Cybersecurity is only in the spotlight when it fails. After high-profile, large-scale data breaches, it takes a beating. But cybersecurity provides critical layers of infrastructure in our modern, cyber-dependent society. Rehearsing for potential failures is always worthwhile.

Executives tend to relegate cybersecurity to the IT department. That is a mistake, because cyber incidents affect the entire organization. We should conduct regular cybersecurity drills, as we do fire and safety drills. That’s where tabletop exercises can play a big role.

At last month’s Cyber3 Conference Tokyo 2017, international stakeholders from academia, industry, government and civil society gathered at Keio University for the third annual conference on cybersecurity. The meeting was an opportunity for ministries and agencies to align on cybersecurity, and for the private sector to follow suit. Japan’s private sector has the lowest efficiency and productivity in the G7; improving its cybersecurity could change this.

During the two-day conference, a tabletop exercise (or TTX) simulated cyber-attacks on Japan’s forthcoming 2019 Rugby World Cup. The simulation generated insights applicable not only to large-scale sports events such as the 2020 Tokyo Olympic and Paralympic Games, but also to the national cybersecurity infrastructure of Japan and other countries.

Hacking the Rugby World Cup

The simulation, dubbed Operation Rugby Daemon, was aimed at helping Japanese government agencies, businesses, and other stakeholders understand, coordinate and better respond to potential cyber threats to information flows and critical infrastructures. It was sponsored by the Sasakawa Peace Foundation USA.

Three types of cyberattacks were simulated between a theoretical date range of September 20 to November 2, 2019: (1) phishing e-mails to acquire access to critical industrial control systems, (2) disruption of the power grid based on network access gained from these e-mails, and (3) distributed denial of service (DDoS) attacks against the Rugby World Cup website and related internet addresses.

In the TTX, four teams of eight to 10 people from government and industry acted as a public-private task force to ensure security during the World Cup. They were given clues through a series of injects on two dates, with information coming from domestic and foreign sources. The energy grid penetration and the DDoS attacks occurred simultaneously, emulating the ‘fog’ of cyberwar. The teams were challenged to identify the sources of the attacks and prevent serious consequences. They were also asked to present a five-minute summary of their response to a control team of observers.

Image: Financial Times

In the phishing attack, hypothetical adversaries sent emails to staff at a large Japanese power utility, industrial conglomerates, and Japan’s Ministry of Economy, Trade and Industry (METI). The phishing e-mail contained a description in Japanese that concealed malicious code. In the scenario, a utility worker clicked on the attachment, giving attackers a foothold in the utility’s local area network (LAN).

If team members failed to take effective steps, there would be a power failure at Yokohama Stadium during the World Cup’s final game. If they took remedial steps, a small part of the grid would go down, but the utility would be able to react quickly and compensate.

In the DDoS attacks, websites associated with the Japanese prime minister, the Rugby World Cup, and other public and private entities were hit with more than 700 Gbps of incoming traffic, causing them to go down. A ransom note, purportedly from an anti-whaling group, was sent to the utility’s CEO. The attacks appeared to be foreign botnet operators conducting the DDoS through an overseas address. The scenario included diversion-tactic information sent to Japan’s National Police Agency. Teams that took effective steps were able to mitigate the extent of damage from the DDoS attacks.

Image: Financial Times

Lessons learned

The teams were encouraged to coordinate and act quickly. This tests a very real-world problem of authority’s ability to respond in crises. Aside from the need to coordinate horizontally, government officials must know what they can and cannot do. Otherwise, they will lose precious time sending permission requests to higher-ups, who may then send them further up the chain of command, slowing the response and wasting crucial time. As Paul Maddinson of the UK National Cyber Security Centre told conference attendees, the most useful thing he could do when managing a team of responders during the WannaCry attack was to order pizza for them. They knew their roles, responsibilities and authority. Mr Maddinson stepped back and let them do their job.

The most effective participants communicated rapidly with domestic and international partners, shared information, and formed conclusions that helped mitigate the DDoS attacks and the power grid disruption. Other teams chose not to make key recommendations to higher authorities because they questioned their legality. Some players tried to send requests directly up the chain of command to lead agencies, instead of sharing horizontally.

Aside from the importance of sharing information and communicating across regulatory jurisdictions, one of the most important lessons gained from the TTX is that participants need to develop situational awareness as events unfold. This involves understanding how the individual pieces fit into the bigger picture, as well as being aware of the timeline of phishing attacks transitioning to power grid disruptions. The same will hold for any large cyber incident.

Operation Rugby Daemon showed that Japan must develop a series of TTXs to raise awareness about cybersecurity for the upcoming sports events. It must develop experienced game veterans who can offer useful recommendations in real-world situations. Japan also needs experts with the ability to make decisions based on incomplete information - a stressful experience that can only be prepared for during TTX exercises like the Rugby World Cup scenario. Book knowledge and checklists are no match for the ability to coordinate, share information and make quick decisions that can have a huge impact in a crisis.

“The fact that we store our wealth and treasure in databases in computers more than banks makes us vulnerable,” Richard Ledgett, former deputy director of the U.S. National Security Agency, told conference attendees after participating in the TTX.

“Cybersecurity underpins our daily existence and democracy. These threats are serious and real. With the tabletop exercises, we highlighted how hard it is to respond. We need to practice, practice.”

Several of the security industry’s leading vendors and academic institutions now offer cyber range centers, which provide testing and training to simulate cyber attack preparedness and response in much the same way TTX do. Any technology vendor should have a good answer when asked about training resources. Keeping cyber skills sharp can make as much difference during a crisis as any other investment in people, process or technology.