IBM’s cyber security crash course brings out the very worst in you

IBM cyber tactical operation centre

Cast your mind back to your exam-taking days, sat on a hard chair in your school's gymnasium or assembly room and staring at a piece of paper, the words on it rendering you catatonic. Your brain is in overdrive and you're panicking and sweating because what you're looking at has thrown you. You don't know what to do and you're convinced you'll fail.

I was lucky enough to experience that feeling once again when I was invited along with other technology journalists to see first-hand what it's like to be on the receiving end of a cyber attack.

For those of you that didn't catch our news story when it was released, IBM parked up its mobile cyber security training facility on London's south bank in January. Journalists were invited to take part in a scaled-down version of the same exercise which is used to train some of the world's leading cyber teams.

London was just one stop in a Europe-wide tour for the suite carried by an HGV, which saw cyber security training sessions brought straight to the door of IBM's UK customers, which includes NHS digital and a number of schools across the country.

On the inside, the setup looked like it had been pulled directly from an action blockbuster. The walls were jammed full of 4K screens, there was a dull but noticeable hum from the data centre and its cooling system in the next room, and each computer displayed streams of data - what I imagined nuclear launch codes might look like. I took my seat at the front of the three banks of desks as the room started to fill. I placed my notepad on the table, turned on my dictaphone and reclined in the chair.

Although we all knew we would be taking part in a cyber security simulation, we didn't quite know when it would start, or what to expect once it did. Once settled, the group and I started to relax.

Soon our roles were explained to us. I would take on a job within the HR department of Bane and Ox, a fictional Fortune 100 financial services company that was about to suffer a serious data leak at the hands of a live attack. I was told I would need to source information and distribute it around the other teams, something which I, somewhat naively, thought I would be good at, being a journalist and professional communicator of words.

The simulation room has been designed to make the experience as realistic as possible

More time passed with little indication as to when the exercise would begin. However, in what was clearly an effort to simulate the real world of cyber security, nothing happened for some time, but then, everything happened, all at once.

The first call came through, loudly and abruptly. Out of the six teams tasked with protecting the firm, we had to take the first call - we had to set the example. My teammate Jeremy and I looked at each other with dread - neither of us wanted to take that call. We just stared at each other, both saying nothing but our facial expressions were communicating just fine.

"You take it."

"No, you take it," we both said silently. The phone rang longer than a phone usually rings, but in the end, Jeremy broke first. I out-cowarded him.

At the end of the line was a convincing "journalist" who claimed to have just been told that data belonging to millions of our customers was sprawled across the internet. She asked us for comment, as journalists tend to do. In a visible panic, spluttering and choking, Jeremy blurted out 'no!' before he'd even verified the information was legitimate.

Despite my smugness at having shirked my responsibilities, I can't say I would have handled things any better. It was unsurprising to hear that the journalist was going to publish the story regardless - again, I would have probably done the same. That prompted a cry of "superinjunction!" from a nearby American-accented journalist.

IBM briefly set up its simulation near its Southbank headquarters in London

After a play-by-play breakdown of the mess that had just transpired from our IBM babysitters, there was another ten minute period of calm, followed by what can only be described as a bombardment of calls to the other teams.

It wasn't just one loud phone ring that filled the room with its obnoxious noise, more came in, each more unwelcome than the last. Being part of HR, I was supposed to liaise with these teams and find out what they knew, but the flurry of activity was so distracting that I could barely collect my thoughts, let alone follow a company-wide communication strategy.

The individual teams were tasked with working together to combine what we knew into a coherent picture. We had all received phone calls from different external sources and we were supposed to analyse those at pace while communicating it to other departments. The big picture was that the initial data leak had led to a much more serious cyber attack, of which we were in the midst.

Specific details were scarce, but information sourced from another team revealed that attackers had managed to cripple company systems, even leading to some of our employees becoming trapped in a lift. Reporters were also at the front doors of our headquarters, demanding answers to the rumours.

Our IT team crumbled under pressure. The sheer number status reports coming in, some of which provided conflicting information, meant that many teams started to ignore calls that came in, in an attempt to avoid making the situation any worse. It was simply impossible to know what information was true.

The IBM guys stepped in when things started getting truly out of hand. They said we needed to elect a leader - someone to organise the chaos that consumed us. Amid the madness, we, a group of confused and somewhat frightened journalists, had to delegate a leader of the pack.

Picking leader brought a brief semblance of order as we tried to organise ourselves and assess what information we had was in fact true. But it wasn't long before the shouting resumed. The panic and stress had re-emerged.

For a moment I stepped out of the HR role I assumed and became a fly on the wall. In the space of an hour, the task had effectively crippled our ability to communicate. The simulation was designed to demonstrate what happens if you don't have a cyber security strategy in place, and in this, it was an unmitigated success.

Data breach surge post GDPR

IBM is taking its X-Force Command big rig on a European-wide tour

The exercise came to an end when the reporters decided they had enough to run the story. We had failed enough times to let more information fall into the hands of the pesky reporters. It was done, the torment was over. I had never been so glad to fail.

Still, our mediocre performance wasn't the worst the organisers had experienced. We were told of a time when a major hospital in Cambridge, Massachusetts completed the exercise and repeatedly ignored the trapped person in the lift, even after IBM actively tried to get the team to focus on the person in danger. The hospital's decision to focus on minimising profit loss instead of rescuing the trapped individual eventually resulted in a death. It was good to know that despite our woeful performance, at least we didn't kill anyone.

We didn't expect the exercise to begin without warning, but that was the beauty of it. It was abrupt and unwelcome, just as if it was a real cyber attack, and, what is likely to reflect a large proportion of businesses, we were completely unprepared to handle it.

Unfortunately, the reality is that data breaches have become a fact of business life. We recently reported that since GDPR's implementation in May 2018, less than a year ago, almost 60,000 data breaches have been reported across Europe - that's almost 200 every day, just in Europe.

The sad truth is that your business will be affected by a cyber incident sooner rather than later, so it's important you're ready.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.