The 2019 Rugby World Championship and the 2020 Olympics and Paralympics in Japan are global events that are likely to attract attention from hostile cyber actors aiming for publicity, strategic advantage, and criminal profit. To address these risks, last October Sasakawa USA sponsored a tabletop exercise (TTX) titled “Operation Rugby Daemon” as part of the C3 Cyber Conference held at Keio University’s Tokyo campus. This exercise, which organized representatives from Japan’s Ministry of Industry, Trade, and Economy, Hitachi, NTT, and others into four World Rugby Cup Cyber Task Forces, led to important understandings about Japan’s cyber preparedness that should inform the country’s preparations for both the Rugby World Championship and the 2020 Olympics.
During the TTX, four teams dealt with notional cyber threats directed against the 2019 Rugby World Cup to be hosted by Japan. Each team played independently and was responsible for identifying cyber threats to the games, assessing their impact, and directing mitigation efforts. At the behest of Admiral (ret.) Dennis C. Blair, I helped lead this event. We gave each team two sets of injects, about 90 minutes apart, that provided both relevant and irrelevant information, challenging them to quickly assimilate and triage the information for action.
There were several notable results from the exercise. First, it’s clear from the number of Japanese officials participating that Japan takes the cyber threat seriously. This is important, because large-scale cyber attacks are complex and involve the use and abuse of assets that fall within the jurisdiction of multiple governmental agencies. Effective mitigation requires that all the impacted agencies have a place at the table.
Second, both the Japanese government and private sector have technically and operationally skilled personnel who participated in the TTX and were able to both separate actual threats from distractions, and direct appropriate mitigating actions. While the results varied among the four teams, the best was very good.
Third, it was clear to all involved that responding to a large scale cyber attack is a complex endeavor that requires an integrated team of responders who have practiced together and are familiar with each other’s roles and responsibilities.
The TTX reinforced in my mind a number of tactical points that also came up frequently during my years at NSA responding to real world attacks. First, in a real-world situation, time is the most critical factor – there is never enough of it. The best way to utilize the time you have is to be efficient. This means, above everything else, working effectively and harmoniously as a team. The only way to achieve that is for the team members to practice together. In the midst of a real cyber attack, you cannot waste time figuring out who your counterparts are or how to interoperate across government ministries, private sector, and international partners. To be effective, the team must already contain representatives from all the right organizations (or be able to reach out to a known point of contact quickly). And the team members must have practiced working together. The most effective team is one that has already done all this when the attack comes. They move past organizing and are able to dig into the problem and implement responses far more quickly.
During a real-world event, I also have frequently seen the need to make significant decisions based on partial information or take actions that require difficult legal or policy interpretations. Confronting your response team with scenarios that bring these challenges to the fore is valuable. With respect to partial information, I will never forget when my boss received a call informing him that a foreign government had broken into one of his most sensitive networks. The report was fragmented and contained some assumptions that could be confirmed by going out and collecting additional logs and other data. Instead of waiting to confirm his team’s suspicions, my boss shut the network down, knocking everybody off the network. For thousands of DoD personnel, the impact on productivity of this decision was severe, but my boss made the right decision — without waiting to confirm the partial information at hand. We found intruders in the network, kicked them out, and quarantined a relatively small area of operations. The rest of the network was up and running again in a matter of days, and a national security level disaster was averted. It is critical that a response team understand that waiting to collect complete information on an event can mean losing the chance to take preventative action such as this, exposing the network to far greater harm.
I have also seen leaders fail to act because the most obvious response to an ongoing attack raises serious legal or policy questions. During our TTX, two of the teams kept falling behind. It is not coincidental that the same two teams spent a large portion of their response time debating policy issues arising from the various response options that they faced. These issues are important, but a response team must focus on operational solutions, not debate. Ideally, some policy and legal issues can be predicted and decided ahead of time to facilitate quick implementation of a solution. For example, in Japan, are malicious packets sent by non-human bots as part of a DDoS attack really a protected communication that cannot be intercepted or blocked by government actors? If such questions cannot be answered, it is essential that the response team establish a point of contact within the agency capable of definitely answering the question when an attack comes. An operational task force should be focused on tactical outcomes and not get tied down in policy debates; therefore, the task force itself should not be deciding these matters. It eats up the team’s most precious resource, time, and the same issues end up being redundantly deliberated by the agency receiving the task force’s operational recommendations.
As the 2019 Rugby World Championship and the 2020 Olympics and Paralympics approach, it is essential that Japan build a response mechanism that involves the relevant private and public sector players and continue its laudable efforts to prepare for the games through an ongoing program of simulations and group exercises.
Richard H. Ledgett worked in the National Security Agency for 30 years, retiring in 2017 after serving as Deputy Director.