Testing the resilience of the government, energy and financial sectors

For the past seven years in Qatar, we’ve been preaching policies, procedures, technologies and incident responses. We’re trying to simplify things: simplifying frameworks, simplifying technology, focusing on the human element.
Even though we’re a regulatory body, we have not been too strict in enforcing all these instruments. The reason was a fear that if we push hard, there would be resistance. And when there is resistance from constituents, nothing moves. So we started with an approach that uses policies and legal instruments to help constituents in sectors such as energy, transportation, water and banking build capacity when it comes to compliance.
In 2012, things were moving more slowly than we liked, so we decided to come up with something new, something to encourage constituents to adopt, accept and progress rapidly. What we came up with was a game, a national game that took the form of a recurring cyber drill.
To test the effectiveness of safeguards applied to computer networks, we organized National Cyber Security Drill Star 1 in 2013. The objective was to assess incidents, support business continuity, control escalation and improve decision-making. We wanted to see whether our constituents were capable of addressing these issues in a timely manner.
To prepare, we did a comprehensive study of other games played by international partners such as Cyber Storm in the United States, the European Network and Information Security Agency (ENISA) in the European Union, and the Japan National Information Security Center. We studied these drills for over a year: the objectives, the content, the conclusions and the impact. We simplified all these exercises to fit Qatar. Then we drafted and presented a paper to gain international recognition of our efforts and had our paper accepted by ENISA at a conference in 2013. We came back home and promoted our national cyber drill, stressing how we had gained that international certification.
At this point, Qatar’s Cyber Security – Q-CERT Division at the ministry of ICT had two options. Q-CERT could write letters to chief executives and force them to participate. After all, the Cyber Security Division is the national regulator in the field of cyber. The other option was to use encouragement instead of enforcement, highlighting the benefits to the CEOs. We chose the voluntary approach, and I am happy to report that 20 organizations with 120 people agreed to participate.
When these officials from government, the energy industry and finance sat down for tabletop and technical exercises, we had to overcome initial fears that the drill would expose participants to ridicule from competitors in government and industry. It took many hours, full of questions and arguments, before we persuaded participants that the Star 1 drill would ultimately benefit them.
We scheduled this first national cyber drill for December 15, 2013, right before Qatar’s National Day. During our National Day you will see the Army, Navy and Air Force hold parades. We chose this date because we needed to display to the nation the existence of other forces, perhaps less visible, that were also hard at work protecting the nation’s assets.
We had a red team consisting of engineers devise attacks against machines we had given the organizations to protect. To relieve anxiety about capabilities, we created three levels of the drill in ascending order of difficulty: bronze, silver and gold. Some participants worried that if they sat in the same room with large banks and energy companies, they might be embarrassed if their equipment and skills were inferior.
The biggest goal of the exercise was to observe whether participants would talk to each other. So if I had Bank X sitting next to Bank Y, and they had similar issues with cyber security, our intention was for them to cooperate to solve problems during Star 1. It was a success in assembling participants and identifying strengths, yet a source of discontent in terms of exchanging information, collaborating and sharing mitigating practices across sectors.
We used these lessons in hosting National Cyber Security Drill Star 2 on the same date in 2014. Star 2 attracted even more attention: 32 agencies and companies comprising more than 320 participants. We changed the exercise a bit. We handed out virtual machines to members of each group to act as their network or server. Their job was to harden that virtual machine to try to protect it from the attacking red team.
The exercise took nearly 15 hours. Again, the objective was to see whether these experts would coordinate during national crises. To encourage that collaboration, we used scenarios that would affect each sector as a group: a telecom outage that would hit every government agency or an industrial control issue that would strike all energy companies at once.
We were sending out messages to these financial institutions, energy businesses and government departments announcing threats and asking them to act systematically and cooperatively.
We achieved our objectives. We simplified things for our partners, encouraged them to comply within a framework and motivated them to come up with solutions. They were asked to innovate, and that’s what they did. All of this was achieved with a simple game.
Based on this success, we would like to expand such drills to the region. The majority of countries experience similar challenges: Bahrain, Oman, UAE, Jordan, Egypt, Kuwait and Saudi Arabia. We need to do something similar together in cooperation with the U.S. government, which can help set common standards we can all adhere to.
This article was adapted from a presentation given by the author at the Central Region Communications Conference in Washington, D.C., in May 2015.