UC prepares to host statewide cybersecurity exercise
OCRI leaders benefit from experience gained at DOD cyber defense exercise
University of Cincinnati
Experience gained at the largest Department of Defense (DOD) unclassified cyber defense exercise is helping the Ohio Cyber Range Institute (OCRI) at the University of Cincinnati develop the nation's premier civilian cybersecurity operation in Ohio.
More than 800 National Guard soldiers, airmen and civilian cyber professionals from around the world attended Cyber Shield 2023 last month in North Little Rock, Arkansas, including several people from UC.
Bekah Michael, associate professor-educator in UC's School of Information Technology and executive staff director of the OCRI, said the experience from the DOD exercise has been directly applied to building cybersecurity exercises in Cincinnati.
“It gives us a large-scale example of the best way to run cyber exercises. The DOD is far ahead in how they run exercises and how they assess the performance of an incident response team in an exercise,” said Michael, who volunteered at Cyber Shield the past two years. “By being immersed in the training team, seeing the whole thing all the way through execution and after where the assessment teams are building the reports, we’re able to see exactly how to implement that guide, why certain things are important and how to set everything up at this huge scale.”
This summer, UC will host teams from the Ohio Cyber Reserve for a validation exercise. It will be the second consecutive year for a statewide cybersecurity exercise in Cincinnati.
“An exercise like this where you have live people working against each other is at the top end of sophistication for a cyber exercise,” said Scott Petersen, executive director of UC Digital Futures-Cyber Development. “It’s how the military trains. It’s pretty unique to have that experience as a civilian.”
The exercise hosted by the OCRI will include three teams from the Ohio Cyber Reserve, a volunteer force under the command of the state’s adjutant general. The reservists hail from throughout Ohio and represent Cincinnati, Columbus and Cleveland units that can respond to cybersecurity incidents anywhere in the state.
“Oftentimes unless an incident occurs, that whole team is not working together,” Michael said. “This is a volunteer organization, and so they’re working in their day jobs as cyber analysts or intel analysts, and they only come together when something bad happens, and that’s not the time to get to know each other and learn how to perform well as a group.”
Last year's exercise in Cincinnati included one team from the Ohio Cyber Reserve. With three teams, the OCRI has to triple its staff for this year's exercise.
This year's exercise will also differ from last year's in that it will be a validation exercise rather than a training exercise.
“The validation stress will kind of be like an exercise if you had 14 teams,” said Albert Klein, Jr., an assistant professor-educator in the School of Public and International Affairs within UC's College of Arts and Sciences. “There’s a degree of focus and frustration or elation depending on the outcome.”
In a training exercise, the teams responding to an attack are able to consult with and receive guidance from the event organizers and the group performing the cyberattacks. In a validation exercise, they don't receive that extra guidance, because they have to demonstrate they can respond to a critical cybersecurity incident.
Based on their performance, teams can be recommended for validation to the adjutant general of Ohio.
“They are seeing this all within the virtual environment and made to believe, even though they know it’s a game, but made to believe that these truly are hackers and APTs (advanced persistent threats) that are attacking this network that they need to protect,” Michael said. “Once they’re validated, that means something for the State of Ohio. That means they are a validated incident responder in the Ohio Cyber Reserves, and when a city has an incident, then they will want to send out those validated cyber reservists because they know that they are prepared.”
The cyber exercises include blue teams, who are the reservists responding to the attacks. The red teams perform the cyberattacks, which could be from state-sponsored groups, insider threats, criminals seeking monetary gain, hacktivists who are seeking to make a political statement or people simply causing chaos for fun.
The white cell coordinates the exercise.
Michael served as lead for white cell communication at the DOD's Cyber Shield event. Christine Bourgholtzer, a cybersecurity and information technology student who is entering her final year of studies at UC, attended with her and also worked with the white cell.
“It was amazing,” Bourgholtzer said. “In every room and every situation, through everyone you talked to, there was something to learn. It was a great learning experience. It was overwhelming, but it was awesome.”
Klein worked with the blue teams at Cyber Shield as general counsel. While attackers work outside of what is legal, cyber reservists have to operate within the law.
“We have definite limitations imposed on us by the Department of Defense as well as some of the computer agencies, and the network owners themselves can impose some limitations,” Klein said.
Also helping Ohio prepare its cybersecurity defenses is a $4.2 million grant from the Cybersecurity and Infrastructure Security Agency (CISA), a large portion of which will go to the OCRI to improve the cybersecurity posture of Ohio.
With the additional funding, the OCRI will develop Ohio Persistent, which will provide cybersecurity training for county and municipal groups throughout the state.
With increasing reliance on digital tools, it's imperative that Ohio be ready to respond to and prevent cybersecurity incidents, Petersen said.
“This is a really unique and tremendous capability that the Cyber Range has developed for the State of Ohio,” he said.