Mar 29, 2024 - Technology

Major companies put U.S. cyber defenses to the test in simulated attack


Illustration: Sarah Grillo/Axios

Cyber defenders from major American infrastructure operators spent the last two days practicing for the day hackers try to take their networks completely offline.

Why it matters: The event was the first known cross-sector cybersecurity exercise to bring utility companies, the financial sector, telecommunications firms and the U.S. government all together.

  • Similar tabletop exercises have typically been limited to organizations in the same industry.

Zoom in: Employees from Mastercard, Lumen Technologies, AT&T, Southern Company and Southern California Edison met in Washington on Wednesday and Thursday to simulate a real-life cyberattack that took down their organizations' customer-facing operations.

  • Officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Cybersecurity, Energy Security, and Emergency Response also took part.
  • Private sector players split into two teams: one played the malicious hackers and the other played the network defenders. Government members acted as themselves.

Between the lines: Executives told Axios after the event that the tri-sector simulation built trust among employees at the companies, and that this trust will be essential during any possible future event.

  • "There's relationships that are going to be long-standing after this exercise," Jason Lish, CISO at Lumen Technologies, said.
  • Participants predicted that, following this week's event, they'll likely engage in more cross-sector information-sharing about the threats they're facing and how they warded them off.
  • For CISA, the simulation helped to reassure the agency that its work to build trust across critical infrastructure sectors is on "the right track," Eric Goldstein, the agency's executive assistant director for cybersecurity, added.

What they're saying: "You come up with your plans sitting behind the desk with a nice cup of coffee and over cordial discussions," Ron Green, fellow at Mastercard, said.

  • "But if you haven't practiced it and you go to test it in real life, you're going to find out where the kinks are and those kinks are going to hurt."

Catch up quick: This is the second time this set of private sector companies has hosted this simulation; last time, however, the organizations competed against each other to see who best responded to the same attack.

  • "We got a lot out of fighting each other," Green said. "But what we really wanted to get to [was] more realistic training. I think history has proven you will fight the way that you train."

The big picture: This week's exercise comes as the Biden administration has increasingly declassified information about the consequential hacking threats facing critical infrastructure.

  • Officials have started publicly warning about China's ongoing, persistent campaigns targeting American infrastructure.
  • Last year, Iranian hackers also broke into a series of municipal water systems just by using the default administrator password, "1111," on an internal tool.

Yes, but: The organizations participating in this week's tabletop exercise are already some of the best-resourced entities in the country.

  • Many utilities, especially municipal-run organizations, don't have the money or employees to respond in the same ways to a cyberattack.

What's next: The organizations now plan to host this event each year and plan to add more realistic elements to it.

  • Green said the goal is to make the event a national endeavor, involving the specific agency teams that would work on such an attack and other U.S. companies.

Editor's note: This story has been corrected to say the Office of Cybersecurity, Energy Security, and Emergency Response took part in the exercise (not the Commerce Department) and to note Ron Green's title at Mastercard is fellow, not CISO.
