Inside the Pentagon's cyber war games
Tom Patterson, a participant in the Pacifica games, describes what DOD can learn
- By Tom Patterson
- Oct 12, 2010
Under a constant canopy of low-flying nuclear-capable B-52s, the brand new Cyber-Innovation Center in the shadow of Barksdale Air Force Base in Bossier City, La., provided the perfect setting for the Pentagon's latest cyber challenge — a public- and private-sector exchange focused on leveraging “the art of the possible” in a cyber war game setting. Unlike the war-games or exercises prepared for by Barksdale's nuclear strike force — the Global Strike Command — these cyber war games, held in September, help prepare America for a different type of battle altogether.
Not just Xbox anymore
Just to be clear, these war games are about the real effects of a cyberwar, not bloody Call of Duty avatars or losing your Second Life. This is about clever bad guys using bits and bytes to confuse, dissuade or shut-down people and systems, on the battlefield and across America.
This is also about making planes fall from the sky, ships sink or drift at sea, and cutting off forward deployed troops from their lifelines. This is about causing chaos in our streets at home due to sudden crashes in our critical infrastructure through manipulation of our banking, transportation, utilities, communications, and other critical infrastructure industries.
These are all real scenarios being considered both by the United States, our allies and our adversaries. These cyber war games are in place to ensure that we consider everything, get awareness to what capabilities exist and prepare for it in the event it's ever used against us.
Next: A secret weapon
A different kind of game
War-games usually start with a story-board, where two teams — Red for bad guys, Blue for good guys — are presented a fictional scenario and face off in a simulated conflict over some time-period (today or 10-plus years from now), where Red thinks up ways to attack and Blue thinks up ways to counter those attacks and defend U.S. (and global) interests.
Cyber ShockWave exposed missing links in U.S. security
New threats compel DOD to rethink cyber strategy
In the cyber realm, Red's been kicking Blue's butt, so Blue did something radical. They hired Riley Repko away from private industry to develop non-traditional ways to engage the private-sector — the “true owners” of the intellectual capital within the cyber domain.
Because these defense-centric war games have historically been classified exercises, the participants were always limited to those with security clearances. Although that has always worked well in the kinetic world of air, sea, and ground power, it fails when it comes to cyber power. Much of what is possible in the cyber world is being thought up by people who never would want, or never could get, a Defense Department security clearance. That's where Riley's cyber war-games come into play.
Repko is a veteran of both the military (having retired from the U.S. Air Force Reserves in 2006 after 27 years of service), and the private-industry (working 25 years in management positions, including over a decade for Larry Ellison at Oracle). He has come back to the government and is now serving within Air Force Operations and Requirements, leading their engagements efforts, specifically with the private-sector.
Because of his transformational thinking, he is currently detailed to the Office of the Secretary of Defense. He knew that if we wanted to tap into American ingenuity and creativity, he would have to change the rules of the game. And that he did. This starts with, as he puts it, “awareness to what's out there” (capabilities found in the private sector) and their capacity — specifically, does this solution exist, is it fielded or is it merely an idea still on a napkin?
Next: The strategy revealed
Setting up the board
The key to Riley's plan is the ability to utilize a trusted third-party to perform the “sanitization and anonymization” functions that shield any over-exposure to vulnerabilities while at the same time protecting the sensitive corporate intellectual property from being misappropriated.
This further allows for the widest population of experts (globally) to participate, no longer worrying about clearances or IP issues, and for focus to be given directly to the real war problems at hand.
In essence, extending the operational reach of the military through a nexus of collaboration between large and small businesses, the R&D and university communities, venture capital, the inter-agencies and even the 'wizards' — those hackers and patriots who must be part of the mix. That made this cyber war game unlike its kinetic forefathers — fully collaborative, quite interesting and demonstrating a new model for going forward.
In this game, the Air Force took the time to create an actionable scenario that did not divulge any sensitive or classified material, yet still challenged participants to bring to bear the most creative of technological solutions.
Next: The battle is joined!
Inside the Pacifica Games
After the Air Force set the stage by briefing us on the hostile events transpiring on the fictional island of Pacifica, we went to work. We were briefed in a real world environment, with bits and pieces of information coming in real time. As happens in war, the events escalated over time, with the Red team throwing wave after wave of attacks that were a blend of kinetic and cyber challenges.
We had several Air Force officers with our group, to help define the typical military response and requirements in these situations. And then it was up to us. We leveraged what is being thought of, developed and deployed in the private-sector, including IPv6 communications (for ad/hoc networks and covert communications), a variety of transportable identification and authentication systems, including magnetic fingerprints (which are used successfully in the payments world but never before in war), game theory, games development, advertising, social networks, search engines, and much more.
As a member of the Blue team, I was joined by technical experts from the intelligence community, former inter-agency federal leaders, academia and the communications, information security, financial, technology and other commercial sectors. The representatives from each of these organizations were not the typical business development types (for the most part), but rather that one person that most companies keep locked in their vault, as they know more about their subject than anyone else.
We knew this would be different from a typical business meeting when they had us all remove the batteries from our BlackBerrys and mobile phones, and completely power down our iPhones — explaining how advisories can load malware onto mobile devices that allow remote activation of our microphones. They didn't want us tipping our Blue hand before we even got out of the gate.
We had a Blue team member design on the board a new way to communicate, using adaptive lasers, despite the formidable enemy communications deterrence over Pacifica. This was something his company never deployed, because he knew of no commercial need, yet seemed to provide a workable countermeasure to the Pacifica “enemy.” We also developed a low-tech idea that repurposed soccer balls that also holds promise. In these games, everything was on the table.
Over the two days of the game, the Blue team offered over a dozen possible countermeasures to the Red team’s aggression, and followed our guidance to “find ways around the problem, if you can't stop it directly.” Lots of mash-ups were created that I've never seen before, which could well be steps toward defending our nation.
Stopping a real cyber-war
While I can't say that the Blue team “won” the game, I do know that this is the way to develop our defenses going forward. Cyber war is so radically different than kinetic war, and the participants got very realistic demonstrations about the how the mash-up of both is changing everything. This approach to the problem will be a critical success factor of the future. Yet we still need to do better.
These Pacifica games demonstrated both the need and ability of this approach, but DOD needs to make this a long-term trusted component of their planning, and that requires three next steps:
Step 1. Use the fruits of the Pacifica war-game by linking and sharing the most promising of ideas to their most appropriate government partner, and get them going as projects. By tapping into the private-sector, you will be amazed as to what the 'art of the possible' is near-term.
Step 2. Build out the collaboration framework elements identified and developed by Mr. Repko. The “sanitizer and anonymizer” mechanism managed through a trusted but neutral administrator could enable both the Defense Industrial Base and the 17 other Information Sharing and Analysis Centers, small technology businesses, research and academic organizations to safely register and collaborate their potential technologies, gaps and seams with DOD and inter-agencies' and assist them with defining their cyber-warfare requirements.
Step 3. Widen the circle of participants for the future games, more commercial experts from smaller and more unique companies, design in the use of tele-presence to lower the burden on small business to participate, and spread the word through all business sectors that DOD (and federal agencies) are now 'open' for business.
I was proud to both advise and participate in the Pacifica cyber war game workshop. Along with many of my commercial colleagues, I look forward to the Pentagon taking the next steps with the support of the science and technology communities of Congress, DHS, and especially the private-sector. We can and must leverage the best innovation our country has to offer in the defense of our freedoms.