COL Jeff Erickson, U.S. Army Chief of Staff
Army Cyber Institute West Point, New York
Improving Resiliency of Public and Private Critical Infrastructure:
The Jack Voltaic™ Research Project
How did we get here?
• Historically, civilian infrastructure has been so reliable that military planners have taken its support for granted.
• Similarly, geography and U.S. military dominance have guaranteed security of civilian infrastructure from serious foreign military action.
• The introduction of cyberspace as a domain of warfare often places civilian infrastructure on the front line; the military cannot guarantee similar levels of security.
• Response to cyber-attack now relies on multi-layered public/private partnerships, using equally multi-layered application of resources.
Planners were knowledgeable and experienced in cyber, emergency plan procedures and were involved throughout the designing, execution and evaluation of the exercise.
Component 1: Live-Fire-Exercise (LFX)
Component 2: Table-Top-Exercise (TTX)
Component 3: Planning Committee
Correlated
Addressing the Situation: Jack Voltaic™
What is Jack Voltaic?
Jack Voltaic is the ACI’s focused research on both critical infrastructure and public/private partnerships. It is a local government and industry focused experiment that examines a city’s ability to respond to a multi-sector cyber-attack.
What was JACK VOLTAIC 2.0?
JV 2.0 was a 3-day multi-sector, public-private, cybersecurity research project that culminated in an exercise in Houston, TX (August 2018).
• Explored how a large city would respond to a simultaneous physical and cyberspace attack that could impact multiple critical infrastructure sectors.
• JV 2.0 explored the employment of the total Army force to defend the Nation in the face of a physical and cyberspace attack on a large U.S. port city as well as the cyber resilience and readiness of Army-operated Defense Critical Infrastructure.
JV 2.0 Research Goals
1. Develop a framework in which to exercise a city’s ability to respond to a combined physical attack (e.g., a natural disaster) and cyberspace attack affecting multiple infrastructure sectors.
2. Evaluate the cyber resilience of key Defense Critical Infrastructure in response to a combined physical and cyberspace attack.
3. Evaluate and examine the military’s coordination process for providing cyber protection capabilities requested by civil authorities, including the ability to communicate and share information among the city, the private sector, and response partners.
4. Showcase the City of Houston as an emerging state and national leader in cyber incident response.
Planning Timeline for Jack Voltaic™ 2.0
Acronyms:
• JV: Jack Voltaic
• IPM: Initial Planning Meeting
• MPM: Mid-Planning Meeting
• FPM: Final Planning Meeting
• TTX: Table Top Exercise
• LFX: Live Fire Exercise (digital range)
Jack Voltaic™: Key Findings
1. Must develop a repeatable risk management framework that is adaptive to a rapidly evolving threat.
2. The U.S. military and its allies are dependent on civil and commercial infrastructure in and around cities.
3. State military departments need to evolve cyber response processes, including partnership strategies, and capabilities more rapidly.
4. States need to develop campaign plans for more scalable incident response and rapid information sharing.
5. Policies and legal authorities need to be reviewed and adjusted to better help cities against sophisticated physical/cyber threats.
Where do we go from here?
• Jack Voltaic 3.0
• Moving from a city to a regional focus
• Savannah, GA & Charleston, SC
• Execution of Regional Workshops focused on key port cities
• Complete repeatable framework to allow for scaling to more cities
• Identify solutions for increased use of cyber training environments
Army Cyber Institute https://cyber.army.mil/
Jack Voltaic™ Research Paper
https://digitalcommons.usmalibrary.org/cgi/viewcontent.cgi?article=1045&context=aci_rp
Questions & Discussion
Fb @ARMYCYBERINSTITUTE Tw @ARMYCYBERINST Li @THEARMYCYBERINSTITUTE