How COVID-19 changed Cyber Command’s ‘Cyber Flag’ exercise

Even the military's hackers have to work from home.
cyber flag
(DoD News / Flickr)

This year when U.S. Cyber Command convened with allied countries to test how they would collectively defend against a cyber-operation targeting allied networks, the units came together for what appeared to be a straightforward simulation of an attack against a European airbase.

The worldwide coronavirus pandemic made the simulation less than straightforward.

For the first time ever, participants conducted the exercise from home on a new platform, according to U.S. military cyber commanders involved in the exercise. The annual simulation, which simulated an attack that impacted both information technology (IT) and operational technology (OT), took place on the Persistent Cyber Training Environment (PCTE).

“The impact of COVID-19 is pretty clear and it’s been a challenge for us. But it didn’t pause the action that’s been going on in cyberspace,” U.S. Coast Guard Rear Adm. John Mauger, the director of Cyber Command exercises and training, told reporters Wednesday. “Within Cyber Command we couldn’t stop and that’s really because our adversaries haven’t stopped during this pandemic.”


Although Cyber Command says it was planning to use the platform for the annual exercise, called Cyber Flag, long before the coronavirus started spreading, the pandemic forced the military commanders to reassess how they would work together virtually. It also solidified how important it is for the U.S. military to be able to work with and allies from afar in times of crisis.

“This really is about a new way of training and exercising for this command … the ability to operate over such a distributed format,” Mauger told reporters. “What we found through the rapid development and use of the PCTE is that … it reforms how we are moving forward with training. Our defense is only as strong as our weakest link. So we have to have the capability to train like we fight across the domain and bring in that broader group of allies and partners into the operations.”

The simulation

The exercise took place over the course of two weeks, with fake adversaries targeting virtualized industrial control systems and supervisory control and data acquisition networks (ICS/SCADA), military commanders involved in the exercise said.

The defenders, or blue teams, were made of several different sets of allied and U.S. cyber personnel, including those in the Five Eyes intelligence alliance from the U.K., New Zealand, and Canada, as well as participants from the U.S. Navy’s Fleet Cyber, the U.S. Marine Corps Forces Cyberspace Command, U.S. Army Cyber Command, the U.S. Coast Guard’s cyber branch, the U.S. Department of Energy, and the National Guard. Over 500 people participated in all.


On the simulated airfield, the red team pretending to be the adversaries — a team made up of just Cyber Command and U.S. Army 1st Information Operations Command staff — conducted “standard types of red team actions,” according to a technical director that spoke with CyberScoop. This included gaining initial access to a work station via spearphishing. The attackers then moved laterally to other machines to spread the infection and escalated their privileges.

The red team used all unclassified software to run their intrusions, such as the penetration testing tools Cobalt Strike, Metasploit, and PoshC2. The blue teams then were responsible for detecting the adversaries’ actions and stamping them out of their networks.

While many personnel participated from home, three teams did have to work together in person. To ensure that they could appropriately physical distance to reduce the spread of COVID-19, the operation took place over the course of two weeks, rotating teams in and out of facilities, according to Cyber Command.

The exercise wraps up at the end of this week, so the results are not yet available.

The real-world implications of this exercise are vast. For example, in 2016 when Cyber Command targeted and disrupted ISIS propaganda operations, the command could quickly build out all of its knowledge of ISIS operations in a PCTE simulation to better prepare to target the terrorists’ computer networks at a later date.


Cyber Command could also use the PCTE to train Department of Defense personnel and private sector entities on adversarial malware and tools Cyber Command finds when it hunts for adversarial malware on allies’ networks, such as Russian or Chinese malware.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts