Navy Lt. Cmdr. Gabe Edwards, exercise director for Cyber Flag 21-2, works with William Groover, a red team operator with Cyber Command, during the Cyber Flag on June 22.

WASHINGTON: CYBERCOM’s premier defensive tactical exercise, now underway, showcases one of the command’s new training capabilities, known as the Persistent Cyber Training Environment (PCTE).

This year’s exercise, dubbed Cyber Flag 21-2, takes place on a virtual network for a fictitious allied logistics depot. The exercise isn’t modeled on specific real-world cyber actors or past incidents, but does simulate “threats common in the Indo-PACCOM” geography, noted Lt. Cmdr. Gabe Edwards, Cyber Flag 21-2 exercise lead.

One fictitious cyber actor in this year’s event is motivated by cyberespionage, while the other is focused on “denial and destruction,” Coast Guard Rear Adm. Christopher Bartz, chief of exercises and training at CYBERCOM, said in a briefing for reporters. Edwards added that the exercise does include some familiar scenarios, including the possibility of a ransomware payload.

There’s also an emphasis on how cyber incidents can affect a wide range of operations. “Specific to this year’s iteration, we focused on the way the cyber domain crosses into other domains,” Bartz said. “We wanted to see all levels. Cross-domain effects were the actual meat of this year’s exercise.”

Cyber Flag 21-2, also known as Big Flag, is an example of what is commonly called cybersecurity blue teaming. It tests cyber pros’ ability to respond to simulated cyberattacks in a virtual environment. This year’s event is occurring in virtual cyber ranges that are five times larger than in previous years and is unfolding across three countries spanning eight time zones.

PCTE, first used last year during the global pandemic in a full-force exercise, allows DoD to conduct joint cyberspace training, exercises, mission rehearsals, experiments, and certifications. It also allows the US and its allies to assess missions that cross boundaries and networks.

PCTE came about because “we needed something bigger and better than we had,” Bartz explained.

“We can design any scenario we want to create,” Col. Ally Smith, CYBERCOM division chief of exercise design and planning, told reporters. “That puts us out in front of what our adversaries may want to do.”

This year’s exercise features 430 pros in 17 cyber protection teams (CPTs) from CYBERCOM’s component commands (Air Force, Army, Marines, Navy), across the Defense Department, National Guard, US House of Representatives, US Postal Service, and other federal agencies. Allies Canada and the United Kingdom are taking part as well. PCTE allows allies (in this case, three CPTs each from Canada and the UK) to participate without leaving home, Bartz noted.

The participants are cyber operators responsible for the day-to-day defense of assets against real-world cyberattacks. The CPTs work independently of each other during the exercise, although they operate simultaneously on similar virtual networks facing similar cyber scenarios.

Smith said that PCTE acts as a type of “proving ground” to evaluate different scenarios and how well teams respond. The exercise’s goal is to identify what makes CPTs effective and apply those lessons learned to improve real-world cyber defenses. There’s a particular focus on readiness and interoperability among teams.

Cyber Flag 21-2 is a type of “choose-your-own-adventure,” Edwards said.

CPTs must navigate the virtual cyber ranges to detect, identify, isolate, and counter the fictitious adversaries. As the exercise unfolds, new information comes to light, and teams must evaluate it and make decisions. Teams are challenged to employ a range of advanced defensive measures.

Edwards noted that PCTE includes the ability to create virtual industrial control system networks, the kind of networks through which attackers can gain access to and control over technologies that let them carry out potentially destructive attacks against critical infrastructure.

Smith noted CYBERCOM has some “creative minds willing to push the envelope” in designing these exercises. Edwards noted, “You name [a scenario], and we’re going to try to model it.”

Ultimately, these exercises are designed to keep US and allied cyber talent sharp and best practices updated. “We’re continuously evaluating the proficiency of our force [and] new adversary [tactics, techniques, and procedures],” Bartz said. “We are evolving training at the speed adversaries are evolving TTPs. We must remain one step ahead. CYBERCOM is going to do whatever we can to defend the nation.”