Last year I was fortunate to serve as an advisor during an executive table-top exercise surrounding a power outage from a cyber attack. Executive rule number one: when an executive keeps going back to a particular topic it should demand your focus. Over the course of these two hours I was reminded of this rule.
One executive kept coming back to a question of acting or not acting in order to not ‘tip off the adversary’ thereby making matters worse. The scenario did involve destructive malware (disk wiper) capabilities. Pointing this out once as a concern is one thing; but when one of the executives went back to this idea 4 times in 2 hours I tried to understand the context of the questioning. The discussions went well, meaning we ran over time and I didn’t have an opportunity to address the act/no act scenario effectively. Instead, I’ll recap my thoughts here.
At first I took the line of questioning to subtly divert responsibility away from industry and to government agencies (‘we need threat intelligence! We need attribution!’). As it continued I also got the impression that she genuinely saw this as a concern and was wrestling this question with respect to operations and planning. And the more she asked the question the more annoyed I became.
The chance that you have a contested network is frankly pretty reasonable. What is less reasonable is that you
- know it’s contested;
- know the adversary and motivations;
- are skilled enough to act/defend against it;
and yet haven’t already answered the act/no act scenario. This scenario had the company in the midst of reacting to a cyber attack leading to sustained power outage and IT systems disruption. Their response plans, skills, flexibility and knowledge should carry them through the day.
To be fair, this executive is used to weather related exercises. Hurricanes, earthquakes, tornadoes and their impact to power operations. It is much more likely to have (or perceive to have) perfect knowledge in these scenarios. “The storm winds are past 75% of our territory, we can begin deploying clean up crews”.
Cyber scenarios offer far more ambiguity than anyone would prefer. The line of questioning shouldn’t be around act/no act but instead should be centered around how one creates flexibility in response plans to account for accountability, safety, speed and accuracy. She was asking an operational question but in a strategic context. This aspect of the line of questioning is what, months later, is a source of my annoyance.
What I wish I could have reinforced in the discussions:
Perfect knowledge only exists during exercise, not the real world. Indeed, if you did have perfect knowledge then the attack wouldn’t have been successful. If a operational question such as act/no act isn’t already baked into your playbooks then you run the risk of creating confusion and complexity at a time when confusion and complexity should be reduced. You should train like you fight and not fight like you are training.