Preparing for National Cyber Crises Using Non-linear Cyber Exercises

Cyber exercises are a well-received and established means to strengthen the problem-solving skills of personnel and to prepare staff for future cyber incidents. While this concept seems to work for the majority of expected issues, where practicing the application of specific processes, tools and methods to mitigate the effects of large-scale cyber attacks is key, existing cyber exercise approaches are just of limited use for crises management. The reason for this lies in the very nature of a crisis. While ‘common’ incidents appear to be more predictable and can usually be dealt with thoroughly prepared standard procedures and well-rehearsed responses, crises however, are inherently uncertain, and off-the-shelf solutions may even be counterproductive. Complex decisions are to be made in short time-frames, influenced by a lot more stakeholders compared to internal incidents, including regulators, the media, and even the general public. These decisions can barely be guided by prepared plans or checklists, thus new forms of preparation are required, which challenge the participants to practice decision making under pressure, but further give them the opportunity to re-consider choices, walk alternative paths and enable them to find the best possible solution for a given situation. For this purpose, this paper discusses a new approach for non-linear cyber exercises, which allow branching points to develop a storyline, and employ new techniques, such as ‘Fast Forward’ to quickly progress to the critical stages of long-lasting crises, ‘Playback’ to consolidate gained skills, and ‘Pause-Adapt-Repeat’ to play through alternative paths. In this paper, we discuss limiting factors of today’s cyber exercises for large-scale cyber crises preparation, and introduce concepts for non-linear exercises to compensate these issues.