Cyber Yankee Archives | DefenseScoop
https://defensescoop.com/tag/cyber-yankee/

National Guardsmen receive brief from Volt Typhoon utility victim at cyber exercise
https://defensescoop.com/2025/05/22/volt-typhoon-utility-victim-national-guard-cyber-yankee-exercise/
Thu, 22 May 2025 15:29:44 +0000

Cyber Yankee is a New England-focused exercise involving Guardsmen and utilities gaming cyber responses to critical infrastructure intrusions.

The post National Guardsmen receive brief from Volt Typhoon utility victim at cyber exercise appeared first on DefenseScoop.

For the first time at a New England-based cyber exercise, National Guardsmen recently received a threat briefing from a company that was compromised by a high-profile Chinese cyber actor.

Cyber Yankee, now in its 11th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side-by-side with the private sector, utilities and other entities to protect critical infrastructure — which includes operational technology and industrial control systems — in a simulated attack.

A small utility in Littleton, Massachusetts, nearly 40 miles from Boston and roughly 20 miles from New Hampshire, was notified in 2023 by the FBI that it had been compromised by the Chinese entity dubbed Volt Typhoon.

Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

Other high-profile threats include Salt Typhoon, which targeted and breached telecom companies.

Littleton Electric, Light, and Water Departments provided a briefing to the participants of Cyber Yankee this year during a “lunch and learn” event in what proved to be an eye-opening and educational experience for attendees.

“Volt Typhoon penetrated their network, had access to IT systems and potentially OT systems. That’s the type of thing that our exercise scenario is built around,” Lt. Col. Matthew Dupuis, exercise director for Cyber Yankee with the New Hampshire Army National Guard, said in an interview.

Officials said that after the briefing, noticeably more of the military members focused on the OT track of the exercise.

The briefing was new to Cyber Yankee this year, and it proved so useful that planners hope to have more companies with similar experiences do the same thing next year.

“It was great being able to hear that from real, live people,” Dupuis said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, which are becoming more rampant from attacks on pipelines and water systems. When threat actors — from hacktivists to ransomware deployers to nation-states — compromise private critical infrastructure companies, the Guard often acts as a surge force when called up by the governor to aid in the remediation of threats on private networks.

Exercises like Cyber Yankee allow trust to be built between the Guard and private companies, who ultimately own the networks and have to invite Guardsmen to come in and help.

The operational technology for a water treatment plant is different from that of an electric power generator, a grid operator or a natural gas pipeline, and thus it’s important for each sector and the government to come together through different tracks to rehearse and learn.

Cyber Yankee rotates every year, taking place in a different New England state. This year, it was held in New Hampshire May 5-16. By the end of the exercise, it saw almost 400 participants, which included 240 military, 20 government, 35 private industry — such as water, power and utilities — and 40 international partners from Albania, the Bahamas, El Salvador, Israel, Kenya, Paraguay and Uruguay.

While last year was the first iteration to introduce foreign partners, only a few actually played in the exercise, as most observed. This year, the majority were slated to be active participants alongside their U.S. counterparts.

The scenario that plays out is unattributable cyberattacks against critical infrastructure in the New England region. Guard cyber forces are activated by governors to support the critical infrastructure companies with incident response.

“Everyone knows who our pacing threat is. China is our pacing threat, if you look at our strategic guidance from the president. China is an active threat, as we’ve learned from Volt Typhoon. We’ve seen Volt Typhoon [in] the news and the other ‘typhoons’, [including] Salt Typhoon,” Col. Cameron Sprague, deputy director for Cyber Yankee with the Connecticut Army National Guard, said. “This year’s scenario is focused on that peer, near-peer nation-state threats against United States critical infrastructure specific to the New England region.”

The exercise uses real-world scenarios and open source tactics, techniques, procedures and exploits to simulate as realistic an environment as possible for participants. It uses open source products purposefully to keep the event unclassified.

“We base the scenario on real world from an open source standpoint, so we can keep it completely unclassified because of the foreign, coalition partners that are here, as well as the civilians from [critical] infrastructure. That way, it allows us to have a good interaction without having to be concerned with security clearances. There’s enough open source material that’s very realistic for the scenario that allows us to do that training,” Col. Barry Groton, Unified Coordination Group lead for Cyber Yankee with the New Hampshire Army National Guard and one of the exercise’s founders, said. “We could do this at the [top secret] level, but it wouldn’t be the same. A lot of these utility folks, they do have some that have clearances, but it would just be really difficult … what happens at a utility that’s not classified.”

The companies find the exercise useful because it’s something that they can’t just go out and buy, officials said. They receive top-notch training that they can’t get anywhere else by partnering with the Guard as well as other companies in their sector.

For the Guard, it also aids in their homeland defense mission as a critical resource to the federal government.

The “National Guard [is] looking at the potential homeland defense mission in support of defense critical infrastructure, which the working definition of that is, critical infrastructure that supports military installations and military ability to project power and to have habitual relationships — and specificity with those particular nuances of the different utilities because it’s not generic,” Groton said.

From an active-duty military perspective, there has been growing interest in recent years. While last year was the first year the Space Force observed Cyber Yankee with a small contingent, this year additional guardians came.

Their interest is the operational technology aspect, as the Space Force’s cyber element focuses a lot on those types of systems.

Army Cyber Command taking key lessons on critical infrastructure defense at National Guard exercise
https://defensescoop.com/2024/05/20/cyber-yankee-army-national-guard-lessons-critical-infrastructure-defense/
Mon, 20 May 2024 17:38:36 +0000

Cyber Yankee provides key lessons for defending critical infrastructure, especially against sophisticated actors such as Volt Typhoon.

JOINT BASE CAPE COD, Mass. — An annual National Guard exercise known as Cyber Yankee helps demonstrate gaps in policy and partnerships — an initiative that’s proving useful for the Army’s active duty force, especially as it looks to combat threats to critical infrastructure.

“If we were to go back to 10 years when we started this, there were a lot of challenges working through what to do in this space. You have eliminated the gaps where law or policy or public private partnerships have stretched,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said May 15 during the distinguished visitors day at Cyber Yankee 24, which ran from May 6-17 at Joint Base Cape Cod.

Cyber Yankee, now in its 10th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side by side with the private sector, utilities and other entities to protect critical infrastructure — which includes operational technology and industrial control systems — in a simulated attack.

Barrett noted that the exercises year after year have incrementally worked to take down barriers, further partnerships, and illuminate ideas, gaps and areas to change policies.

“Among the things that keep me awake at night is the resilience of our critical infrastructure, and particularly operational technology and industrial control systems, both on military installations and in the homeland,” Barrett said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, which are becoming more rampant from attacks on pipelines and water systems.

“We have to be ready and our governors when the bad day happens, the first response local, and it’s going to be state and the governors are going to say, ‘What do I have? What resources do I have here in the state before the federal government gets here? What can we do now?’” Lt. Col. Tim Hunt of the Massachusetts National Guard and Cyber Yankee exercise director, told visitors. “One of those resources is the National Guard, so we have to be ready for this. That’s why Cyber Yankee [is important] and that’s why we’re here.”

The event simulated cyberattacks stemming from an unknown actor against critical infrastructure across all of the New England states, with the governors mobilizing the Guard to respond.

The goal is to build relationships with utility companies so that in the event of a real-world incident, there is trust among responders as the Guard will have to operate inside utility networks. These exercises lay the groundwork for the utilities to understand what the Guard can do and vice versa, helping illustrate that Guard members aren’t trying to go places within the network where they’re not supposed to be.

While the exercise used five fictional utility companies, members of real utility companies served as role players for the CIOs of those fictional companies.

The exercise is of interest to the active duty component and Army Cyber Command given that it runs the largest portion of DOD’s network.

Army Cyber Command is also responsible for cyber operations within the Northern Command area of responsibility, which includes the U.S. homeland.

Of particular interest now is the Chinese actor Volt Typhoon, which was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly scared officials regarding Volt Typhoon is the paradigm shift of Chinese actors moving from espionage and intellectual property theft to holding critical infrastructure at risk.

“I would be remiss if I didn’t mention the biggest thing to hit the cybersecurity landscape since you all gathered for Cyber Yankee a year ago, and that is what we are seeing happening [with] Volt Typhoon,” Barrett said.

“What got everyone’s attention is the seeming paradigm shift from cyber exploitation and traditional military targets or industry targets for foreign intelligence or espionage … to a new set of targets — aviation, water, energy, transportation. In other words, our critical infrastructure,” she added, noting that this actor will just sit and lurk with the purpose of disrupting these services at the time and place of its choosing.

In fact, there was a simulated actor within the exercise to replicate, as close as possible, Volt Typhoon.

At its initial instantiation, U.S. Cyber Command and its subordinate units, such as Army Cyber Command, were focused on Internet Protocol-based networks. However, Army Cyber Command in particular in recent years has worked to get more into the operational technology and ICS space.

Events like Cyber Yankee “inform what we’re doing at Army Cyber … [and] the mission that consumes easily 80% of my time, resources and people is operating and defending the Army’s portion of the DOD Information Network. The Army’s network is 1.2 million people spread across 288 posts, camps and stations. It is the DOD’s biggest network if you count both on premises and cloud,” Barrett said. “We are converging these networks, not just to get efficiencies … but really to substantially improve our resilience against an advanced persistent threat like Volt Typhoon.”

Army Cyber Command also must set the theater for the combatant commands it supports, meaning it must enable them to transition swiftly from crisis to conflict should deterrence fail.

Army Cyber Command has additionally placed a greater emphasis on hunting methodology in order to identify living-off-the-land techniques. Barrett noted that recently, following Russian cyber events, it had two of its high-end defensively oriented cyber protection teams focused on industrial control systems.

More broadly, the command’s cyber protection brigade is working more closely with others to defend hydroelectric power plants and supply depots, with specialized training to defend industrial control systems.

This work is building toward the recent decision that Army Cyber Command is the organization in charge of the Army’s operational technology. Officials are in the process of presenting to senior leadership how the command will do that.

“This will enable us to move from the episodic CPT engagements on critical infrastructure to something that is more enduring, [with] continuous monitoring that is absolutely necessary in order [stay ahead of] a persistent threat,” Barrett said.

She noted that when U.S. Cyber Command was first created, it was focused primarily on nation-state threats. However, digital threats are much more pervasive now with both nation-state and independent actors executing ransomware attacks.

State Partnership Program

This was the first year in which international partners participated in Cyber Yankee.

The State Partnership Program was started at the conclusion of the Cold War and pairs state National Guard units with other nations’ militaries.

Cyber Yankee 24 saw participation from the Bahamas, Cyprus, El Salvador, Israel, Japan, Kenya, Latvia, Montenegro, Paraguay and Uruguay.

Additionally, outside of the New England states, members from the Michigan, New Jersey and Maryland Guard units participated. This was also the first year that members of the Space Force joined in the event.

“We think that’s really great because when we go on engagements in these countries and we’re talking about cyber, some of the things that they’re most interested in is the United States, what we call whole of government. And really with this it’s expanded to kind of whole nation because we’re doing public and private,” Hunt said during a media engagement May 8. “They’re really interested in that how we worked with the military, with the Department of Homeland Security, with our private industry, how we work together in this industry, or in this field of cyber. That’s something that our foreign partners are really interested in learning about. And … we’re really interested in learning about how do they do things in their country or what has been their experience — because learning from each other is really the key of the State Partnership Program.”

The program was lauded for the role it played in helping Ukrainians counter Russia’s invasion of their country, based on the support and training that troops had received. The benefit, officials have said, is that relationships and trust are built and maintained long before crisis or conflict occurs.

“It all starts with … Lt. Smith and a lieutenant from Kenya or whatever country meeting each other in person, breaking bread together, training together and just getting to know each other,” Hunt said. “In 10 years, when those two officers are now majors or lieutenant colonels, they know each other, they have a relationship and they have trust.”

He noted that cyber knows no bounds and what happens overseas will likely affect the continental U.S. and vice versa. Working together and learning from each other is mutually beneficial and makes each partner stronger.

Cyber Yankee exercise helps National Guard mature partnership with Cyber Command
https://defensescoop.com/2022/06/30/cyber-yankee-exercise-helps-national-guard-mature-partnership-with-cyber-command/
Thu, 30 Jun 2022 17:53:50 +0000

Guardsmen increased their use of the Cyber 9-Line tool with Cyber Command, which allows them to share threats back and forth.

A unique exercise held this summer demonstrated the evolution of the National Guard’s relationship with U.S. Cyber Command as the nation faces increased threats in cyberspace.

This year’s Cyber Yankee exercise, which took place June 5-18 in Connecticut, sought to mature the Guard’s partnership with Cybercom through a threat-sharing portal called Cyber 9-Line.

This tool allows participating Guard units from their respective states to quickly share incidents with the combatant command’s elite Cyber National Mission Force, which conducts operations aimed at disrupting specific nation-state actors. The force is able to provide analysis of discovered malware and offer feedback to the states to help redress the incident, while also potentially taking action against the threat outside U.S. borders. Cyber Command can also, in turn, share threat data discovered in their operations outside U.S. networks with these states as a warning against potential attacks.

Cyber Yankee is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side by side with the private sector, utilities and other federal agencies to protect critical infrastructure in a simulated attack.

Given that many defensive cyber teams in the Guard are spread across several states — and the fact that in the event of an incident, Guardsmen will have to work in private utility networks — the exercise acts as a dress rehearsal, enabling the organizations involved to build partner trust, sharpen their technical skills, and learn how to better run incident responses and operations.

“We had this year probably the strongest partnership we’ve ever had with Cyber Command in using the Cyber 9-Line tool,” Lt. Col. Cameron Sprague, executive director for Cyber Yankee and a Connecticut Guardsman, said in an interview. “I think last year, we might have done one or two Cyber 9-Lines. This year, I believe we did over 30 Cyber 9-Lines into Cyber Command.”

Those 9-Lines went directly to Cybercom’s joint operations center floor where they were actioned as part of the exercise.

Improving this relationship and exercising the use of the 9-Line had a two-pronged effect, Sprague said: First, it educated Guardsmen in the six New England states on the tool and how to employ it.

“There are people that go home and realize, ‘Hey, this thing exists and I used it in an exercise. If something happens in my state, I can then use it during that incident,’” Sprague said.

He found the 9-Line beneficial in an actual real-world situation when in 2020 the city of Hartford, Connecticut, was hit with a major cyberattack.

It was one of the first real-world instances of using the 9-Line, and Sprague said it was very successful, with Cybercom exploiting the intelligence the state provided and taking action on it.

“Our goal this year [at Cyber Yankee] was to push that experience out to the other states in New England and train all their people how to do that,” he said.

The second effect was Cyber Command continuing to mature the 9-Line and even beginning to develop policy guidance for it.

“They’re going to go out and develop more granular policy and what they’re looking for, which will benefit like everyone nationwide,” Sprague said.

Cyber Yankee “really advanced the 9-Line quite a bit,” he said. “It will be very critical if this ever happens in the real world.”

This year’s exercise also saw unique participation from active-duty cyber teams under a construct known as Defense Support to Civil Authorities. The U.S. military is barred from conducting operations on domestic soil unless explicitly asked to assist in disasters under this mechanism.

“If there was a large-scale cyber event, we want to do it with active components. That’s why we exercised it this year,” Sprague said of the active-duty participation from the Navy, Coast Guard and Air Force.

The goal is to work on these relationships before a crisis occurs.

Improved communication

One of the key successes at this year’s event, according to Sprague, was standardized communications and platforms to share information among the participants.

In the past, participants have been confused as to where information is posted, be it email, a Slack channel or elsewhere.

“We’re able to standardize a lot of that and print a playbook. That really, I think, lessened the confusion and enhanced training value of all the participants,” Sprague said. “This year we centralized on one communication platform, Hive-IQ. We also used that platform for assessments and it was this year much, much better than the previous patchwork of platforms we used in the past. We had a much, much smoother exercise. There weren’t as many hiccups.”

The playbook has been shared with other states so they can improve their cyber defenses.

“Any state that wants to do a regional exercise, we like to bootstrap them into doing it,” Sprague said. “We have people come visit us all the time. I think we have people from Illinois this year, with the intent of taking our material and running their own infrastructure, their own regional exercise with our infrastructure, our stuff … our playbook, things like our scenario.”

The simulated threat this year was also more advanced than in years past.

“The biggest difference from last year to this year is that we elevated our game because the threat has elevated,” Sprague said. “The very first day we kicked off the hands-on exercise, we had a real world FBI threat brief with all of our private sector partners in the room. That further drove home the point that this isn’t just a notional thing anymore. This is real world, this could really happen and you need to take it very seriously.”
