7. CONCLUSION
Cybersecurity is critically important for the United States now, and it will continue to be so in the future. Increasing threats from criminal and nation-state actors reinforce the growing need for collaboration, communication, and a whole-of-community approach to defending and responding to cyber incidents. Effective defense does not come without a cost; it requires significant planning, exercise, and leadership—leadership at all levels, but, particularly, leadership inherent to organizations with large reach and impact. The new presidential administration’s emphasis on cybersecurity, including recent appointments to the National Security Council and ongoing enhanced collaboration between DHS and the FBI as they work toward joint, proactive operations, indicates that leadership at the highest levels is taking positive steps toward this effective defense.
Despite these positive steps toward cyber defense, gaps still exist in coordinating and resourcing municipality and private critical infrastructure resilience. The ACI’s JV series helps municipalities, counties, and critical infrastructure stakeholders improve their resilience through exercising their cyber incident response plans and improving their communication networks. The ACI has now completed three iterations of JV and placed significant emphasis on preparation and planning. The JV series provides an essential training and exposure venue to many small and medium-sized government agencies while enhancing the Nation’s ability to respond to a cyber crisis.
Findings from JV 3.0 highlight the value of the event to the U.S. Army in planning force projection and helping cities and counties improve their cyber incident response and information sharing. This research reinforces critical concepts of preparation that impact force projection, including whole-of-community participation, interdependency comprehension and communication, and the perpetual merit of exercises with multiple critical infrastructure elements. Moreover, this most recent iteration of JV demonstrated that any distinction in municipality size is void when it comes to the potential for national and strategic implications stemming from a cascading cyber incident. Though JV 3.0 provided new insights into cyber incident response, it also identified several findings similar to those of previous iterations:
- There is no clear threshold for the declaration of a potential critical cyber incident;
- Traditional incident response continues to be more mature than cyber incident response; and
- Cross-sector communication continues to be a challenge.
The consistent theme of these findings throughout the JV series not only necessitates the continuation of multisector events, but also the enhancement and evolution of the program. Not only do the recommendations of the current and past iterations of the JV program provide an immediate way forward, but they also serve as a strong foundation for future cyber exercises that are likely to occur on an even more expansive scale. The Cyberspace Solarium Commission Final Report highlighted the importance of cyber exercises and recommended expanding coordinated cyber exercises and establishing a biennial national cyber TTX.[42] These goals were furthered when they were addressed in the National Defense Authorization Act for Fiscal Year 2021, which calls for a biennial exercise that would involve federal, state, private sector, and international stakeholders.[43] The execution of JV has demonstrated the necessity of including local and private industry partners in these exercises and provided an example for how to accomplish coordination at all levels. The continued evolution and expansion of the program is a critical element in our national effort to establish and maintain a robust cyber defense and response capability founded on partnership, collaboration, and communication. To be prepared and organized in advance of the next big event, critical infrastructure stakeholders, including the U.S. Army and the DoD, must continue to evolve. Practice is a critical and essential component of that evolution, and JV is a proven and effective foundation for that practice.

[42] U.S. Cyberspace Solarium Commission, Cyberspace Solarium Commission Final Report.
[43] National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283 (2021).