The feds have launched sweeping initiatives to shore up cybersecurity throughout the government and critical infrastructure—and IBM’s X-Force wants them to train at its new Cyber Range in Washington, DC.
X-Force has previously built cyber ranges for its own in-house use in Cambridge, Massachusetts and Bengaluru, India, according to Troy Bettencourt, global head of X-Force’s Incident Response practice. IBM also has a business building ranges for third-party clients—all seven to date have been for universities, such as the University of Ottawa—and has even taken them on the road in trailers.
At a tour of the facility in early March, IBM staff demonstrated what they called its distributed virtual environment—most prominently a war-room-style security operations center complete with wall-spanning screens and dozens of terminals, but other areas that could stand in for board rooms, an operational technology (OT) station, and a hands-on lab. The space allows for groups to operate as multiple teams under realistic constraints, like their ability to communicate with each other.
Bettencourt said the DC facility is unique, however, in that it is X-Force’s first such project intended to cater mostly to the federal government and its suppliers. For the new target market, X-Force pivoted on content.
“If you’re a senior government executive—cabinet-level official or someone significant in an organization—and you have a cyber incident, you probably don’t need to talk about cyber insurance, you may not need to talk about your outside crisis communications firm,” Bettencourt told IT Brew. “You’ll have direct access, probably to the FBI or your inspector general, who will do the investigation.”
One crisis response scenario previewed to attendees simulated malfunctioning facial recognition scanner systems that caused hours-long lines at airports. The audience included administrators and directors from the Cybersecurity and Infrastructure Security Agency (CISA), Transportation Security Administration (TSA), and the Office of the National Cyber Director (ONCD).
Participants were tasked with everything from fielding the initial phone call alerting them to the issue and reviewing their business continuity plan to preparing an initial crisis comms statement as media coverage of the incident began to intensify. A key theme was how decisions (or oversights) in the heat of the moment can have ripple effects, some that might not be noticeable for days.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“None of us make a decision expecting it to be the wrong decision,” Jake Paulson, currently head of strategy and chief of staff for X-Force, told attendees. For example, he reminded trainees to verify the authenticity of the initial alert call as well as social media posts pushing dubious reports of mass flight cancellations.
The most common training scenarios other X-Force ranges have hosted are ransomware response exercises for multi-team groups or non-technical personnel like C-suite executives, Bettencourt told IT Brew. Banks and other financial institutions are particularly common customers.
“If the most senior person in the room has maybe a Cisco [certification], we’re probably going to deliver a more technical session to them,” Bettencourt said. “But we try not to go deep into the tech because this isn’t about testing your technology, it’s about testing your processes.”
The DC range has over 40 courses in total. X-Force can tweak pre-designed exercises to incorporate client data points and systems for more technical audiences, Bettencourt said, and full cloud-based replication of environments is possible, if costly. (IBM declined to share information about pricing other than that it “can vary widely,” though it said some exercises can involve bringing in experts from other IBM industry and business teams.)
“Not many clients want that level of investment,” Bettencourt told IT Brew. “We can still simulate their environment realistically enough that they’re working on the tools they have in their environment, in most cases.”
IBM is offering two no-cost training sessions in 2024, with an exercise for participants in the chemical, energy, and water industries slated for late April and another later in the year.