Cyber-Exercises are an important part of national and international cyber-crisis-management within several communities. In this talk we present our 3J4E concept, which adresses the following three challenges of (international) cyber exercises. Encouraging international / inter-community information sharing within cyber-exercises keeping in mind the expectations of players(JIGSAW) Optimizing utilisation of limited exercise-time (JUMPSTART) Adressing top crisis management level within an international exercise (JUNCTURE)
The 3J4E concept is modulary, which means that the three parts can be used independently. It consists of three modules presented below.
One often-seen showstopper for information sharing in international operational cyber-exercises is the fact, that all participating teams get the same set of information from the scenario. As all players hold the same information there is no need or desire for information sharing. Another problem regarding to inforamtion sharing are the different levels of involvement and expectations among the playing teams. Players with a low involvement often don't share information actively so that the whole exercise due to the lack of participation of single playing teams. Our JIGSAW module tries to solve these two challenges of information sharing by separating the scenario into several so called JIGSAW-pieces and providing them to the players regarding to their level of participation and expectation. Besides scenario elements also the players need to be clustered regarding to their level of involvement. The idea behind JIGSAW is that each player just holds a little piece of information and just by sharing with others the whole situational picture becomes visible. Sharing should take place regarding the level of involvement and expectation. To split up the Scenario in pieces and clustering the players regarding their expectation we present a concept that we call the Multilevel Clustered Exercise Framework.
A well known problem of cyber exercises is the limited time frame for the exercise play. This problem even increases if strategic top level decision makers participate. A crisis timeline follows the five phases Pre-Crisis, Detection, Reporting / Alerting, Response and Wrap-Up, while the exercise timeline consits of three phases, Pre-Ex, Ex-Play and Post-Ex. In a classic exercise setup often the two timelines are aligned that way, that the Ex-Play phase covers the Detection and the Reporting / Alerting Phase of the crisis timeline. The Response phase often is just touched slightly or even not played at due to the limited playing-time. For a JUMPSTART into the exercise it is neccessary to align both timelines that way that the begin of the Ex-Play (StartEx) is aligned with the end of the Reporting/Alerting Phase. This means that the players directly start within the Response phase and can initiate the crisis management procedures right away. To reach this aim, the JUMPSTART concept shows ways how to create exercise material to cover the first three phases of crisis mangement before StartEx. This requires a more detailed preparation among planners and players but leads to a strong involvement of the stakeholders in the exercise right at StartEx. To illustrate the benefits of the JUMPSTART concept we use the well known OODA loop (Observe, Orient, Decide, Act) and activity diagrams showing national and international crisis management play.
The aim of the JUNCTURE module is to design scenario elements which reach the strategic top level of crisis manangement within an operational exercise. Besides the strategic top level decision makers this also includes staff dealing with strategic decision preparation. To reach this aim, we developed two ways of creating scenario elements, that reach the intended strategic management level: „By Aggregation“ and „By Singularity“. While the „By Aggregation“ approach deals with a large number of incidents that lead to a crisis, the „By Singularity“ approach focuses on one single high impacting incident which triggers top-level management decisions. To design scenarios which fit to one of these two approaches, we recommend a technique, which we call Consequence-Backtracking. In this method consquences of top management decisions in real crisis situations (cyber and non-cyber) are analysed to understand which level of impact is neccessary to trigger decisions on the particular mangement level. Based on this backtracking in the following step cyber scenario events are developed, which imply the same consequences as the examined real crisis.
The overall quality of cyber exercises both in governemental and business context is improved. Satisfaction of top management players will be improvend.
Significance for the audience
The audience is able to understand the three concepts and see the advantages for future cyber exercise. Due to the given implementation examples the audience is able to generate ideas for own implementations.