In March 2015, the UK Government Communications Headquarters (GCHQ) held the largest cyberattack simulation in British history. Over the course of two days, 42 cybersecurity experts dealt with a staged terrorist attack featuring a group of hackers taking control of the guns on a battleship and pointing them at London City Hall.
So what was the point of all this?
GCHQ spent their time and money on the exercise in order to find new talent to recruit. However, this is not realistic for most organizations - it's an expensive way to find new employees - so is there a point in simulating cyberattacks at all?
Leading voices in the cybersecurity sector certainly think so. In fact, major simulations are becoming more common in this industry. EU law enforcement agency Europol's European Cybercrime Centre (EC3) recently held a major simulation alongside MasterCard, in order to promote best practices in the retail industry.
Held at Europol’s headquarters in The Hague, the Mock Retail Cyber Hack exercise involved simulated threats such as infiltration of payment systems and distributed denial of service (DDoS) attacks.
Steven Wilson, the head of EC3, said the simulation "provides a plan and the necessary know-how for merchants to be able to immediately remediate any such hack in real life and protect the financial data of as many of their customers as possible".
The benefits of simulations
These simulations provide vital practice without risk. During an actual cyberattack, staff might be afraid to try new tactics in case they fail, as there is so much on the line. Yet those tactics could be key to defeating cybercriminals, so IT professionals need a chance to try them out in a safe environment.
Dr John Saunders of the National Defense University also points out that simulating attacks allows teams to discover responses to questions they didn't know needed asking. For example, a simulated attack could show how a network would react to a hack, or how communications would be disrupted.
Summing up these benefits, Dr Saunders said: "Through simulation exercises, responses to these questions can be learned. It is too late to formulate a proper response after the crisis has occurred or after the system has failed to perform."