTX, a mock exercise was held that consisted of turns 1–4 of the scenario. The goal of the mock exercise was to refine the exercise scenario and maximize its usefulness to participants.

Execution TTXs

Over 200 individuals and over 60 organizations participated in the JV 3.0 exercise TTXs on September 22 and 24, 2020. Because the Charleston and Savannah exercises had been compressed into single, 1-day events, time only permitted turns 4–7 to be executed. Participants utilized the DECIDE® platform to receive scenario injects and Microsoft Teams to communicate across the tables containing the representatives from the respective industries and sectors (for example, DoD, non-DoD, and the energy sector).

ACI’s TTX facilitator asked discussion questions about participants’ hypothetical reactions to the scenario, whom they would contact, how they would be sharing information about the incident, the legal authorities that would govern their responses, and authorities that do not exist but would be helpful in the given scenario. The questions were usually directed at specific tables so the ACI could ascertain the actions that the given sector would be taking (or not taking) in response to the injects. The questions led to discussions among participants about their respective organizations’ capabilities, legal authorities, incident response plans, etc.

Following the TTXs, the ACI conducted an After Action Review; debriefed participants; and encouraged them to continue to stay engaged, network with one another, and analyze their organizations’ capabilities to prepare for a Cyber Worst Day scenario.

