WASHINGTON — Units from the Army’s XVIII Airborne Corps needed to deploy rapidly to respond to a threat. However, coordinated attacks on Fort Bragg, the Corps’ home station, and the surrounding region, created a slew of issues including: cyberattacks on Supervisory Control and Data Acquisition systems causing an E. Coli outbreak, a flurry of drones with explosive charges targeting commercial electric stations on post, and an accidental hit to a fiberoptic line causing command and control degradation.
This was the scenario the Army gamed out as part of its inaugural Defense Critical Infrastructure (DCI) Summit at Fort Bragg, where 14 external partners ranging from federal agencies to local leadership and utility companies gathered with the Army to workshop how to respond if these events unfolded simultaneously. The scenario — which was a tabletop exercise, meaning no physical assets were used — aimed to see how such events could effect a unit’s ability in time of crisis.
“My biggest priority, I’d say the secretary [of the Army] would share, is making sure that in a time of conflict or need our forces and our equipment can get to where they need to go as rapidly as possible without disruption,” Brandon Pugh, principal cyber advisor to the secretary of the Army, told reporters this morning.
Scenarios like the one played out in the exercise have long been a concern: adversaries have sought to invest in resources to stymie US forces’ ability to deploy, often referred to as getting from the fort, to the port, to the fight. One of the challenges to remedying this threat is critical infrastructure is owned and operated by private companies, not the government or military.
XVIII Airborne was chosen to participate in this first exercise because its units typically need to respond to global events with little to no notice, with one unit, its 82nd Airborne Division, being known as the 9-1-1 force. The goal is to eventually be able to make the lessons learned into a repeatable playbook.
“How can we take best practices and lessons learned to put this into a playbook that a local garrison commander, who likely is not a cyber or physical protection expert, can apply these lessons learned to their garrison and their camps, posts and stations? That would really be the challenge for us,” Pugh said, though didn’t offer a timeline on when they expect that to come to fruition.
“The DCI playbook is really one of the most important tasks for my office in moving out. … That really should be done in tandem and coordinating with our interagency partners, so we can identify opportunities and resources and capabilities they have, so garrisons can learn from them.”
Winning the cognitive domain — A methodology built for democratic constraints
The challenge for Western democratic institutions is not a lack of capability — it is a structural one.
The Army Cyber Institute at West Point “furiously” wrote down lessons learned from the event, Pugh said, adding that he himself took down 19 lessons learned to share with interagency partners. He did not, however, share any of those lessons today.
The scenario sought ask the participants to be prepared to address three things: what actions would they take based on their authorities and capabilities, what dependencies do they have on other organizations or agencies, and what barriers exists for proactive mitigation for a faster, more integrated response.
Participants only had three minutes to respond, a purposefully short amount of time designed to see how current relationships, authorities and structures would work.
While the cyber threats were pretty agnostic to a specific actor, planners had Ukraine’s Operation Spider’s Web — where Ukraine hid drones in boxes and shipped them behind enemy lines for a coordinated attack against Russia — in mind from a drone perspective.
“We went after four operational challenges using a threat similar to Operation Spider’s Web, which occurred in Russia when Ukraine, deep into the country, was able to use drones to deeply impact Russia’s operational abilities,” Army Secretary Daniel Driscoll said in a statement. “We went after the physical threats from drones, cyber impacts, force projection, dependencies and information sharing lag, and we work with these partners to start conversations that we think will have a deep impact on our nation’s security.”