Case study: cyber-informational exercising with the UK Armed Forces

Outline:

  • This case study is based on an engagement conducted by a member of the Tyburn team with a branch of the UK Armed Forces.

  • The focus of this exercise programme was on cyber security threats to the service’s ability to sustain operations.

  • A key requirement was ensuring the credibility of the exercise for a discerning audience.

  • Exercises employed multimedia injects and AI-generated content to drive immersion and to demonstrate capability.

  • Exercises helped to raise senior-level awareness of the threat posed by blended cyber-informational campaigns.

Introduction

This case study examines a programme of exercises conducted by a Tyburn St Raphael associate for a branch of the UK Armed Forces. The details of the exercise are largely obscured given its level of classification. Nonetheless, this case study illustrates two important lessons about exercise design and delivery.

Ensuring exercise credibility to a senior technical audience

An unusual characteristic of this programme of exercises was that the senior-level participants were also technical specialists, which underlined the importance of technical fidelity in scenario design. Participants in the exercises were senior leaders within the service, but they were also deep experts in the platforms and systems at the centre of the exercise. Any technical inaccuracies in the presentation of the exercise would therefore rapidly undermine participant immersion and call into question the credibility and realism of the exercise.

Ensuring technical fidelity is particularly challenging in cyber security exercises, which by their nature focus on instances where digital systems are acting in unexpected ways. Many cyber attacks rely on well-understood and documented means of exploiting systems. However, other attacks will exploit previously unknown vulnerabilities or behaviours at the logical and physical levels of digital systems.

The potential for unexpected edge cases to emerge in the interaction of information technology (IT) and operational technology (OT) systems is exacerbated in a military context, where the services are operating complex technological platforms in atypical environments. Grounding the offensive cyber capabilities represented in the scenario in current research and threat intelligence was therefore crucial. In a separate paper, we provide guidance on scenario development.

Innovative delivery techniques to drive immersion

Senior officers have very many demands on their time. In addition to the requirement for credibility, there was also a strong emphasis on creating an immersive experience that demonstrated capability from the very beginning.

In this case, the facilitator found that the use of multimedia scenario materials was an effective means of increasing the immersion of the senior-level exercise participants. This included pixel-perfect recreations of the real information systems and productivity tools that participants would encounter in the course of their duties.

Generative AI tools were also used to create materials such as television broadcasts, radio interviews, and synthesised imagery to build out the world of the scenario. All the information conveyed in these materials could more easily have been delivered through dry textual briefings. However, using more innovative techniques served to generate interest and immersion.

Moreover, the incorporation of these materials provided a demonstration of capability. The realisation that the materials delivered were created at no or low cost using widely available tools was one of the key learning points for exercise participants. In this way, the mode of delivery of the exercise itself provided a valuable learning experience. Considering the format and psychology of exercising is key to ensuring successful exercises.

Driving awareness of hybrid risks

The inclusion of simulated media broadcasts in the exercise points to the second key lesson from this case study. Including aspects of the information environment in the exercise allowed participants to explore the broader implications of operations in the cyber domain across the full spectrum of conflict and competition.

The exercise programme was focused on cyber security threats to the service’s ability to sustain operations. For example, the scenario for one exercise in the programme explored the impact of a cyber security incident leading to the loss of availability of a key platform during an operational deployment. Another exercise explored the impact of the loss of availability of a key piece of operational technology necessary for the maintenance of some of the service’s platforms.

This focus aligned with the sponsor’s objective of exploring the disruptive potential of adversary cyber operations targeting platforms and systems. However, in the design of the exercise, the facilitator explored the range of indirect effects that could exacerbate the disruption caused directly by the cyber attack on the platform.

As noted above, one exercise focused on the loss of availability of a key platform during an operational deployment. As the participants discussed and implemented plans for responding to this incident, news of the loss of availability of the platform broke on social media (in the world of the exercise). The scenario painted a credible picture of information that could be derived from open-source monitoring and media scrutiny. Yet at the same time, participants were forced to consider the possibility that this was a deliberate leak, as part of an adversary information operation intended to amplify the disruptive impact of the cyber operation.

Such indirect effects were not explicit in the sponsor’s objectives for the exercise, which focused on cyber operations and security. However, a focus on the ends rather than the means used to achieve them, in the context of a holistic appreciation of the security environment, led to the delivery of an exercise that addressed the sponsor’s requirements while also highlighting additional threat vectors.

Learning points:

  • Executive-level exercises often abstract technical details, but must retain technical fidelity nonetheless.

  • The depiction of cyber threats in the exercise should reflect current intelligence and security research.

  • Online tools and generative AI can produce convincing multimedia to drive immersion in the exercise.

  • Using these tools can also provide a demonstration of capability for the participants.

  • The impact of cyber operations can be amplified via information operations.

  • Part of the art of exercise design is recognising the underlying concerns driving the sponsor’s stated objectives and responding accordingly.
