IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cybersecurity Tabletop Exercises: How Far Should You Go?

With global cyber threats and other international tensions growing, what scenarios should state and local governments consider when conducting exercises to test their people, processes and technology?  

AI illustration of cybersecurity office
Adobe Stock/Tetlak
When conducting cybersecurity and other emergency management tabletop exercises, how far should you push your teams into uncomfortable situations?

While goals of these exercises generally focus on testing the people, processes and technology that will be used if a significant incident occurs, what scenarios go too far?

How can federal, state and local governments, and the private-sector groups that support them, best prepare for global events that could shift paradigms and impact the business of government in major ways, such as the events that occurred before, during and after the COVID-19 pandemic?

Beyond tabletop exercises on topics such as data breaches, ransomware, elections and even Cyber Storm exercises that many governments participate in, should more public and private organizations be testing their defenses against cyber attacks on critical infrastructure like water systems?

Or, to give a specific example as we enter April 2024, should non-Department of Defense organizations be preparing for scenarios like China invading Taiwan?


Backing up for a moment, consider these recent cyber threat-related media headlines and see if you can connect any dots:

Here’s a quote from the last item (last week’s blog), which covered the alarming update from several three-letter agencies earlier this month in Washington, D.C.:

“My favorite session was entitled ‘China in Your Digital Backyard’ with T.J. Sayers, director of intelligence and incident response with the Center for Internet Security; Dave Frederick, assistant deputy director for China with the National Security Agency; and Andrew Scott, associate director for China operations with the Cybersecurity and Infrastructure Security Agency. The session was moderated by Katherine Gronberg, head of government services at NightDragon. What frankly shocked me from that session was the level of concern from the intelligence community over current attacks that are coming from China.

“Scott said, ‘In the last six months, our incident response effort has confirmed that the People’s Republic of China cyber actors have been on our critical infrastructure networks for in some cases up to the last five years.’

“‘They have the access that they need, and if the order was given, they could disrupt some services in this country right now,’ he added.”

(As a related aside, CISA just released their draft Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements document this past week. You can submit your comment now.)


Here are a few more recent headlines to consider:


So how could an organization prepare with tabletop or other exercises?

First, here’s what the DoD is doing to prepare.

Also, this NBC News article describes an exercise between federal lawmakers who played various roles in a recent exercise.

In addition, another article from The Hill discussed other lessons learned from these exercises: “The wargame was carried out behind closed doors on Capitol Hill as a tabletop exercise between lawmakers, playing the role of the Taiwanese, and defense experts at the Center for a New American Security, playing the part of the Chinese. The game lasted for about two hours and reinforced the resolve of many lawmakers to address vulnerabilities they were already concerned about, said Andrew Metrick, a fellow with the Defense Program at CNAS and co-creator of the wargame.

“'I was impressed with all of the members and their thoughtfulness, their seriousness, and I would say their commitment to taking the lessons from these types of exercises and applying them to deterrence so that this never comes to pass,’ he said.”

Here are a few tabletop exercise examples from leading industry experts on geopolitical situations that may arise should China invade Taiwan:


I want to be clear on one point: I sincerely hope this scenario never happens. In fact, I believe that preparing and talking openly about this topic may make cyber events with China invading Taiwan less likely.

Nevertheless, I wrote this article to help break out of the box that has been placed around most of the current cyber tabletop scenarios I am seeing governments test around the country.

Even if you disagree that this scenario is important for federal, state and local governments to include in near-term tabletop exercises, I challenge you to find other new scenarios, possibly other cyber conflicts or escalations short of a China invasion of Taiwan, to consider in order to test your teams.

I also recognize that the majority of government organizations are focusing tabletop exercises on the 2024 elections and various scenarios surrounding ransomware attacks and/or data breaches, which are vitally important learning situations. I applaud these efforts.

But if history teaches us anything regarding preparing our teams for the unknown, it’s that we can’t become complacent regarding current world events.

In the past four years, we have seen Russia invade Ukraine, a global pandemic and an ongoing surge in nation-state cyber attacks against U.S. and NATO country civilian targets. Ransomware and other cyber attack statistics continue to climb, and government technology leaders must work with our emergency management partners to do our best to prepare to respond to these situations no matter what comes next. This means moving further out of our comfort zone.

This message will certainly mean different things to different audiences. But I ask you: When is the right time for a tabletop exercise scenario that includes China invading Taiwan?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.