Tom Patterson

COMMENTARY

Inside the Pentagon's cyber war games

Tom Patterson, a participant in the Pacifica games, describes what DOD can learn

Under a constant canopy of low-flying nuclear-capable B-52s, the brand new Cyber-Innovation Center in the shadow of Barksdale Air Force Base in Bossier City, La., provided the perfect setting for the Pentagon's latest cyber challenge — a public- and private-sector exchange focused on leveraging “the art of the possible” in a cyber war game setting. Unlike the war-games or exercises prepared for by Barksdale's nuclear strike force — the Global Strike Command — these cyber war games, held in September, help prepare America for a different type of battle altogether.

Not just Xbox anymore

Just to be clear, these war games are about the real effects of a cyberwar, not bloody Call of Duty avatars or losing your Second Life. This is about clever bad guys using bits and bytes to confuse, dissuade or shut down people and systems, on the battlefield and across America.

This is also about making planes fall from the sky, ships sink or drift at sea, and cutting off forward deployed troops from their lifelines. This is about causing chaos in our streets at home due to sudden crashes in our critical infrastructure through manipulation of our banking, transportation, utilities, communications, and other critical infrastructure industries.

These are all real scenarios being considered by the United States, our allies and our adversaries alike. These cyber war games are in place to ensure that we consider everything, gain awareness of what capabilities exist and prepare for them in the event they are ever used against us.


A different kind of game

War-games usually start with a story-board, where two teams — Red for bad guys, Blue for good guys — are presented a fictional scenario and face off in a simulated conflict over some time-period (today or 10-plus years from now), where Red thinks up ways to attack and Blue thinks up ways to counter those attacks and defend U.S. (and global) interests.




In the cyber realm, Red's been kicking Blue's butt, so Blue did something radical. They hired Riley Repko away from private industry to develop non-traditional ways to engage the private-sector — the “true owners” of the intellectual capital within the cyber domain.

Because these defense-centric war games have historically been classified exercises, the participants were always limited to those with security clearances. Although that has always worked well in the kinetic world of air, sea, and ground power, it fails when it comes to cyber power. Much of what is possible in the cyber world is being thought up by people who never would want, or never could get, a Defense Department security clearance. That's where Riley's cyber war-games come into play.

Repko is a veteran of both the military (having retired from the U.S. Air Force Reserves in 2006 after 27 years of service) and private industry (working 25 years in management positions, including over a decade for Larry Ellison at Oracle). He has come back to the government and is now serving within Air Force Operations and Requirements, leading their engagement efforts, specifically with the private sector.

Because of his transformational thinking, he is currently detailed to the Office of the Secretary of Defense. He knew that if we wanted to tap into American ingenuity and creativity, he would have to change the rules of the game. And that he did. This starts with, as he puts it, “awareness to what's out there” (capabilities found in the private sector) and their capacity — specifically, does this solution exist, is it fielded or is it merely an idea still on a napkin?


Setting up the board

The key to Riley's plan is the ability to utilize a trusted third-party to perform the “sanitization and anonymization” functions that shield any over-exposure to vulnerabilities while at the same time protecting the sensitive corporate intellectual property from being misappropriated.

This further allows for the widest population of experts (globally) to participate, no longer worrying about clearances or IP issues, and for focus to be given directly to the real war problems at hand.

In essence, this extends the operational reach of the military through a nexus of collaboration between large and small businesses, the R&D and university communities, venture capital, the inter-agencies and even the 'wizards' — those hackers and patriots who must be part of the mix. That made this cyber war game unlike its kinetic forefathers — fully collaborative, quite interesting and demonstrating a new model for going forward.

In this game, the Air Force took the time to create an actionable scenario that did not divulge any sensitive or classified material, yet still challenged participants to bring to bear the most creative of technological solutions.


Inside the Pacifica Games

After the Air Force set the stage by briefing us on the hostile events transpiring on the fictional island of Pacifica, we went to work. We were briefed in a real world environment, with bits and pieces of information coming in real time. As happens in war, the events escalated over time, with the Red team throwing wave after wave of attacks that were a blend of kinetic and cyber challenges.

We had several Air Force officers with our group, to help define the typical military response and requirements in these situations. And then it was up to us. We leveraged what is being thought of, developed and deployed in the private sector, including IPv6 communications (for ad hoc networks and covert communications), a variety of transportable identification and authentication systems, including magnetic fingerprints (which are used successfully in the payments world but never before in war), game theory, games development, advertising, social networks, search engines, and much more.

As a member of the Blue team, I was joined by technical experts from the intelligence community, former inter-agency federal leaders, academia and the communications, information security, financial, technology and other commercial sectors. The representatives from each of these organizations were not the typical business development types (for the most part), but rather that one person that most companies keep locked in their vault, as they know more about their subject than anyone else.

We knew this would be different from a typical business meeting when they had us all remove the batteries from our BlackBerrys and mobile phones, and completely power down our iPhones — explaining how adversaries can load malware onto mobile devices that allows remote activation of our microphones. They didn't want us tipping our Blue hand before we even got out of the gate.

We had a Blue team member design on the board a new way to communicate, using adaptive lasers, despite the formidable enemy communications deterrence over Pacifica. This was something his company never deployed, because he knew of no commercial need, yet it seemed to provide a workable countermeasure to the Pacifica “enemy.” We also developed a low-tech idea, repurposing soccer balls, that holds promise as well. In these games, everything was on the table.

Over the two days of the game, the Blue team offered over a dozen possible countermeasures to the Red team’s aggression, and followed our guidance to “find ways around the problem, if you can't stop it directly.” Lots of mash-ups were created that I've never seen before, which could well be steps toward defending our nation.


Stopping a real cyber-war

While I can't say that the Blue team “won” the game, I do know that this is the way to develop our defenses going forward. Cyber war is so radically different than kinetic war, and the participants got very realistic demonstrations about how the mash-up of both is changing everything. This approach to the problem will be a critical success factor of the future. Yet we still need to do better.

These Pacifica games demonstrated both the need and ability of this approach, but DOD needs to make this a long-term trusted component of their planning, and that requires three next steps:

Step 1. Use the fruits of the Pacifica war-game by linking and sharing the most promising of ideas to their most appropriate government partner, and get them going as projects. By tapping into the private-sector, you will be amazed as to what the 'art of the possible' is near-term.

Step 2. Build out the collaboration framework elements identified and developed by Mr. Repko. The “sanitizer and anonymizer” mechanism managed through a trusted but neutral administrator could enable the Defense Industrial Base and the 17 other Information Sharing and Analysis Centers, small technology businesses, and research and academic organizations to safely register and collaborate on their potential technologies, gaps and seams with DOD and the inter-agencies, and assist them with defining their cyber-warfare requirements.

Step 3. Widen the circle of participants for future games to include more commercial experts from smaller and more unique companies, design in the use of tele-presence to lower the burden on small business to participate, and spread the word through all business sectors that DOD (and federal agencies) are now 'open' for business.

I was proud to both advise and participate in the Pacifica cyber war game workshop. Along with many of my commercial colleagues, I look forward to the Pentagon taking the next steps with the support of the science and technology communities of Congress, DHS, and especially the private-sector. We can and must leverage the best innovation our country has to offer in the defense of our freedoms.

Reader Comments

Mon, Nov 22, 2010 Christine Robinson Arlington

Please note that the article Riley Repko and I wrote together about international collaboration for the cyber domain is linked on the Security Innovation Network website on http://www.security-innovation.org. This article will also be included in two separate books, one of which will be written by a United Nations NGO. My co-author of another upcoming article about security in a different light is a United Nations official.

Wed, Oct 13, 2010 HJ Beckstrom Idaho

Hard to read… name dropping is always distasteful but in this situation it may even be destructive. The article is very interesting. You might consider doing a little better to protect America's defense than to include an aggregate of sensitive information as displayed in your introduction. The name and location of the "new" cyber command didn't need to be disclosed. Neither did the co-located air asset need to be disclosed, including name, owner, location, capabilities, etc. Disclosing results of a military operation, whether or not it is classified, to an open media source reflects poorly on the subject of the interview, the reporter, the magazine, and basically the American people. Let's keep in mind that we don't have to be a member of the Department of Defense to do our part in protecting America. Respectfully submitted,

Wed, Oct 13, 2010 Earth

Sad isn’t it. The internet and global transportation have made neighbors of us all and yet the West clings to 19th century racial nationalistic psychopathy. Where living system theory would have humanity, and by this I mean all beings of matter (human> humus> earth, water, wind, fire, four exemplars of the phases of matter) living in an ecosystem of life (a global living system) the US supports the ethnic cleansing of the holy land and creates enemies for itself from among those that would stand up for not doing to others what the US would not accept having done to itself (compare the portrayal of the smart bombs put down shafts of buildings in Iraq in the first Gulf war to 911 from a balanced objective viewpoint if you are capable of it (pretend you are an alien observing Homo sapiens) ) Aliens might conclude the only way to save Homo sapiens from itself would be to subvert the economies of those partitions that have developed nuclear weapons till they are incapable of maintaining their present arsenal. To quote Albert Einstein “I do not know with what weapons WWIII will be fought, but WWIV will be fought with stones”. He assumed life would be able to survive the nuclear fallout and such. That may not be true anymore.

Wed, Oct 13, 2010

The true enemy never reveals his hand in game playing. You pick and poke at specific points to understand if they are vulnerable or not. Then sit back and observe who is involved and evaluate what happens. Knowing who is involved is as revealing as their expertise is known. As many an expert has stated to a young protégé - "I didn't teach you all of my tricks, kid". It is great that we're trying new ideas and getting private sector experts involved. But don't expect the true players to be on the team before a real situation is before us. Know who they are and be prepared to listen when they speak.

Tue, Oct 12, 2010 GC

Hmmm. Immediately prior to and during the 2001 9-11 attacks on NYC and DC, the Air Force was running a USA country-wide LIVE interception 'war game'. How could it have FAILED so UTTERLY...?
