I was one of the team leaders for a tabletop exercise held during the November 2017 Cyber3 Conference at Keio University in Tokyo. The following are some of the lessons learned from a joint task force tabletop exercise:
The most effective participants communicated rapidly with domestic and international partners, shared information, and formed conclusions that helped mitigate the DDoS attacks and the power grid disruption. Other teams chose not to make key recommendations to higher authorities because they questioned their legality. Some players tried to send requests directly up the chain of command to lead agencies, instead of sharing horizontally.
Aside from the importance of sharing information and communicating across regulatory jurisdictions, one of the most important lessons gained from the TTX is that participants need to develop situational awareness as events unfold. This involves understanding how the individual pieces fit into the bigger picture, as well as being aware of the timeline of phishing attacks transitioning to power grid disruptions. The same will hold for any large cyber incident.
Operation Rugby Daemon showed that Japan must develop a series of TTXs to raise awareness about cybersecurity for the upcoming sports events. It must develop experienced game veterans who can offer useful recommendations in real-world situations. Japan also needs experts with the ability to make decisions based on incomplete information – a stressful experience that can only be prepared for during TTX exercises like the Rugby World Cup scenario. Book knowledge and checklists are no match for the ability to coordinate, share information and make quick decisions that can have a huge impact in a crisis.
The exercise was quite enjoyable and an interesting exercise in seeing how representatives from disparate agencies can collaborate in real-time on important issues potentially impacting an important event. My team was a tough one. They were more concerned with the legality of some of the questions rather than taking quick action to resolve a situation.
It was quite eye opening, and actually more terrifying than anything. If the task force actually took these actions during the event the outcome would most likely have been catastrophic.