Cyber Yankee

By COL Woody Groton

June 20, 2021

National Guard Cyber Forces in New England conduct an annual cyber exercise, “Cyber Yankee,” to test cyber incident response capability in support of government and critical infrastructure partners. Using a realistic scenario, Cyber Yankee stresses National Guard cyber forces along with their partners from government and critical infrastructure to overcome a fictional nation state adversary. Cyber Yankee is a multi-echelon exercise ranging from tactical hands-on keyboard to Combatant Command and interagency level. Over the past six years, Cyber Yankee has grown in both its number of participants and its complexity and now includes participation from multiple private-sector critical infrastructure partners, state government entities, federal agencies, and United States Cyber Command (USCYBERCOM).

National Guard cyber forces represent a robust and readily available cyber incident response force for state Governors and federal requests. When directed by their state leadership, Guard cyber forces conduct defensive cyberspace operations outside of the Department of Defense Information Network (DODIN) in support of state and local government including K-12 education and critical infrastructure. The Guard uses United States Cyber Command’s (USCYBERCOM) Cyber 9-Line (C9L) reporting tool in exercises and real-world events to provide indicators of compromise (IOC) and other pertinent information to the command’s big data platform (BDP). The C9L is a mechanism for two-way communication between Guard cyber elements and cyber analysts at the USCYBERCOM joint operations center (JOC). All data is automatically entered into the BDP to further information sharing. Cyber analysts from the Guard can query the BDP to find additional information on the threat actors as well as related IOCs. Analysts at USCYBERCOM’s JOC can also provide additional analysis in support of the Guard incident responders, as well as real-time malware analysis.

SSG Travis Chase conducts his incident response procedures at Cyber Yankee '20. National Guard Soldiers and Airmen used appropriate mitigation measures to continue training their readiness to respond to cyber incidents at local and state critical infrastructure despite the COVID-19 pandemic.
(U.S. Air National Guard photo by Staff Sgt. Charles Johnston)

The primary training audience for Cyber Yankee is National Guard cyber operators in a hands-on-keyboard, tactical-level exercise, with a live opposing force, using realistic threat tactics. The exercise is conducted at the unclassified level to facilitate participation by local government and critical infrastructure industry partners.

Cyber Yankee is multi-echelon training. While the primary training audience is the cyber operators at the tactical level, Cyber Yankee also exercises a whole-of-government approach at the operational level and includes participants from state government, utilities, Cybersecurity and Infrastructure Security Agency (CISA), Federal Emergency Management Agency (FEMA), Federal Bureau of Investigation (FBI), Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), sectors’ Information Sharing and Analysis Centers (ISACs), and National Guard/Department of Defense (DOD) personnel.

Cyber Yankee 2020, held July 20 through August 1, represented the sixth year of the exercise focused on the New England region (Federal Region 1/National Guard Region 1). Despite challenges associated with the COVID-19 pandemic, the exercise had over two hundred participants, with several teams, and the cyber joint task force headquarters, participating remotely. Cyber Yankee 2020 included participation from the USCYBERCOM Joint Operations Center (JOC) and the Cyber National Mission Force (CNMF). Participating Guardsmen used the Cyber 9-Line (C9L) platform to provide indicators of compromise (IOC) to the USCYBERCOM JOC, which, along with members of the CNMF Task Force 5, analyzed the data and provided supporting information back to the Guardsmen to facilitate response. Cyber Yankee ’21, which concluded last week, further strengthened the relationship between Guardsmen in New England, National Guard Bureau, and USCYBERCOM. Additionally, Cyber Yankee ’21 added Oil and Natural Gas as a supported critical infrastructure enclave.

SGT James Mackey briefed his red team, comprised primarily of Reserve and Active Duty Marines, on an upcoming operation within Cyber Yankee '21. This red team provided realistic emulation of adversary activity for the participating incident responders.
(U.S. Marine Corps photo by Lance Cpl. Mitchell Collyer)

Cyber Yankee represents an excellent training opportunity for National Guard cyber forces to prepare for cyber incident response in support of state and local government and critical infrastructure. In addition to the lower-level tactical training, the multi-echelon nature of Cyber Yankee allows exercising operational and strategic level cyber response coordination between National Guard forces, the National Guard Bureau, USCYBERCOM, and the interagency.

About the Author

COL Woody Groton is an Army Cyber officer currently assigned as commander of the 54th Troop Command, NH Army National Guard. COL Groton is a Certified Information Systems Security Professional and holds a Master of Science in cybersecurity from Regis University and a Master's in Strategic Studies from the U.S. Army War College. COL Groton is a Gold member of the Order of Thor and is Vice President of the New England chapter of MCPA. COL Groton is one of the founders of the Cyber Yankee exercise and served as exercise director in 2019 and 2020.