Cyber Shield 2021: Recap

By COL Brad E. Rhodes, G6/CIO, 76th Operational Response Command (USAR) and former Officer-in-Charge (OIC), Cyber Shield 2021

October 29, 2021

Cyber Shield is a national-level cyber defense exercise which takes place over the course of two weeks each summer. Before it became Cyber Shield in 2013, the event and its predecessors (such as Bulwark Defender) have annually brought together the top defensive cyber operations talent from the United States (US) military to support the defensive cyber readiness training requirements for the National Guard, Reserve, and even Active component participants. Designed, planned, staffed, and resourced by the Army National Guard each year, Cyber Shield is the Department of Defense’s largest unclassified cyber defense exercise, delivering ‘real-world’ training to cyber defenders in network security monitoring, internal defensive measures, and cyber incident response (IR). 

Cyber Shield 2021 was run from Camp Williams in Utah and drew more than 800 military and civilian cyber defense specialists from the Army, Air Force, Navy, Coast Guard, and a host of civilian organizations (called “Network Owners”) from government and commercial sectors across the nation. Including Camp Williams, Cyber Shield participants operated across 40+ US States and Territories. This year’s event was the largest in sometime and was truly a Joint and Interagency event where defenders faced an experienced Opposing Force (OPFOR) – sometimes called a Red Team – that did not hold any punches. Cyber Shield 2021 upped the realism factor by placing defensive cyber teams into IR assisting a civilian organization which had already been compromised. From the SolarWinds Orion supply chain attack to the Colonial Pipeline to the recent Kaseya ransomware incidents, there was no shortage of high-profile cyber incidents to draw from for this year’s exercise. In addition to OPFOR personnel leveraging the tactics seen in these events, exercise Cyber Defenders – called Blue Teams – drew on the lessons learned from them to implement their defenses.

“Cyber Shield is truly a team effort across 40 States and Territories,” COL Brad Rhodes, the Exercise Office-in-Charge (OIC) explains. “Our goal for this year’s event was to get the teams directly into IR while the Malicious Cyber Actors (MCAs) were still conducting activities in the compromised network. Our Opposing Force (Red Team) had incredible tricks up their sleeves that kept the defenders guessing — just like in real life.” 

Each iteration of Cyber Shield is designed to deliver a unique experience, drawing from current events to place defenders in as close to real-world events as possible. This is not possible without a platform for cyber defenders to operate on for the “fight”. For 2021, Cyber Shield was conducted entirely on the Persistent Cyber Training Environment (PCTE) range. One of the five elements of the Joint Cyber Warfighting Architecture (JCWA), the development of PCTE is being managed by the Program Executive Office, Simulation, Training, and Instrumentation (PEO STRI) (https://www.peostri.army.mil/persistent-cyber-training-environment-pcte). At over 4000 virtual machines (VM) spread across Blue, Gray, and Red spaces, Cyber Shield 2021 was the largest event successfully conducted on PCTE to date.

The US military views cyberspace in three distinct level layers (Physical Network, Logical Network, and Cyber-Persona) as shown here:

Image: https://csl.armywarcollege.edu/USACSL/Publications/Strategic_Cyberspace_Operations_Guide.pdf

One of the most unique aspects of Cyber Shield is that the exercise intentionally addresses the Cyber Persona layer. Employing Information Operations (IO) operators from the Texas Army National Guard, in addition to the technical aspects of IR, cyber defenders must contend with the noise of emulated social media which directly impacts the scenario. Couple the complex exercise story lines with the potentially suspect information from a “chirp” or “fakebook” posts and Cyber Shield participants truly experience the “fog of cyber war.” Following legal constraints and regulations, civilian mission partners monitored social media in conjunction with their Blue Team defenders. There were a variety of voices from news media outlets to cyber threat actors to the general public spanning Blue, Gray, Red spaces who all had their opinion about the happenings of the scenario. Just like in the real world, what is found on social media should be viewed with the healthiest skepticism.

The majority of Guardsmen and Reservists at Cyber Shield hold civilian cybersecurity job roles outside of the military. Simply participating in the exercise creates a direct cross pollination of experience and skills. In other words, participants receive crucial training that improves readiness for both their military and civilian work roles in cybersecurity. Guardsmen and Reservists get to practice the hands-on skills at Cyber Shield they might never try on either military or civilian networks. This arms them with a wealth of technical and cybersecurity expertise to bring to the cyber fight for the military and their civilian jobs. It is important to note that most Guardsmen and Reservists balance their civilian job requirements and military duties, which has become increasingly challenging in this era of the contested homeland.

“Speaking for all Cyber Shield participants, I want to thank all employers of Guardsmen and Reservists. I really appreciate the time you allowed for your employees to be part of this amazing event! We can’t do what we do without your support,” Rhodes said.

As discussed previously, Cyber Shield is an unclassified exercise. This allows the integration of civilian mission partners, National Guard State Partner Program (SPP) program countries, and the news media. In fact, this year Cyber Shield planners integrated press participation with a deliberate media day. The old adage is that “no-one tells your story better than you” and this year Cyber Shield did just that, sharing the benefits of the exercise with the public at large. Ultimately, all Guardsmen and Reservists live and work in the communities they may be called to defend. It is imperative the general public understand that there are cyber defenders in the Guard and Reserve ready to stand in the gap for them today!

In summary, Cyber Shield 2021 was one of the most successful to date, spanning the Joint services and interagency. Every participant went back to their civilian job having learned something, practiced important skills, and were challenged by world-class OPFOR. The fact that Cyber Shield is and always will be an unclassified exercise ensures its viability long-term. Just like the more recent Marvel movies, “Cyber Shield will be back in 2022”!  

Cyber Shield Network OwnersImage: https://www.dvidshub.net/search?q=CyberShield21&view=grid 
Awarding the Bronze Order of Thor to Mr. George Battistelli (Deputy G6, Army National Guard and Cyber Shield civilian Exercise Director)Image: https://www.dvidshub.net/search?q=CyberShield21&view=grid 
Cyber Shield operations at Camp WilliamsImage: https://www.dvidshub.net/search?q=CyberShield21&view=grid 

About the Author

COL BE Rhodes is a Cyber Warfare Officer in the US Army Reserves where he is the G6/CIO, 76th Operational Response Command. He holds multiple professional certifications, regularly speaks on cyber defense and incident response, and teaches at the graduate level. COL Rhodes enjoys building with Raspberry Pi and Arduino IoT devices to model SCADA/ICS to demonstrate kinetic-cyber effects for senior leaders. He has drowned countless Lego people over the years and helped many understand that connecting to unsecured WiFi is a terrible idea!  You can find him on LinkedIn and Twitter (@cyber514).