Preparing for the ACSC Collaborative Defense Simulation: A Public Sector Perspective RADM (ret.) and ACSC Board Member Michael Brown
In anticipation of the ACSC’s second annual Collaborative Defense Exercise on September 20 at the Federal Reserve Bank of Boston, we are speaking with our event co-organizers, ACSC Board members Michael Brown and John McKenna.
Our conversation with John McKenna provides perspective on the value of the ACSC cyber incident simulation exercise for commercial organizations. John’s co-organizer, Michael Brown, brings the extremely valuable public sector element to the ACSC program. Brown, Rear Admiral, United States Navy (Ret.) is the founder and president of Spinnaker Security LLC, a cybersecurity consulting business focused on understanding, identifying and mitigating business risks associated with cybersecurity. Brown also serves as the Board Clerk for the ACSC Board of Directors.
Over the course of his 31 years in the United States Navy, Brown had significant leadership positions within the Departments of Defense and Homeland Security regarding cybersecurity. Brown’s last position on active duty was as the Director, Cybersecurity Coordination for DHS where he was responsible for increasing interdepartmental collaboration in strategic planning for the nation’s cybersecurity, mutual support for cybersecurity capabilities development, and synchronization of current operational cybersecurity mission activities for the Departments of Defense and Homeland Security. He also served as DHS Deputy Assistant Secretary, Cybersecurity and Communications, Acting Assistant Secretary, Cybersecurity and Communications and as the Assistant Deputy Director Joint Interagency Task Force for the Office of the Director of National Intelligence.
What drives you to be on the ACSC Board? Tell us about the role you’ve played, your contributions, goals, and interests.

In 2011, I delivered the opening keynote for the first ACSC meeting. I was with the Department of Homeland Security (DHS) at the time and familiar with government and private sector initiatives, but the ACSC was the first example that was driven by the private sector. As such, the ACSC fills a huge gap.
In February 2012, I retired from the Navy and moved back to Massachusetts to work for EMC. Once I was settled in the new job, I joined the ACSC as a board member. My goal is to continually grow the ACSC in its ability to meet the needs of members and to let members know what they need. Having worked in government forever, I know that no one government agency can do everything to meet a cyber threat. Collaborative defense is so important, but it requires both the private and public sectors -- on both the Commonwealth and federal level -- working together.
Companies can’t wait for an incident to figure out how to work together. From an operational perspective, the ACSC understands the roles and responsibilities of both sectors, how to take advantage of them and begin working together.
What benefits, in your opinion, does the ACSC bring to its members?

First, the ability to collaborate with both public and private sectors and to leverage each other. In 2011, the ACSC was truly the only organization where you could have high level threat information in a trusted setting. Now, the world has matured; threat information sharing has matured and become automated. The value-add from the ACSC is collaboration: the ability to operationalize processes so that members can be aware of malicious activity, mitigate and remediate those vulnerabilities.
You and John McKenna are helping the ACSC plan the second annual collaborative defense initiative. From your perspective, what is the value of this event?

First, the simulation exercise brings public and private sectors together in a venue where they can get to know and understand what their organizations can do. Instead of members meeting for the first time in a real incident, the event helps them prepare upfront and start to operationalize their response so that they are more prepared for when, and not if, an incident occurs. 
Second, the ACSC simulation is the only event bringing public and private organizations together to operationalize plans and to make sure the plans are executable. The simulation exercise lets us ask: Do plans work as written? Are there changes needed? Can we make it better? A dynamic plan takes into account the fact that technology, threats, and people change. We need to see where our plans need to change, and we need to exercise them. It’s similar to the military, which draws up plan after plan. A plan is only as good as its first engagement. This is why the Defense Department constantly exercises their plans.
What do you see as the integral components of the simulation exercise? How will the 2019 event differ from last year’s event?
Participants in the 2018 simulation got to understand their roles and responsibilities. We had solid representation from both public and private sectors. DHS, DoD, FBI, National Guard and NEMA at the federal level participated in addition to the Executive Office of Public Safety (EOPS), and the Executive Office of Telecommunications and Security Services (EOTS) from the Commonwealth. Private sector companies represented financial services, healthcare, higher education and technology, among others.
The event offered an executable and realistic table-top scenario so that people can see what can and has happened. The exercise is realistic enough so they can see when to make decisions and when to ask for help. We also compiled a “Lessons Learned” after action report.
As a result of the 2019 simulation, we recognized there is a learning curve. We have to learn how to roll over, then crawl before we walk and run. Last year was “roll over.” We tried to understand everyone -- the ACSC, members, government -- and what our internal processes and capabilities were. But the teams were self-contained and focused on internal processes and capabilities.
In 2019, we want to crawl. In addition to assessing organizational response, we will bring together participants by role - CISOs, legal counsels and communications executives – to learn from each other, collaborate and bring everyone’s level of competency and awareness up.
Why should organizations participate in the collaborative defense exercise?

The ACSC Collaborative Defense Exercise helps participants to understand their true capability when involved in cybersecurity incidents. It also enables them to collaborate proactively to understand what exists out there, to leverage available capabilities and skills, and not wait until a cyber threat happens.
How does the ACSC's cross-sector, public/private collaboration help a commercial organization with their preparation and response to advanced threats?

The ACSC’s public/private collaboration focuses the various government agencies to work together. As I mentioned above, there are a bunch of departments with different roles and responsibilities, and they need to work together to be effective.
Secondly, the public sector relies on the private sector for critical infrastructure; roughly 80% to 85% is in the hands of the private sector. They need to understand its capabilities in order to be effective in a time of crisis and not just reactively. They need to begin the proactive process of working together.
Tell us what excites you the most personally in regards to the work being done by the ACSC?

The number one thing is it’s not being done anywhere else. The ACSC Collaborative Defense Exercise demonstrates the art of the possible for collaboration between the public and private sectors and makes it effective for participants. Last year people didn’t know what it would be like. The event got them fired up. People wanted to bring it to the next level.
In 2010, when DHS drew up the National Cyber Incident Response Plan, Massachusetts did not take part. However, I'm pleased to say now Massachusetts is working on an incident response plan. ACSC Executive Director Michael Figueroa is working with the MassCyberCenter on the plan and, as chair of Governor’s Cyber Security Council, so am I.
In 2020, when the Federal government does their next exercise, there will be an opportunity for the ACSC to demonstrate what our capability is.