I’ll take it from the famous Mike Tyson quote – a punch to the face is painful.
So is getting slapped around, in a cyber security crisis, even if it was just imaginary. I was privileged to participate in the 2014 Cybersecurity Simulation sponsored by the Technology Association of Georgia. We gathered on February 25th at the Joint Forces Headquarters of the Georgia National, which also serves as cyber defense HQ for Georgia.
Each participant in the exercise was deemed to be an executive at a fictional company called “TLC” – The Logistics Company (an international company that might or might not have brown trucks and uniforms). In a two-hour period we had to repel seven attacks in a live simulation before an audience. Leadership of the exercise said that it’s one of the few “table top” exercises of its type in the US open for public observation.
Generals, Admirals and FBI Agents
I served as the Director of Facilities for the ill-fated TLC. In addition to the pressure of being attacked in public, and while on stage in a large auditorium, our every action was filmed. In order to keep everyone informed, the exercise had internal “reporters” who walked around with microphones interviewing executives of TLC for real-time status updates. In addition, there were 7 “Tweeters” in blue shirts who constantly updated a locked (private) Twitter account that was displayed in the venue on two huge screens next to the stage.
I was surrounded by high-ranking military officers, law enforcement officials of all types, and senior corporate executives who all had square jaws and serious faces. They weren’t there to kid around, and I felt out of place without a classified clearance. High and tight seemed to be the fashion of the day.
The morning, which was open to the media, consisted of a series of briefings on the latest thinking on cyber threats to corporate America and how to harden commercial enterprise.
During the same morning session, I presented a section on corporate real estate’s security concerns. I partnered with Gary Merrow, former head of real estate for Paramount Pictures and senior real estate official at The Home Depot. Among other things, we talked about the challenge of BYOD/CYOD (bring/choose your own device) issues for corporate America.
After lunch, the real fun began. The media was asked to leave, and the exercise commenced. We had 120 minutes for the drill and the planners (think Hunger Games) didn’t waste much time. A man who said he was in an East German uniform stepped to the “enemy podium” and informed the crowd that his team had just inserted a Trojan Horse program into a mission critical database and all our mobile units experienced a “large-scale” re-route. Oh, and the vehicles in question were part of a specialty transport group carrying human organs meant for emergency surgery. Uh oh.
We were also blackmailed with a ransom demand, the subject of a denial of service attack, the recipient of an active shooter at our main data center (fuel leaking and generators on fire), and several other derivations as well. The planners told us that a United States Senator halted a hearing in DC and gave a press conference because his granddaughter didn’t get her emergency kidney transplant. And we got sued by angry parents who gave their own press conference with many tears…talk about a bad day at the office.
I can’t tell you that we solved all the problems, but I do know that it was as real as it could be. My stress level was high and I could see furrowed brows from my colleagues on the stage. The exercise facilitators did a great job of making everything feel life (and death) like, including the bad guys who talked in foreign character accents. If I hear “death to America” one more time….
What Would John Grisham Write?
It felt like a spy thriller unfolding IRL – in real life. I took away a number of lessons/experiences, some of which I share here:
- The fog of war is real – even when we knew the attack was coming, and we were physically close, we often had a hard time communicating.
- Binary conversations are a luxury – new facts were coming in so quickly it was hard to process everything. We were solving one problem when two more came in.
- Getting everyone to focus was very hard because we were all trying to process large amounts of information. There were lots of conversations that started “did you hear….”?
- Leadership in crisis is amazingly important. Our CEO and my boss the COO were great listeners and not afraid to issue orders. I can report first hand that calm but decisive executives help everyone to calm down. Knowing that your boss has your back brings your stress level down a huge amount.
- Cost in a crisis is 8th or 10th on the list. The accountants want to rein you in, but we all felt compelled to serve our customers at virtually any cost. We even reached out to our competitor to get help with lifesaving deliveries.
- Don’t forget the lawyers. The decisions you make in a crisis may be noble from an execution point of view, but the lawyers just look at things differently. This was a good thing in our scenario; it kept us out of even more trouble from a legal perspective.
- Lines of authority must be clear. Some will try to “freelance” in a crisis and waver from their assigned areas of responsibility. This will help no one and endanger the company and even lives.
Perhaps most of all, I recognize the value of a scenario like this in corporate America. We are all busy, and I know your email box is overflowing. However, if you will take time on a regular basis to “table top” crisis scenarios, you will have a much steadier hand when the real thing occurs. Like the promotional material for the exercise said: “jet jockeys have simulators, why shouldn’t…. executives?”
I’m thankful for the opportunity I had to participate in this exercise.
Now it’s your turn.