- BlogInfoSec.com - https://www.bloginfosec.com -

Another Fifth … Quantum Dawn Cybersecurity Exercise

Another Fifth … Quantum Dawn Cybersecurity Exercise

Following my BlogInfoSec column “Taking the Fifth …” posted on October 29, 2019, I came across other “fives,” the most relevant of which was about Quantum Dawn V, which took place on November 7, 2019. This is the  fifth in a series of desktop exercises conducted every two years for and by the financial services sector.

The reason for my interest is that I was on the team that initiated these exercises, along with Rob Schmidt, Jeff Schmidt, Andy Cutts, Phil Sussman, and others. It all started during the “hot wash” following “Livewire”, described here https://searchsecurity.techtarget.com/tip/Cybersecurity-exercise-helps-put-the-pieces-in-place [1]  in an article by the late Howard Schmidt, when I suggested that, while Livewire was a reasonable simulation of the technical side of the banking and finance sector, it did not address the business side, which was equally critical, if not more important than the technology infrastructure. We then engaged in a series of discussions with senior people from the financial services industry to try to raise the needed funds to develop such a model, but were not met with much enthusiasm as the industry was understandably intent on addressing physical security following the 9/11 attack on the World Trade Center.

Eventually, funding was obtained from Congress, thanks to efforts by NUARI (Norwich University Applied Research Institutes) and Delta Risk. There is a brief summary of this history at https://deltarisk.com/resources/case-studies/distributed-environment-critical-infrastructure-decision-making-exercises/ [2]  The awarded funds were managed through the Department of Homeland Security (DHS) by Doug Maughan. The resulting closed-loop simulation model, which was named DECIDE-FS®, became the basis of the Quantum Dawn (QD) series of exercises, mentioned above. NUARI subsequently obtained four patents relating to the processes underlying the simulation model. DECIDE is an acronym for “Distributed Environment for Critical Infrastructure Decision-making Exercises.”

The early runs of the QD exercises were relatively small affairs involving representatives from a dozen or so financial institutions. I helped to design the simulation, develop scenarios, and chronicle the results in after-action reports through QD-III. The number of institutions, associations and government agencies grew rapidly from one exercise to the next, as the capabilities of the model continued to improve and more firms and agencies realized the benefits of the exercises. Until this year, participating financial institutions were limited to U.S. domestic firms, but Asia, Europe and Canada participated in QD-V. Indeed, in 2019, there were more than 600 participants from over 180 financial firms involved in the exercise!

It is indeed gratifying to see how popular these exercises have become. I believe strongly that they are crucial components of building resilient infrastructures, and I am happy that I was able to help initiate the simulated environment that made the exercises so much more effective.

But financial firms are just the start. In March 2019, the S&T (Science & Technology) Directorate of DHS awarded $5.9 million to extend the DECIDE model to the energy sector, see https://www.dhs.gov/science-and-technology/news/2019/03/21/news-release-st-awards-59m-expand-critical-infrastructure [3]

My hope is that the model will eventually cover all critical infrastructures, both domestically and globally. What an exciting prospect. Congratulations to all involved in the project so far. I am indeed proud to have contributed at the outset to this monumental endeavor.