Army Cyber Command taking key lessons on critical infrastructure defense at National Guard exercise

JOINT BASE CAPE COD, Mass. — An annual National Guard exercise known as Cyber Yankee helps demonstrate gaps in policy and partnerships — an initiative that’s proving useful for the Army’s active duty force, especially as it looks to combat threats to critical infrastructure.

“If we were to go back to 10 years when we started this, there were a lot of challenges working through what to do in this space. You have eliminated the gaps where law or policy or public private partnerships have stretched,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said May 15 during the distinguished visitors day at Cyber Yankee 24, which ran from May 6-17 at Joint Base Cape Cod.

Cyber Yankee, now in its 10^th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side by side with the private sector, utilities and other entities to protect critical infrastructure — which include operational technology and industrial control systems — in a simulated attack.

Barrett noted that the exercises year after year have incrementally worked to take down barriers, further partnerships, and illuminate ideas, gaps and areas to change policies.

“Among the things that keep me awake at night is the resilience of our critical infrastructure, and particularly operational technology and industrial control systems, both on military installations and in the homeland,” Barrett said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, which are becoming more rampant from attacks on pipelines and water systems.

“We have to be ready and our governors when the bad day happens, the first response local, and it’s going to be state and the governors are going to say, ‘What do I have? What resources do I have here in the state before the federal government gets here? What can we do now?’” Lt. Col. Tim Hunt of the Massachusetts National Guard and Cyber Yankee exercise director, told visitors. “One of those resources is the National Guard, so we have to be ready for this. That’s why Cyber Yankee [is important] and that’s why we’re here.”

The event simulated cyberattacks stemming from an unknown actor against critical infrastructure across all of the New England states, with the governors mobilizing the Guard to respond.

The goal is to build relationships with utility companies so that in the event of a real-world incident, there is trust among responders as the Guard will have to operate inside utility networks. These exercises lay the groundwork for the utilities to understand what the Guard can do and vice versa, helping illustrate that Guard members aren’t trying to go places within the network where they’re not supposed to be.

While the exercise had five fake utility companies, members of real utility companies served as role players of the CIOs at the fictional companies.

The exercise is of interest to the active duty component and Army Cyber Command given that it runs the largest portion of DOD’s network.

Army Cyber Command is also responsible for cyber operations within the Northern Command area of responsibility, which includes the U.S. homeland.

Of particular interest now is the Chinese actor Volt Typhoon, which was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly scared officials regarding Volt Typhoon is the paradigm shift of Chinese actors moving from espionage and intellectual property theft to holding critical infrastructure at risk.

“I would be remiss if I didn’t mention the biggest thing to hit the cybersecurity landscape since you all gathered for Cyber Yankee a year ago, and that is what we are seeing happening [with] Volt Typhoon,” Barrett said.

“What got everyone’s attention is the seeming paradigm shift from cyber exploitation and traditional military targets or industry targets for foreign intelligence or espionage … to a new set of targets — aviation, water, energy, transportation. In other words, our critical infrastructure,” she added, noting that this actor will just sit and lurk with the purpose of disrupting these services at the time and place of its choosing.

In fact, there was a simulated actor within the exercise to replicate, as close as possible, Volt Typhoon.

At its initial instantiation, U.S. Cyber Command and its subordinate units, such as Army Cyber Command, were focused on Internet Protocol-based networks. However, Army Cyber Command in particular in recent years has worked to get more into the operational technology and ICS space.

Events like Yankee Cyber “inform what we’re doing at Army Cyber … [and] the mission that consumes easily 80% of my time, resources and people is operating and defending the Army’s portion of the DOD Information Network. The Army’s network is 1.2 million people spread across 288 posts, camps and stations. It is the DOD’s biggest network if you count both on premises and cloud,” Barrett said. “We are converging these networks, not just to get efficiencies … but really to substantially improve our resilience against an advanced persistent threat like Volt Typhoon.”

Army Cyber Command also must set the theater for the combatant commands it supports, meaning it must enable them to transition swiftly from crisis to conflict should deterrence fail.

Army Cyber Command has additionally placed a greater emphasis on hunting methodology in order to identify living-off-the-land techniques. Barrett noted that recently, following Russian cyber events, it had two of its high-end defensively oriented cyber protection teams focused on industrial control systems.

More broadly, the command’s cyber protection brigade is working more closely others to defend hydroelectric power plants and supply depots, with specializing training to defend industrial control systems.

This work is building toward the recent decision that Army Cyber Command is the organization in charge of the Army’s operational technology. Officials are in the process of providing how it will do that to senior leadership.

“This will enable us to move from the episodic CPT engagements on critical infrastructure to something that is more enduring, [with] continuous monitoring that is absolutely necessary in order [stay ahead of] a persistent threat,” Barrett said.

She noted that when U.S. Cyber Command was first created, it was focused primarily on nation-state threats. However, digital threats are much more pervasive now with both nation-state and independent actors executing ransomware attacks.

State Partnership Program

This was the first year in which international partners participated in Cyber Yankee.

The State Partnership Program was started at the conclusion of the Cold War and pairs state National Guard units with other nations’ militaries.

Cyber Yankee 24 saw participation from the Bahamas, Cyprus, El Salvador, Israel, Japan, Kenya, Latvia, Montenegro, Paraguay and Uruguay.  

Additionally, outside of the New England states, members from the Michigan, New Jersey and Maryland Guard units participated. This was also the first year that members of the Space Force joined in the event.

“We think that’s really great because when we go on engagements in these countries and we’re talking about cyber, some of the things that they’re most interested in is the United States, what we call whole of government. And really with this it’s expanded to kind of whole nation because we’re doing public and private,” Hunt said during a media engagement May 8. “They’re really interested in that how we worked with the military, with the Department of Homeland Security, with our private industry, how we work together in this industry, or in this field of cyber. That’s something that our foreign partners are really interested in learning about. And … we’re really interested in learning about how do they do things in their country or what has been their experience — because learning from each other is really the key of the State Partnership Program.”

The program was lauded for the role it played in helping Ukrainians counter Russia’s invasion of their country, based on the support and training that troops had received. The benefit, officials have said, is that relationships and trust are built and maintained long before crisis or conflict occurs.

“It all starts with … Lt. Smith and a lieutenant from Kenya or whatever country meeting each other in person, breaking bread together, training together and just getting to know each other,” Hunt said. “In 10 years, when those two officers are now majors or lieutenant colonels, they know each other, they have a relationship and they have trust.”

He noted that cyber knows no bounds and what happens overseas will likely affect the continental U.S. and vice versa. Working together and learning from each other is mutually beneficial and makes each partner stronger.