Cybersecurity has become an ecosystem in which the public and private sector must work together to ensure safety. Recognizing this, the Army’s cyber think tank has staged an ongoing series of exercises looking at how domestic cities respond to major cyber incidents (and what testing the seams reveals about how the local infrastructure cybersecurity can affect overseas deployments).
The Jack Voltaic series, put on by the Army Cyber Institute (ACI) at West Point, is now in its third iteration. The next Jack Voltaic is looking not at one city, but at a whole region — Charleston, South Carolina, to Savannah, Georgia — and is also plugging into the Army’s Defender 2020 exercise. Defender 2020 will simulate a deployment to Europe and game how quickly Army units in the United States can get all their equipment there.
“The theory is something happens and you need the forces to go to Europe ... so you’ve got forces that are at Fort Stewart [Georgia] that are going to need to go through Savannah to deploy. You’re involving Savannah and you’re looking at the critical infrastructure that goes from the post to the port [and] the different ways that someone could disrupt the movement,” Col. Andrew Hall, director of ACI, told Fifth Domain during a July visit to West Point.
“You’re looking at what the attack could be on the city’s infrastructure to delay the arrival of the U.S. forces, because by delaying them a couple of days you’d be able to turn the tide on some activity you were trying to do within Europe.”
The fight to get to the fight
Overall, the Jack Voltaic series is aimed at empowering the local communities, building them up so they won’t have to rely upon the military to defend them in the case of a massive cyber incident.
“One of the things that we found is that with us working with our partnerships, we would have access to critical infrastructure with some of the different organizations to look and help figure out how do we defend because it’s much easier to enable a city to defend than to align the Army to defend the city,” Hall said.
In part, Hall said the series and associated research efforts came about as a way for the military to think about how to defend the nation as a whole from a cyber perspective, a top, yet challenging priority for U.S. Cyber Command.
While such an endeavor might appear to be more under the jurisdiction of a domestic agency, such as the Department of Homeland Security, rather than the Department of Defense, Hall said the unique research mission of ACI enables them to initiate the event as a research project feeding not only into the Defense Department, but also the local government sectors and others.
“The first [Jack Voltaic] we took a look at New York and it was not very tightly tied in to the military department, but we had a lot of first responders and we had some National Guard,” said Hall.
However, Jack Voltaic 2.0, in Houston, proved more to have more tight integration between civilian and military departments.
"We got a chance to really work with the National Guard, the governor’s office, as well as [Northern Command] and Army North to see what would happen in Texas,” said Hall.
Lt. Col. Douglas Fletcher, the lead planner for Jack Voltaic, said that the public-private partnership involved with the event is critical for ensuring a more holistic cybersecurity.
“It’s going out so that people don’t see me wearing green and say, ‘Hey, I’m the government, I’m here to help.’ They see me as Doug Fletcher, somebody who has a vested interest in improving their cyber resiliency,” he told Fifth Domain. “We’re going to be cyber resilient as a country, we have to be resilient at all levels.”
Fletcher noted that many major cyber exercises stop at the regional level neglecting the smaller scale cities and towns. But there’s a lot of critical services that, if denied or disrupted at the city level, could have reverberations up the scale, Fletcher said.
“That kind of thought process is what spurred … [ACI] to pursue Jack Voltaic,” he said.
Jack Voltaic 3.0
The next iteration of the event, Jack Voltaic 3.0, will occur in February 2020 and involve the Lowcountry region.
“You have two governors and we’re starting to look at some of these issues that would happen at the seam between a couple of states,” Hall said.
From the purely Army standpoint, Fletcher said what he wants feedback from Jack Voltaic to provide the service a better understanding of the critical infrastructure it relies upon locally.
“We know a lot about our defenses within the fort … But really when you go from fort to port you are reliant upon the civilian critical infrastructure,” he said.
“I’m not saying their posture is inferior, I’m just saying it’s unknown … If a commander knows that at a city level you have all of these dependencies and they’re all linked in some shape, way or form with this thing called cyber, it’s a big deal.”
Something like a ransomware attack on a port could delay equipment overseas for an indeterminable amount of time, so insight on how this might force goods and services to be redirected to another port — or what an overload for that second port looks like — could be invaluable and reinforce the ways and means cyber could be improved.
“What we’re really trying to provide the cities is an opportunity to exercise themselves if they have a cyber response framework to exercise that and given them a safe environment where they can get better at this,” Fletcher said.
“Getting those people on the keyboard, you may have a situation where maybe they’re not that good at it. We can give them an environment where they can get a little bit better but we can also give that environment that gives the leadership an understanding of this is what’s happening on the range, what decisions do you have to make.”