Although not new, cyber ranges have recently created a buzz with technology stakeholders and security practitioners on more than speculative benefits. In North America in particular, cyber ranges have garnered attention on their ability to solve what has become a global cyber capability issue rooted in a cyber skills shortage and a growing, long-term demand.
Within this, cyber warfare operations are jockeying to meet their own needs for skilled resources but also specialized development environments. If not met, the combined need for skills and improved security is a barrier with serious consequences to advancing technologies, industry and national security.
But together they share a synergy that may help solve each other’s problems while launching cyber ranges into the commercial markets. On that, let’s start with what cyber ranges are, why the trend is exploding and why they will stabilize as a future norm and how they impact to cyber skills development and cyber warfare.
Cyber ranges are like ‘Sandboxes’ …
Nope. And a little advice: avoid comparing them to ‘sandboxes’ with cyber range engineers (trust me). The simplest description of a cyber range is a closed, access-controlled virtualized environment of workspaces and test beds, created with devices, applications, systems and connectivity. Unique in enabling simulation and replication of scenarios under controlled conditions, they allow for refinement of offensive/defensive capabilities and skills by supporting complex functions on a massive but efficient and maintainable scale.
Emerging decades ago, cyber ranges were developed by government defence departments to support covert cyber weapons and technology programs that require intricate and controlled testing and detonation to measure effectiveness, operational readiness and stability. At their highest capability, these ranges functioned like advanced kinetic ranges, facilitating specialized weapons, cyber warfare training and operations and were meant to contain and withstand damage, keeping ranges ‘hot’ for extended periods of time.
As cyber ranges transitioned to secure environments for cybersecurity education, training and testing, the Michigan Cyber Range (MCR) was one of the first unclassified, private cloud platforms. Developed in 2012 by the White House top security leaders, the U.S. Department of Homeland Security (DHS) and Merit Networks, it was a milestone in providing an advanced platform for industrial control systems and product development for clients throughout the world.
Around the same time, the National Cyber Range (NCR) in Arlington, Virginia was developed by the Defense Advanced Research Projects Agency (DARPA) to execute ‘cyber war games’ and examine malicious code. Evolving to encompass for cyber warfare testing capabilities, Internet and Global Information Grid (GIG) research, the NCR also facilitates quantitative and qualitative scientific assessment and training on exceptionally virulent code under a recent $33.9 million order. It wasn’t long before other cyber ranges popped up leading to current initiatives:
· Hong Kong’s developed its first cyber range in 2016 for law enforcement agencies and financial services cybersecurity training;
· Palo Alto Networks developed a dedicated cyber range facility this year in Amsterdam with launches planned for the Americas and the Asia-Pacific regions;
· The RHEA Group is now developing the European Space Agency’s (ESA) specialized cyber-range to simulate space operations and mission control systems; and
· This summer the Virginia Cyber Range (VCR) developed in 2017 is hosting its first Cybersecurity Education Conference targeting high schools, colleges and universities.
Cyber ranges become a “Thing”
With several success stories behind cyber range technologies, they have been catching the eye of commercial technology markets and academia in the US, led by an increase in critical and integrated, interdependent systems. Whether for government, industry or academia, multiple levels of complex configurations, cyber ranges deliver much sought after dynamic agility, scalability and simulation of concurrent and integrated events.
Now, with these technologies maturing and costs are lowering, the extraordinary storage capacity and processing speeds make cyber ranges a feasible solution for Big Data analytics, Artificial Intelligence (AI), the Internet of Things (IoT) and increased video-on-demand for many sectors. Investments in cyber ranges are allowing “cyber warriors” and technologists test and develop technologies, as well as collaborate and train, for real-world functionality and scalability.
In Canada, we’ve yet to see a visible, commercial cyber range initiative despite substantial efforts in skills development, collaborative ecosystems, like CANARIE and programs at the University of New Brunswick and Carleton University, and R&D hot spots in Kanata, Waterloo, Calgary and Toronto. For Canadian government, the strategic value and cost-benefit of cyber ranges for cross-departmental cybersecurity testing, training and common services may prove to be transformative to centralized services.
Cyber workforce and skills development
A recent Harvard Business Review article suggested that the “best cybersecurity investment business leaders can make is improved, continuous training that responds to the asymmetry and complexity of emerging technologies.” Already in the US, the cyber workforce is being bolstered by cyber ranges in Arizona, Arkansas, Florida, Michigan, Virginia and Georgia and have become core to governments competing with the public sector for adequate skills.
Government and academia are well aware of the need for qualified cyber professionals, including those to develop and maintain cyber ranges, and industry isn’t far behind. Driven by concepts like complex and constant connectivity and autonomy, a wide berth of cyber skills will become part of core competencies in industry, creating a new competitive climate.
For those of us old enough to recall, the mid-1990s saw the same phenomenon. Around the world, software development converged with Internet technologies, multimedia, eCommerce and eBusiness, making talent a hot commodity. Many Canadian resources were courted by US high-tech firms of all sizes resulting in a ‘brain drain’ that starved innovation in some Canadian sectors and in others created a highly competitive environment in just acquiring and retaining talent.
Now, strained by a glut of vacant positions, the current skills shortage and growing gap is only second to the need to improve immediate skills in the workforce – much like what occurred in the 90s. But this time, the stakes are much higher.
Beyond the code: Cyber warfare
In 2010, John Chipman, director-general of International Institute for Strategic Studies (IISS), stated, “Despite evidence of cyber attacks in recent political conflicts, there is little appreciation internationally of how to assess cyber-conflict.”
For years, experts have warned cyber warfare is an advancing threat with challenges beyond developing cyber capabilities and cyber warfare detection. The lack of international cyber weapon agreements and tenuous political landscapes, such as China’s military diversification, Iran and North Korea’s nuclear programs and terrorist proliferation, leaves a jarring prospect. Still, more volatile danger may rest with non-state actors’ access to asymmetric and cyber warfare techniques.
With ISIL/Daesh’s aggressive technological trajectory of skills, it is not inconceivable that cyber warfare may land in the hands of brutal ideological groups intent on destabilizing Western nations. Daveed Gartenstein-Ross, senior fellow at the Foundation for Defense of Democracies, wrote on this recently, “… we have seen multiple failures in imagination as analysts tried to discern what terrorists will do with emerging technologies.”
With the realization that traditional war strategies and tactics exponentially strengthened by cyber warfare through the potential for multiple covert attacks meant to disable or destroy capabilities, economies and democracies, the impacts are clear: a successful cyber warfare attack would result in any number of devastating, cascading effects with unfathomable recovery periods.
As cyber warfare and cybersecurity threats blur, the trend will continue – as consumer technology becomes widely available, malicious actors will find a use for it through adaptation. If anything this underscores the importance simulations of multi-pronged attacks, development of counter attacks and simultaneous tests in varying classification and sensitivity levels – that rely entirely on skilled resources to build, maintain and operate them.
Whoever has the best platform wins
Undoubtedly, cyber ranges will increase in use by all levels of government, industry and academia to develop cyber skills, as well as a platform to develop cyber tools, techniques and processes. As they evolve to more collaborative models and move to commercial markets, the dependency between cyber capabilities and highly skilled resources will come into closer view.
With that, the ability to develop and deliver these ranges is more than a race to market: whoever has access to the advanced cyber ranges could dominate their respective space. For that reason, Canadian CIOs must forecast and invest in the technology to establish Canada’s competitiveness and national security preparedness as the landscape shifts.