Q&A: Lessons Learned From the Middle East's National Cyber Drills

Suleyman Ozarslan, co-founder of Picus Security, discusses critical-infrastructure cyber drills in the region, who runs them, and what happens to the results.

Some 170 organizations were tested by Qatar's National Cyber Security Agency in its National Cyber Drill exercises last month.

Such drills are an established part of cyber-resilience in the Middle East. Ethical hacker Suleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs, who has been involved in cyber drills elsewhere in the region, talked to Dark Reading about how they work.

Dark Reading: What kind of entities participate in these simulations?

Suleyman Ozarslan: Entities participating are typically from critical infrastructure sectors, including government, energy, finance, utilities, telecommunications, transportation, and healthcare. For example, NATO's Locked Shields often includes energy firms and tech companies, and US Cyber Storm exercises involve a variety of critical sector companies.

DR: Is participation mandatory for companies, or can they choose not to participate?

Ozarslan: Participation is generally voluntary, but governments may strongly encourage involvement, especially for entities in critical infrastructure sectors. Some key industry players may be compelled to participate due to regulatory requirements. Companies may opt out for reasons such as concerns about exposing vulnerabilities, resource limitations, or competitive reasons, although this could mean missing out on valuable insights and improvements to their cybersecurity readiness.

DR: What do the exercises entail?

Ozarslan: The exercises in these simulations can vary widely but usually involve responding to simulated cyberattacks. These scenarios can include managing a data breach or a ransomware attack, defending against complex, coordinated attacks on critical systems, or recovering from them. For example, the Financial Sector Cyber Drill in Turkey included a live-fire ransomware attack simulation involving real-time threat response.

DR: Who typically organizes the drills?

Ozarslan: These simulations are typically organized by national or international government entities. For example, Cyber Guard is part of the US Cyber Command's training program, and ENISA is responsible for Cyber Europe. These organizations collaborate with participating sectors and sometimes involve third-party cybersecurity experts or simulation platforms to create the exercise scenarios.

DR: What happens with the results?

Ozarslan: The results of these simulations are compiled into detailed assessments that highlight successes, failures, and areas for improvement. These results are used to refine strategies, improve policies, and guide cybersecurity investments. Information is usually shared among participants to enhance their individual and collective readiness, but confidential details are kept private.

DR: Is there a concern about failing in these simulations?

Ozarslan: Yes, participants are concerned about failing in these simulations due to the potential for damage to their reputation and the risk of adversaries discovering and exploiting weaknesses. To address this, detailed results of the simulations are rarely made public. The goal of these simulations is not to pass or fail, but to identify weaknesses in a low-risk environment and use that information to enhance overall security. Ensuring confidentiality helps participants feel more comfortable with the process and reduces the fear of negative consequences associated with any shortcomings identified during the simulations.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years' experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
