More than 650 cyber professionals from across the Defense Department, other federal agencies and partner nations worked together at the Joint Staff's facility in Suffolk, Virginia, as part of Cyber Flag 19-1, a weeklong cyber exercise designed to enhance readiness for cyberattacks and to build partnerships among those who would be called upon during a real-world event to keep malicious actors out of critical cyber infrastructure.
Twenty teams — including some that were multinational or multiagency — worked individually June 21-28 to thwart malicious attacks and intrusions on an Industrial Control Systems/Supervisory Control and Data Acquisition network built specifically for the exercise to simulate one that might be used by a U.S.-based port facility.
"Cyber Flag 19-1 focuses on tactical, on-keyboard defense against a live adversary," said Coast Guard Rear Adm. John Mauger, U.S. Cyber Command's director of exercises and training. "The exercise is set up to increase the readiness of the cyber mission force and deepen partnerships and increase the readiness of allies and interagency participants that are involved in the exercise."
All five members of the "Five Eyes" intelligence alliance — which includes the United States, the United Kingdom, Australia, New Zealand and Canada — participated in Cyber Flag. Interagency partners included the Department of Homeland Security, the FBI and the Department of Energy. Cyber professionals from the House of Representatives and the U.S. Postal Service also participated.
To ensure a greater understanding across participating agencies and nations, some of the teams were mixed. Army Cyber Command worked with the Texas National Guard, the Marine Corps worked with the United Kingdom, the Georgia National Guard was paired with Canada, and the Pennsylvania National Guard worked with the Georgia National Guard.
"We have more than half the entirety of the teams here with an outside person who doesn't belong intrinsically to their organization," said Capt. Shae Luhowy of the Canadian air force. "The teams jumped on it. We encouraged it, and we got an overwhelmingly positive response for this exact reason. The teams are very happy to be able to pick up some ideas and learn from the other teams they may be sharing with."
Mauger said this was the first time that the Persistent Cyber Training Environment was used to prepare participants for Cyber Flag. Cybercom and the Army are developing it to enable collective training. The PCTE allows cyber professionals "to recreate a bit of what we have done here, but recreate it on a frequent basis to get the sets and reps and do this at the training scale that we really need to further hone our warfighting capability," he explained.
Also for the first time this year, the exercise planner for Cyber Flag 19-1 is not an American. Luhowy has worked full-time with Cybercom since August, and he said he's been planning Cyber Flag since he came on board.
"This is the first time in one of these exercises we've intentionally merged two of the teams," he said. "We've had onesies, twosies, straphangers before. But this is the first time, where in this scenario we attached our Marine Corps cyber protection team element to the U.K. forces."
The two teams mesh in some places, and of course, they clash in others, he said. "When it comes to the guys down at the tactical edge, our host subject matter experts — who may focus on Linux, or Windows or databases — were able to easily spot the same skill sets on the other side and created a fusion cell to work towards that." Analyzing network traffic is the same, he said.
But the Brits and the Marines do some things differently that need to be ironed out — and Wild was there to smooth out the wrinkles. "The U.K. writes orders different than we do," he said. "They have different meanings for some of the tactical tasks than we do. And they also spell things a bit differently too. We found the best way to do that is get on a table together and put it on the big screen and go through it."
Army Capt. Jesse Nangauta, a battalion senior intelligence officer with Army Cyber Command’s 1st Information Operations Command, was the "red team" leader in charge of the 100 cyber professionals playing the adversarial role.
"We refined the plan based on the overall design of the range and what that network environment looks like, and really refined it in the last two months or month prior to the execution of the exercise," he said. "We really go in and test and rehearse."
The red team provided a contested environment for the exercise's cyber protection teams. "We are essentially trying to maneuver on the network, or conduct malicious activity on the network, like picking up the targets and moving them across the network and leaving indicators related to those targets," Nangauta said. "We also provide feedback to the cyber protection teams as to whether they properly identified us ... or appropriately conducted the defense measures to prevent us from continuing to maneuver with that malicious activity."
Most of the teams did surprisingly well at defeating his team's network aggression, Nangauta said, adding that based on what he saw at Cyber Flag 19-1, he's not concerned for the future.
"I would absolutely state I am very impressed with our abilities to adapt to meet the current threats that currently exist," he said. "We are doing all the right things when it comes to training."
To sufficiently challenge the teams in a way that prepares them for the pressures and the demands they'll face in the real world, Mauger said, Cybercom worked with the Pacific Northwest National Lab and the Sandia National Lab to build a complex ICS/SCADA network so that the teams could operate in a realistic environment against the red team adversary.
But the partnering was just as realistic, and that was the top priority during Cyber Flag 19-1, the admiral said.
"Our allies and partners are a key strategic warfighting advantage for the U.S.," he said. "When we go into combat, we do so with a whole host of support and capability and commitment from other nations. And that makes us unique, especially when contrasted against some of our key adversaries at this time."
"The depth of integration between our U.S. teams and our allied teams is something we just haven't seen before in this exercise environment," he continued. "I am confident that through the work that has been done in this exercise to integrate teams and have them work as one and fight together, that we will present an imposing force for our adversary in this space."