Written by Tony Campbell, Director Innovation & Research, Sekuro.
War-gaming and scenario planning for cyber attacks have finally become part of Board and executive-level discussions.
While overdue, this is good progress. Organisations across the country are waking up to the reality that threats are ever-present and only getting more sophisticated and widespread.
The government recently announced it will be working with businesses managing critical infrastructure to undergo cyber exercises, and I recently covered how Australia could learn from past war-game exercises overseas, like Dark Winter.
However, if we want to reach Home Affairs Minister Clare O’Neil’s goal of becoming the most cyber secure country by 2030, we need to be prepared not just for multiple scenarios, but also the worst-case scenario.
This means not shying away from the domino effects that a nationwide attack could have on our government, private sector and citizens, and the role that each business and political leader will need to play at every stage.
Cyber exercises should be coordinated similarly to a military wargame.
There is a lot the corporate and public sectors can learn from organisations like the NATO Cooperative Cyber Defence Centre of Excellence, which for example, has run annual military cyber exercises called Locked Shields since 2010.
We are seeing a growing appetite for businesses wanting guidance around how best to visualise, prepare for, and stay updated with what a worst-case scenario could become.
Here are some of the main aspects that businesses should incorporate into those war-gaming exercises.
The initial attack
Assessing recent approaches to cyber attacks by peers in your industry, or looking at high-profile attacks and asking internally what you could have done better can be a good place to start conversations internally around the importance of cyber resilience.
However, it will not be enough to prepare the organisation for what lies ahead.
In a war-game scenario, envision a large-scale cyber attack targeting critical infrastructure and services in Australia, launched by a nation-state actor.
This could be a DDoS attack, which is highly destructive and disruptive, while also requiring a lot of resources to address it.
The attack would aim to cripple key services, such as power grids, transportation networks, financial systems, and communication networks through the use of sophisticated malware and hacking techniques.
Revealing the hidden motivation and specific target of the real attack
Next, envision a secondary attack that involves multiple advanced persistent threats (APTs) that have joined the initial attack to steal data and defraud citizens.
These APTs would target a range of sectors, including healthcare, education, and government agencies. This secondary attack is what organisations need to be more prepared for, and their goal would be to cause widespread disruption and chaos.
Government and private sector involvement
Australia has recently joined the US and other Five Eyes cyber agencies to identify China as the primary instigator of nation state attacks, which follows from the Home Affairs Ministers vowing to hold China accountable for sustained attacks against MS Exchange servers in 2021.
As we have already seen through these public announcements and joint political efforts internationally, there is a clear and multifaceted role the government needs to play in the event of a nationwide attack.
When scenario planning, factor in the various government agencies that would need to be involved, each of their responsibilities and capabilities, and how their involvement and roles would impact the private sector and broader society.
The Australian Signals Directorate (ASD), the lead agency for cybersecurity in Australia, would be the primary agency responsible for responding to the attack.
Other departments involved would include the Australian Cyber Security Centre (ACSC), the Department of Defence, the Department of Home Affairs, and the Australian Federal Police (AFP). For government agencies directly related or indirectly linked to these agencies, time is of the essence.
There needs to be clarity around the internal roles and responsibilities, when and how to escalate the issue to other departments, when and how to alert the private sector and public, what information to release to media, and more.
The private sector would also play a crucial role in responding to the attack, particularly in terms of maintaining critical infrastructure and services.
Every person within the organisation – from the front desk to the CEO and Board – should have access to a comprehensive toolkit, which they would have been trained on recently and indicates exactly what they should and should not do.
Coordination and communication
The response to the attack would require close coordination and communication between government agencies, the private sector, and international partners.
The ASD would likely establish a central command centre to coordinate the response, with representatives from relevant agencies and sectors involved.
Communication channels would include secure online messaging systems, dedicated phone lines, and regular briefings and updates to stakeholders.
At this stage in the war-game, the Board and executives should already be discussing:
- What are the key messages we can and should be sharing with staff, customers, partners, investors, the government, and the media?
- Who is the spokesperson for each of these audiences, and who can each of these audiences direct their concerns or questions to?
- How do we prioritise actions, and who is responsible for each?
- What are we legally responsible for, required to report, and should ethically act on?
- What actions should we be taking now to stop further impacts of this attack and start addressing the fallout so far?
- How much worse could this get, and how can we prepare for that now?
To conduct all of this effectively will require proper funding and resources.
The adversaries are well-funded and well-coordinated, and Australia needs to be as well.
The need for sufficient financial and skilled support has heightened in recent years and will likely continue to grow as Australia continues to support the US and the UK in its stance against Russia.
Considerations and context
By this stage in the war-game, it should be clear that the response to the attack would require a multi-faceted approach, including technical and operational measures, as well as communication and public outreach efforts.
The government would need to quickly identify the source of the attack and assess the extent of the damage caused.
The response would need to prioritise the restoration of critical infrastructure and services, while also identifying and neutralising any ongoing threats.
Local or state-based police, crime, or emergency responses plans would also need to be taken into consideration.
The coordination between federal and local governments and police forces can be a common way for collaborative efforts to break down.
In addition, the links between the public and private sector need to be seamless – if the public sector is taking an ‘all hands on deck’ approach while the private sector is assuming the government can address the issue on its own, the outcomes could be catastrophic.
The severity of the situation needs to be clearly communicated to all levels of the corporate community.
Preparing for the next threat
While this level of caution and the breadth of the exercise may seem excessive, the reality is this is just step one.
Military drills and actual war games happen often, and for good reason.
There is no point in undergoing a scenario plan or war-gaming exercise, only for the result to be a lengthy document that is stored in everyone’s cupboards for months or years, and then considered too outdated, complex, or difficult to action when an actual attack occurs.
If agencies and the private industry recognise the importance of these exercises to national cyber health and resilience, they should also recognise these exercises need to be conducted in-depth and on a regular basis.
This is the only way to ensure Australia is practically ready for both the current and upcoming threats.
