CyberWire Daily - Jack Voltaic: Army Cyber Institute's critical infrastructure resiliency project, not a person. [Research Saturday]

Episode Date: May 15, 2021

Guest LTC Erica Mitchell from the Army Cyber Institute joins us to talk about their infrastructure resiliency research project called Jack Voltaic. The Army Cyber Institute's (ACI's) Jack Voltaic (JV)... project enables the institute to study incident response gaps alongside assembled partners to identify interdependencies among critical infrastructure and provide recommendations. JV provides an innovative, bottom-up approach to critical infrastructure resilience in two unique ways. Whereas most federal efforts to improve resiliency focus on regional or multistate emergency response, JV focuses on cities and municipalities, where critical infrastructure and populations are most concentrated. Furthermore, JV deviates from other cybersecurity and national preparedness exercises in that it builds around areas of interest nominated by the participants. Although JV events include national-level capabilities and resources, they are conceptually driven by the concerns of the cities and their infrastructure partners. Through this approach, the ACI, the Army, and the Department of Defense (DoD) are able to harvest insights about potential roles, dependencies, partners, and support requests, while cities are able to discover potential capability gaps and expand their critical infrastructure information-sharing networks before a potential disaster strikes.

Research links:
Jack Voltaic Cyber Research Project
Jack Voltaic 3.0 Cyber Research Report Executive Summary

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard
Starting point is 00:01:10 problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Well, Jack Voltaic got its start back in 2016. That's Lieutenant Colonel Erica Mitchell from the U.S. Army Cyber Institute. Today we're discussing Jack Voltaic. That's their critical infrastructure resiliency research project. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024,
Starting point is 00:02:05 these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation,
Starting point is 00:02:41 and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. My predecessor, Chief Warrant Officer 4 Judy Escobel, was looking for a research project and started thinking about, we have these mutual assistance agreements for energy companies. If there's a major natural disaster, you get linemen from all over the nation coming to help whatever the affected area is. And her thought was, what if we could do something similar with cyber? You know, we have struggles in having the appropriate number of cyber personnel. We have a negative unemployment rate in cyber. So what if we could lift and shift personnel when there's a
Starting point is 00:03:46 major disaster? And so that's how the Cyber Mutual Assistance Workshop in 2016 happened. And at that workshop, they discovered that there was difficulty in translating things across companies and across sectors. And so the broader research became, how do we help these sectors talk with each other and leverage each other in the event of some type of cyber incident? And so they conducted Jack Voltaic 1 in New York City in partnership with Citi. And from Jack Voltaic 1, they tested a terrorist attack with a cyber attack that occurred afterwards, particularly targeting the finance, transportation, and energy sectors. And the data that came out of that showed that we weren't really prepared for opportunistic cyber attacks. And so New York City was able to leverage that research and have since stood up their very own cyber command.
Starting point is 00:04:56 And then you move on to Jack Voltaic 2. What was the program there? So with Jack Voltaic 2, we decided that we were going to take a look at another major metropolitan area. In this case, it was Houston. And with that, we also incorporated Beaumont, Texas, which is where we do a lot of port activity. The Surface Deployment and Distribution Command, they move stuff out of the Port of Beaumont, and so we brought them into the scenario. And we were looking at what happens in the event of a hurricane and then a cyber attack kind of preying on the chaos that surrounds hurricanes. And what we learned from that is, one, during a hurricane, all the ships
Starting point is 00:05:47 are going to be pushed out of the port. So any cyber attacks that happen after that are basically overcome by events and don't have an effect. But what we also learned is what we tend to think of as the center of gravity, you know, you look at energy particularly, isn't going to always be the center of gravity. For Houston, water and wastewater was actually a bigger issue because of the amount of water needed to shut down the chemical plants there. And so these Jack Voltaic events kind of pull these threads that no one's gone, you know, all the way down the rabbit hole on, and we learn new things every time we conduct one. Well, today we're going to be focusing on Jack Voltaic 3. Before we dig into what you all did this time around, I'm sure there's some folks in our audience who are wondering about the name itself, which I'll admit I find a bit delightful. Can you give us a little of the backstory? How did it come to be called Jack Voltaic? Well, sure. So in the Army and the military in general, we tend to give things these two-word names. And so Judy really liked the term voltaic and kept kind of trying to figure out what would go with that
Starting point is 00:07:06 and then hit upon Jack. And the bad thing about Jack Voltaic is it's often caused people to ask us who Jack Voltaic is and expect a man to show up for these discussions. But it's a great name. No, it's certainly catchy and easy to remember. And I think fitting for the type of exercises you're doing here. Well, let's dig into the third iteration. What did you all set out to do this time round? So I'm going to go back just a little bit. Right before we did the third iteration, we were asked to go do a series of workshops across America. We went to six different port cities, and this was Jack Voltaic 2.5. And what we saw was that these port cities, even though they're all port cities, every single port city
Starting point is 00:08:06 is different. And so that kind of led us in Jack Voltaic 3 to not just look at port cities, but also make it more of a regional focus. It's kind of trivial, not completely trivial, but fairly trivial if you can pivot from one port to another that's within a couple-hour drive. Where it becomes difficult is when you have two ports that are in close proximity to each other that are both experiencing problems. And then you've got to start looking further away to pivot to a different port if you're trying to do a forced deployment. And so for JV3, we were looking at pulling the thread that we couldn't pull with Service Distribution and Deployment Command, or Deployment and Distribution Command during JV-2 and seeing whether an attack on civilian critical infrastructure without targeting the DOD
Starting point is 00:08:59 specifically could interfere with our force projection mission if we had to send people and equipment out the door. And what we learned during JV-3 is that it absolutely has an impact. And we also saw some more of the information sharing that we've seen during JV-1 and JV-2 in that we had equipment that was moving to the port, but the cities that it was passing through weren't necessarily informed that it was coming there. So when they had these strange cyber issues, they weren't suspecting that it may be part of a bigger motive that's targeting DOD passing through their city. And so what we see is that the information sharing piece is one of the biggest components of Jack Voltaic and the findings every time we do it. You know, looking through the report here that you published,
Starting point is 00:10:02 one of the things that struck me, and I think this is just me coming from my own point of view, is, you know, that when you list your scope and objectives, the top of the list was to examine the impact of a cyber event on Army force projection. And I think it's not reflexive for me to think about Army force projection within the continental United States. I think most of the time I'm thinking of the Army going to other places and doing things, but this is part of your mission. And I think for whatever reason that has sort of fallen out of the popular imagination of the types of things that you all do, but still an important part of the mission, yes? Absolutely. So a lot of times we assume away any risk in the homeland, or we assume that we're going to have this uncontested homeland, and that if I need to move equipment from Fort Hood to Beaumont, nothing is going to stop me. If I need to move equipment from
Starting point is 00:11:05 Fort Gordon to Charleston, which coincidentally I did back in 2003, nothing is going to prevent me from being able to do that. And so with cyber, that is no longer a good assumption the way it was 20 years ago or 30 years ago when we didn't have to worry about anyone being able to come over and start a fight in the homeland. Right, right. The very nature of cyber is such that people can cross those borders virtually and affect things from a distance. Exactly. And so what we're trying to do, one of our big focuses at the Army Cyber Institute is preventing strategic surprise. If we can dream it, someone can do it. And so that is why we're focusing so heavily on preventing that strategic surprise in the homeland and having cyber prevent us from being
Starting point is 00:12:07 able to complete our force projection mission. Well, let's go through the scenarios here and how you organize things, the varying degrees of types of events and impacts that could have on things both within the military and the cities themselves. Can you share with us, how did you go about planning this? So we had a team that got together, and we actually researched events that have happened. So for example, for some of the train injects, there was a young boy in Europe who, at 14 years old, managed to derail a train through hacking. And so we based everything on existing malware that could deliver the injects that we had and on existing events that had already happened. And that way,
Starting point is 00:13:02 it kind of prevents people from fighting the scenario. You know, when you come up with something that's completely off the wall, people don't really want to trust in the scenario and they're more likely to say, oh, well, that can't really happen. But in this case, we were able to say, look, everything we're saying can and has happened.
Starting point is 00:13:22 And that was our main focus, was to make it a realistic scenario using real world events. Can you walk us through then, how does it play out? I mean, do you start with low impact things and sort of crank up the heat from there? So in this case, absolutely. We went with a death by a thousand paper cuts type scenario. And that's because what we're looking for is at what threshold are people going to recognize that this may be an actual cyber event? And then for the next step, at what threshold are they going to declare that it's a cyber event? Because from a legal and policy perspective, there has to be a declared event for certain things to trigger certain support from the federal government and for states to get involved. And if there's no incident declared, then nothing is going to happen until
Starting point is 00:14:20 said incident is declared and support is requested. And that's what we were really looking at. Where are those thresholds? And what did you learn? I mean, what can cause a delay between something happening, the suspicion that it may be one thing, and an official declaration? So a lot of the delay is we're still in a mind state where we don't expect the cyber attack. So, for example, when we had the traffic lights that were acting funny, the first thing people want to look to is mechanical failure
Starting point is 00:14:53 because, you know, at this point, that is a far more likely scenario than someone, you know, hacking from another nation state. And so we left everything nebulous to see where the communication was. And the communication initially goes from, you know, the city to their DPW equivalent, not all of them are named DPW, but Department of Public Works equivalent, who then sends somebody out. And so you get the delay where they're going out checking the physical equipment or replacing the physical equipment. And then if there's still a problem, then they may go to the next level and start to look at, well, is it possibly cyber?
Starting point is 00:15:39 So you've got a pretty long time delay between a cyber interference starting and it actually being recognized as cyber if you keep it low level, non-catastrophic. Can you give us an idea of who were the various groups sitting around the table here? Who was taking part? Oh, so we had participation across industry. We had the local governments from the cities of Charleston and Savannah and town of Mount Pleasant. We had the local energy companies, Dominion Energy, Georgia Power. We also had federal participation as well. We brought in, during the law and policy tabletop exercise, we had representatives from U.S. Cyber Command, U.S. Army North. We also had the Office of the Secretary of Defense for Cyber Policy represented. And so it's this whole of community approach where we kind of bring everybody together. We even had the Charleston City School District, the Savannah School District brought in, because a lot of times people don't really think that, if it directly affected the public schools, you'd start to lose personnel to work on your mission because they had to go pick their children up or they were worried about their children.
Starting point is 00:17:16 And so we really tried to take a broad, holistic look at everything that could possibly go wrong and cause a delay. Did you have many sort of aha moments along the way? I mean, were there any things that stood out to you where, you know, people were looking around the room, looking at each other across the table and saying, hmm, that's interesting? So one of the big aha moments, and I kind of just gave it away with my answer before, during the law and policy tabletop exercise, we kind of stepped through some scenario pieces there. And we brought up the potential of an alert going out about a shooting at a school. And the horror, the tension in the room was absolutely palpable. You know, and when you think about it, a lot of the people that are working in these offices have school-age children. And even though they knew it wasn't real, it was, you know, a room full of people discussing a scenario. You could feel the tension and the stress coming off of all the parents in the room.
Starting point is 00:18:33 And you could tell that that would be an immediate reaction. It doesn't matter what else is going on. That is going to be handled before anybody's ready to continue work. Yeah, that's fascinating, isn't it? I mean, I guess you can't really underestimate the human side of all of this, particularly as you mentioned at the outset, when we're dealing with things like natural disasters and then having cyber put on top of that,
Starting point is 00:19:00 people's emotional state is really an important part of all this. Exactly. I know in some of the workshop discussions we had, when we were talking about earthquakes and flooding, depending on where we were, people will take care of their families before they can focus on the mission. And so a lot of incident response planning depends on a best case scenario where you have 100% of your workers and they're completely focused on the mission. or any other type of physical event, people are going to definitely put a lot of focus on making sure their families are safe before they focus on the actual job.
Starting point is 00:19:52 What were some of the main take-homes here? At the end of the day, what did everyone learn? So at the end of the day, I will say one thing that I've got to put in there that kind of trumps all of the actual lessons from JV3 itself is that we managed to conduct this fully distributed virtually online. And that's a whole new thing in tabletop exercises. Ordinarily and up until the end of February, we were bringing everybody together in a room where they could interact, talk face-to-face, build this trust. And then with COVID travel restrictions,
Starting point is 00:20:33 we had to lift and shift and move the entire thing online. And now I absolutely prefer the online methodology because realistically, that's what's going to happen if there is an event. You're still going to be in your office, especially as long as we saw it take for people to recognize that it may be a cyber incident, even though they were participating in a cyber exercise. Participating in a cyber exercise. So I think us moving this online and doing it 100% virtual far better mimics real life than actually bringing everybody in a room together where you kind of have a shortcut. You don't have to pick up the phone and call someone or email someone. You can just talk across the table. Right. And also, in addition to that, what we've learned is we need more of these. And that's not me trying to toot our horn or anything like that. The reality is our structure
Starting point is 00:21:36 and our framework has basically brought as many questions as it's answered. And so with us doing one every couple of years, we've found that that is not going to get to the heart of the problem in the same way that having cities able to do their own would, where they can do them more frequently and they don't have to go through the process we have to go through of coming into a new area, trying to understand the local landscape, finding the right partners, establishing trust between all the parties. And what we're hoping to do and what we've been working on is making it where these cities and even possibly, you know, regions and state level can conduct their own exercises and start to evaluate their progress on top of where they are now, but be able to continue to do them and evaluate progress from there. Yeah, I mean, it really strikes me that there's an advantage to the cities of having you all from the Army Cyber Institute kind of take the lead on this because you're not coming into an area with a set of biases. You don't necessarily know all the ways that this particular locality does things. And so you're not liable to have that sort of, you know, that old chestnut about, well, that's the way we've always done things.
Starting point is 00:23:11 You know, you're able to bring fresh eyes to the situation. Right. But now we're trying to use our framework to bring those fresh eyes without us having to go there ourselves. And it's just for, you know, economy of scale, right? I have a small team. We have three to five people at any given time. And so trying to go out to a lot of different locations isn't going to get us where we need to be quickly. And so that's why we've developed a suite of tools that allow cities to go in and without necessarily seeing the scenario up front, they can share what sectors and subsectors they want to have participate, how long they want the exercise to be, whether it's a half day or a three-day exercise. And they can input a certain level of
Starting point is 00:24:06 information about what they're looking to do. And then what our tools do is it basically fills in the Mad Lib forum and hands them back an exercise guide and a player handbook. And it also gives them a data collector guide, like what information do they need to know, what questions do they need to ask. And then at the same time as they get their documentation to run their exercise, it's also sent over to the Norwich University Applied Research Institute's Decide platform, and they can actually play the exercise online in the Decide platform. And so what we've done is we've kept it low cost and low impact for the cities, but we've also managed to spread what we can do with just a handful of people.
Starting point is 00:25:00 And what's the response been so far with the cities that you've partnered with? How are they feeling about having gone through this exercise together? leverage the results of the exercise to get grant money to improve their cybersecurity. Charleston and Savannah are working on that, but they're still very early in the process. And they've all requested to do it again. I actually just spoke with someone a few days ago about the potential for Houston doing it again. And so what we're offering is for Houston to be able to use these tools and develop their own exercise using our framework. And so that's what we're hoping to do because we would love to have that repeat exercise feedback as opposed to, okay, we've done this one area and we're never going to see you again. We would love to be able to follow up and have people continually do these so they can see
Starting point is 00:26:12 where they've improved, what areas they still have for improvement. Our thanks to Lieutenant Colonel Erica Mitchell from the Army Cyber Institute for joining us. If you'd like to learn more about their Jack Voltaic project, we'll have a link in the show notes. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:27:15 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Starting point is 00:27:45 Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
