Written by Tony Campbell, Director Innovation & Research, Sekuro.
Home Affairs Minister Clare O’Neil is working to prepare Australia for a “dystopian future”, which will include new cyber exercises to help energy companies, banks, health providers and other critical infrastructure providers become more resilient in the face of evolving cyber threats.
This is a much-needed step in the right direction. War-gaming and scenario planning for all businesses will be critical to keeping Australian organisations and Australians secure amid the reality of constant and relentless cyber attacks.
To date, the standards that Australian businesses have been held to have not reflected the complexities and rapidly digitised nature of security threats, and a preventative approach to cyber security is long overdue.
As Australia embarks on this mission of preparedness, it will also be important to recognise that simply doing these exercises is not enough.
As was witnessed during the pandemic, many businesses that had security plans and business strategies in place were forced to throw these out the window once our society, economies, and ways of working were drastically disrupted.
They were planning for the challenges of today, not tomorrow.
War-gaming for cyber threats needs to be a regular exercise, incorporating current and future trends, while also creating room for uncontrollable external changes.
Simultaneously, there needs to be ongoing research and recognition into how comparable exercises have been done around the world to ensure Australian businesses are not operating and trialling scenarios in siloes, but improving upon what has already been tested in other geographies.
Dark Winter was a bio-terror war game exercise conducted in the US in 2001, using the scenario of a biological attack on America.
Over 13 days, the scenario saw multiple states and countries impacted, public health responses evolve, and the 24/7 news cycle impact political and community behaviours.
There was extensive analysis made of this exercise that Australia could learn from ahead of our own cyber exercises for critical infrastructure providers.
Australia should be conducting similar training programs that aim to prepare for large-scale, nationwide attacks.
The focus should be to simulate coordinated APT (advanced persistent threat) attacks against Australia’s critical infrastructure, while assessing the country’s ability to cope with both the cyber and physical fallout from these attacks and to enhance preparedness and collaboration among various organisations.
It would need to be cross-departmental and include all branches of law enforcement and cyber response.
Most importantly, the exercise would need to be focused on outcomes. Here are six testable outcomes that were shown as weak or could be improved upon in the Dark Winter test that Australia could learn from.
1. Importance of interagency coordination: Dark Winter demonstrated that effective communication and collaboration between various government agencies, private organisations, and other stakeholders are crucial to managing a crisis. The Australian exercise should similarly emphasise the need for a coordinated response to cyber-attacks on critical infrastructure, without leaving the responsibility or decision-making solely with one group.
2. Addressing communication gaps: During Dark Winter, communication gaps and misinformation led to public panic, which exacerbated the crisis. Managing public communication and ensuring timely, accurate information dissemination will be essential to maintaining public trust and minimising social unrest during a cyber-attack.
3. Resource allocation and prioritisation: Dark Winter showed that strategic decision-making and prioritisation of limited resources are critical during a crisis. Businesses need to incorporate scenarios that challenge participants to make tough decisions on resource allocation and priorities in the face of widespread cyber-attacks on essential services.
4. Preparedness and response planning: The exercise highlighted the importance of having comprehensive and adaptable preparedness and response plans in place. In the context of the exercise, this lesson can be applied to develop robust cyber security plans and strategies that can adapt to the evolving threat landscape.
5. Continuity of operations: Dark Winter revealed the need for ensuring the continuity of essential services during a crisis. Australian exercises should similarly emphasise the importance of maintaining critical infrastructure operations and services during a cyber-attack, focusing on both the immediate response and long-term recovery.
6. International cooperation: Dark Winter demonstrated that bioterrorism is a global threat that requires international collaboration. Similarly, cyber threats know no borders, and Operation Southern Shield should stress the importance of international cooperation and information-sharing among countries to combat sophisticated cyber-attacks effectively.
As Australia prepares for the evolving cyber era and consequent threats, it is critical for government agencies, businesses, and citizens to recognise there is no silver bullet to cyber preparedness.
War-gaming exercises will make a significant difference in building resilience and preparedness against attacks, but will need to be part of a multi-pronged approach.
The more collaborative and proactive Australia is against cyber threats, the more resilient our businesses will be for the threats of today and tomorrow.
