1. Cyber Strategy Workshop for African Union Member States July 23-27, 2018 Addis Ababa, Ethiopia

2. National Incident Response Discussion Exercise
This exercise is designed to examine Roles & Responsibilities among stakeholders as they might manifest during a realistic national cyber incident, and to highlight organizational and communications issues that might need to be addressed in the national cyber strategy development effort.
@ 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution Unlimited. Case

3. Table Top Exercise: A Method for Identifying Stakeholder Roles and Responsibilities
Convene Breakout Groups
Review Scenario and Inject Handouts (5 minutes)
Discuss Injects 1 – 3 (10 minutes each)
Wrap-up and Summary (5 minutes)
@ 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution Unlimited. Case

4. INJECT 1
Two major national banks are reporting that they have come under persistent distributed denial of service (DDOS) attacks. They report that their web and mobile services are severely degraded. The banks also notify that they are investigating the incident.
What is the appropriate operational response to a DDOS attack?
Who is the right authority to report this incident to?
Would any (other) government organization/agency involvement / awareness of the incident be necessary under the circumstances?
What guidance would you give the banks on handling this incident?
What additional information would be required to develop a government approach to this incident?
@ 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution Unlimited. Case

5. INJECT 2
Similar (DDOS) reports come from the major telecom service provider of the country. The telecom company anticipates outages to continue for an extended period and says they will have to reduce their operational capacity to deal with the situation. They point out that a significant portion of the DDOS traffic is coming out of the nation of Obutuland. Obutuland is an AU member.
Is there a role for your organization/agency at this stage? If so, what should you do? If not, should there be a role for you?
Who do you contact/notify/consult regarding the attack both domestically and internationally?
What would you consider the responsibility of the country where the attacks seem to originate/be routed through?
How would you establish contact with the country where the traffic is originating?
@ 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution Unlimited. Case

6. INJECT 3
The banks report having identified the perpetrator of the attacks. They point out that a group has published information about vulnerabilities in their networks. The group’s postings claim that there are serious security flaws in the online and mobile services of both the banks and the telecom provider. The banks request that government take action against the perpetrators and order removal of the published information.
How do you respond to the banks’ requests?
What kind of evidence would be required to attribute the incident to a group?
Where and how can such evidence be obtained?
What stakeholders should work together to address this Inject?
@ 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution Unlimited. Case

7. Wrap-Up
Given this short exercise and discussions thus far, how would components of a National Cyber Strategy support cyber incident preparedness and response?
Legislative or regulatory measures
Organizational or structural changes
National, interagency and public-private cooperation
International, bilateral, regional and global, cooperation
Stakeholder roles and responsibilities
Governance and coordination processes
Introduce new tools or approaches
Testing components of the national cyber strategy
@ 2018 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution Unlimited. Case