U.S. armed forces routinely conduct live-fire exercises to prepare soldiers for actual combat — so why shouldn’t cyber-security professionals defending government and corporate computer systems train the same way?
A growing number of so-called cyber ranges across the country are providing facilities to do just that. The simulators allow participants to experience a real-world cyber attack in a controlled environment, an exercise that helps tech workers spot holes in their firewalls, identify warning signs and strengthen data-security practices.
Their popularity illustrates the extent to which Corporate America is going to address the growing risk posed by high-tech criminals who have targeted government assets like the Internal Revenue Service and voting systems as well as multi-billion-dollar companies like JPMorgan Chase, Sony and Target. According to Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021.
“The emphasis on these exercises is that they are a training event,” said Dr. Joe Adams, the vice president of research and cybersecurity at Merit Networks and director of the Michigan Cyber Range.
“You learn what you need to improve,” said Adams, who works with teams from Fortune 500 firms as well as small municipalities.
To carry out its exercises, the Michigan range built a training environment called “Alphaville” — a virtual town that contains a library, school, power and electric company, and a small manufacturing business. Network security teams can enter Alphaville to participate in a simulated attack against one of the facilities, and learn how to properly defend against data theft, malware or a denial-of-service campaign.
State governments and the public sector are getting involved both financially and strategically. The Michigan range is owned by the 12 public universities in Michigan and trains National Guard personnel from both Ohio and Wisconsin.
In Georgia, officials have invested $50 million to build a cyber-training facility at Augusta University that opened in early July, catering to both students and businesses.
That site and others play a big role in workforce development, with many providing a series of certifications that often lead to job offers. U.S. employers currently have 200,000 unfilled cyber-security positions, and the number is projected to rise to 2 million by 2020, according to Bruce Spector, the chairman of the Baltimore Cyber Range.
Spector, who says the range gets students up and running quickly, is using it to tap an unemployed Maryland workforce of 75,000 for more than 20,000 cybersecurity positions.
The most effective facilities create a simulation that participants forget is fake, said Caleb Barlow, the vice president of threat intelligence at IBM Security and the visionary behind X-Force Command, IBM’s Cyber Range.
Every company is going to be hacked eventually, “it’s just a matter of when,” he noted. “How you fare that day is going to be a derivative result of the practice and planning you put in place ahead of time.”
IBM’s facility in Cambridge, Mass., has trained more than 1,700 executives, students and security professionals. Originally, Barlow imagined spending most of his time preparing teams to combat data attacks but soon discovered that he needed to devote more time to how workers performed in the aftermath.
Businesses across all U.S. industries are trying to be more proactive in their data-security measures to avoid increased regulation, Adams said, and cyber ranges are playing a critical role. Attacks like that on credit bureau Equifax, which exposed personal identification data for nearly half the U.S. population, raised concerns that the government might respond too swiftly with new policies.
“The last thing we want is for little Mom-and-Pop manufacturers and local businesses to start getting crushed by government regulations and going out of business,” he said. “The great goal is to be self-regulating.”
Despite a string of Congressional hearings after the 2017 Equifax breach, however, there has been no concrete policy response at the federal level.
Republicans were hesitant to grant more power to federal regulators, and Democrats were concerned a weaker federal law could replace more protective state laws. Consequently, each of the 50 states are governed by separate rules that control how companies protect data and notify consumers of breaches.
The cost of complying with them all is too high, says Patrick Gaul, director of the National Technology Security Council, which is working with corporate information-security officers to advocate for a national law.
But Capt. Christopher Apsey, an Army consultant for Augusta University’s cyber range, says more research is needed before appropriate regulations can be developed.
“The government doesn’t have sufficient technical experts to navigate these policy questions at this point in time,” Apsey said.
