The Center for Cybersecurity Policy and Law (Center) conducted a multi-stakeholder tabletop exercise entitled “Examining Critical Infrastructure Cybersecurity and Resilience” on March 26. The purpose of the exercise was to explore the ability of government and private sector stakeholders to address the level of disruption a nation state with sophisticated cyber capabilities may cause to critical infrastructure if given extensive freedom of action. It was intended to help identify technical and policy approaches that may effectively bolster cybersecurity and resilience against such an attack.
The exercise outcomes supported a number of findings related to nation-state cyber threats and information sharing that are the basis of this report’s recommendations:
- Evaluate and Revise Cyber Information Sharing Processes
- Take Proactive Measures to Improve National Cyber Incident Response Capacity and Assess Offensive Cyber Policies
- Harmonize Cybersecurity Standards and Regulations
- Address IT Concentration Risk
In addition to informing these recommendations, the exercise identified numerous areas for further research and assessment, along with some questions the exercise was not designed to answer. This after-action report supports the proposed recommendations, underscores areas in need of further exploration, and should spur further discussion on this topic due to the increasing likelihood of such an eventuality.
Exercise Background
To further its mission, the Center sought to explore how a sophisticated nation-state cyberattack intent on causing severe operational disruption among critical infrastructure and government entities might play out when a threat actor operates unburdened by the need to disguise attribution and is instructed only to act below obvious thresholds for war.
In particular, the Center sought to assess the effectiveness of modern technical and policy approaches to cyber defense and resiliency to identify effective measures and areas in need of improvement. This included:
- Examining how foundational resilience in information and communication technology (ICT) may be more effective than trying to defend against every possible attack.
- Seeing that effective infrastructure resilience requires rapid and comprehensive adaptability to meet the shifting tactics of attackers and the ever-expanding attack surface.
- Documenting that resilience requires a continuous feedback loop between consumers, providers, and governments.
The catalyst for the exercise’s development was the recent uptick in geopolitical tension between the U.S. and China, including the notable cyber operations targeting U.S. government and critical infrastructure entities carried out by Chinese threat actors Volt Typhoon/VANGUARD PANDA and Salt Typhoon/OPERATOR PANDA. The exercise is also timely, as it coincides with a presidential administration seeking to reshape U.S. government policy and capabilities on the internet and the protection of critical infrastructure and government assets from cyber threats.