When U.S. Cyber Command simulated a cyberattack against a seaport last month, military personnel hunted for adversaries who appeared to be using malware against a critical trade hub.
It was the latest version of an annual weeklong test known as “Cyber Flag” that teaches cyber staffers better defend against critical infrastructure attacks, military commanders involved in the exercise told reporters in a briefing Tuesday. By imitating an attack that blocked the seaport’s ability to move cargo — potentially affecting international trade — military leaders tested their readiness for a real-world incident and looked for ways to improve their response. The simulation also included officials from throughout the U.S. government and from allied partners to emphasize stronger coordination.
“Cyber Flag is the command’s annual tactical exercise series that features teams working on keyboard against a live opposing force,” said Rear Adm. John Mauger, Cyber Command’s director of exercises and training. “The environment is really intended to challenge the teams both as individuals and their knowledge as analysts and operators — but more importantly as a collective team and their ability to work together to achieve mission outcomes while fighting through a contested environment.”
More than 650 cyber professionals — comprised of the Cyber Mission Force, Marine Corps personnel and National Guard from Georgia, Nebraska, Texas, and Pennsylvania — were split into 20 offensive and defensive teams, according to the Pentagon. Teams also included other U.S. government staffers from the FBI, the Department of Homeland Security, the Department of Energy, the House of Representatives and the U.S. Postal Service, as well as representatives from each of the Five Eyes countries — the U.K., Canada, Australia, and New Zealand. Private sector participants from utility providers also were a part of Cyber Flag, according to the Pentagon.
Roughly 100 of the professionals played as adversaries in the exercise. They used publicly available, open source malware to run malicious operations on targets and test whether defenders were properly hunting down the attackers. The goal was for red team attackers to ultimately simulate blocking a port from moving cargo, which they did, staff told reporters.
As part of working through the scenario, members from the U.S. Coast Guard in the Hampton Roads region in Virginia also participated in an exercise to run through how they would respond to a real cyberattack on ports, Mauger said.
Ports are frequently targeted by cyberattacks around the world. The world’s largest shipping company, Maersk, was hit with the NotPetya ransomware attack, costing the company 4,000 servers, 45,000 PCs and hundreds of millions of dollars in damages. Last year, several major ports around the world reported being victims of cyberattacks, including the Port of Barcelona and the Port of San Diego. The Coast Guard this month revealed that a vessel traveling through international waters was hit with a “significant” malware attack.
Refocusing to hunt adversaries
Cyber Command’s focus in this simulation exemplifies how, a decade after being established, and one year after achieving combatant command status, the military unit is training its troops to meet its new operational strategy, known as “persistent engagement.” The idea is to keep U.S. cyber personnel constantly engaged with adversaries, just below the threshold of armed conflict.
Specifically, Mauger said this year Cyber Flag worked on focusing its Cyber Protection Teams on hunting for adversaries instead of focusing only on cybersecurity and “mission protection.” Cyber Protection Teams typically work to deter cyber threats by protecting network infrastructure.
“For the extensive intelligence that they have, we want them to be the experts in hunting for adversaries’ activity,” Mauger said. “We’ve really focused the skills for the Cyber Protection Teams away from some of the cybersecurity and cyber support and mission protection functions, which we see as missions of local network defenders, and really towards that adversary hunting.”
Cyber Command received new authorizations to work outside of Department of Defense networks last year to run offensive operations against adversaries. Just last year, too, Cyber Command’s 133 Cyber Mission Force teams achieved full operational capability, meaning they can achieve their missions independently.
But even as the administration pushes ahead with offensive operations — U.S. national security adviser John Bolton recently said the administration is focusing on expanding offensive operations — cyber military commanders have said they want to focus on training.
Cyber Command’s director of operations, Maj. Gen. Charles Moore, said during a rare briefing in Fort Meade, Maryland, this May that his division is now working on operationalizing Cyber Command through training, not just building up the 133 Cyber Mission Force teams.
“We’ve transitioned to really operationalizing this command,” he said, adding that the goal is for Cyber Command to “sustain the readiness” over a long period of time.
Why training matters
As Cyber Command works through confronting and gathering intelligence on adversaries more as part of persistent engagement, personnel operating in the digital realm often have a host of new skills to learn, Mauger said.
“As the command has matured and we’ve moved to an operational strategy of persistent engagement, we’re now a force that attempts to engage with adversaries below the level of armed [conflict] on a recurring basis,” Mauger said. “In order to be able to do that we had to reorganize the force, establish new tasks, and new skills and capabilities that they needed to have. And so we’ve been drilling that into the force over the course of the last year.”
The port exercise did not emulate any adversary in particular, Capt. Jesse Nangauta, a senior intelligence officer with Army Cyber Command’s 1st Information Operations Command, said in the briefing. Instead, the teams running offense were focused on espionage and disruption intended to get the defensive teams to respond, and hunt after them.
“We were trying to emulate an adversary that had two objectives such as obtaining information as well as causing disruption, not only in the IT infrastructure but also in the [operational technology] infrastructure,” Nangauta said.
Last year was the first year Cyber Command ordered teams to hunt for adversary activity in a simulated ICS/SCADA networks, control system networks that drive infrastructure for businesses, governments, and militaries, such as water distribution systems or gas pipelines. This year is the first time the command has used the Persistent Cyber Training Environment, the Pentagon’s cyber training platform, to prepare for Cyber Flag.