In June 2001, a group of former US officials sat in a room in Washington and role-played ‘the end of the world’.
The exercise, called Operation Dark Winter (which may well have inspired Ubisoft’s The Division videogame), wasn’t a Marvel spin-off.
It was a bioterrorism simulation that reimagined a smallpox epidemic being deliberately set off in Oklahoma.
Within hours of the exercise kicking off, vaccine reserves were exhausted, hospitals were overrun and collapsed, governors were screaming down phone lines for help and support from the military, and the White House realised it couldn’t keep the peace.
Public order became a major issue.
That was 22 years ago. Three months later, 9/11 happened. Four months after that, anthrax was sent via the US postal service, leading to tragic loss of life.
Two decades later, COVID-19 showed us that the fictional preparations of Operation Dark Winter were necessary. But, even then, the cracks revealed were real, and not everything went as smoothly as it should have.
And that’s not just in public health.
Dark Winter was more than a footnote in biodefence history. Lessons like this – where we test the very fabric of the whole system’s ability to survive a brutal and major catastrophe – are a reminder of what happens when the systems we depend on get stress-tested to the point of fracture.
BCP is a Process, Not a Manual
Most organisations treat business continuity and disaster recovery like tick-boxes for the annual compliance check.
They write their plans, print the manual and stick it on the shelf, and sometimes (but not always) run polite desktop simulations (also known as tabletop exercises) once a year.
Then, it’s back to BAU and all is forgotten. Tick.
But that isn’t business continuity testing. It’s nothing more than compliance theatre, aimed at satisfying the needs of an audit.
You’re living in a fantasy if you think a three-hour tabletop will prepare you for the moment systems fail, communications channels become flooded, and decision-makers face multiple crises at once.
Real resilience is built at the whole-of-organisation level, through continuous learning, iteration, and adaptation.
It’s the difference between the body’s immune system and using a sticking plaster.
Your body doesn’t keep a malware response plan in the desk drawer. It has layered defences, redundancies, and self-healing mechanisms baked in. And when the germs come in, multiple response protocols kick in, each working towards the ultimate resolution of getting back to BAU.
That’s how organisations should think about ransomware, data loss, or supply chain compromise.
You’ve heard the old cyber adage: It’s not if, but when, you get attacked.
We need, then, to consider not only how we might stop it, but also how we absorb the shock, reroute our resources to the incident, and plan our recovery to BAU.
Rethinking building cyber security resilience
What happens if we run a cyber version of Operation Dark Winter?
And I don’t mean just a tabletop penetration test using PowerPoint as our primary weapon, but a realistic scenario that tests the way your people, processes, and systems respond when things go wrong.
You don’t need to start big. Begin with a half-day simulation across two business units. Learn where your processes falter, then scale up. Like any muscle, resilience builds through repetition.
When you’re ready for a bigger challenge, here’s what I’d suggest you do:
Run a full week-long, whole-of-organisation simulation of a large-scale cyberattack, with multiple critical systems affected and multiple layers of attack (and failure) all at once.
Day 1 – A particularly virulent ransomware strain spreads rapidly through your organisation, seizing up file servers and critical information stores in minutes.
Day 2 – Your cloud provider starts throttling workloads under its own security emergency protocols.
Day 3 – Your suppliers can’t ship, and your customers can’t buy because your ERP is offline, and your e-commerce platform has no back-end database. The press finds out before your Board of Directors does.
Day 5 – The Chief Financial Officer wants to pay. The Chief Information and Security Officer says no. The regulator calls. What do you do?
Like Operation Dark Winter, this isn’t about whether your backups work or whether your Security Operations Centre picks up the attack.
It’s about watching your leaders, your processes, and your systems all perform under catastrophic strain.
Who breaks? Who adapts? What fractures reveal the hidden issues in the existing BCP manual?
COVID-19 was our real-world version of a cyber security Dark Winter. Every CIO remembers the moment when three days of stock became three months of chaos.
And we all learned that resilience isn’t just about our infrastructure. It’s about the speed of decision-making, and cross-functional trust, combined with our innate human ability to improvise and adapt in the dark.
Red Teaming Beyond the Firewall
I am talking about whole-of-enterprise red teaming, where you take an existential threat, play it out, and force the system to show its weak spots.
Every decision is countered with a devil’s advocate, a ‘what if this happens’ question, and every single opportunity for things to go sideways is explored and discussed – and never, ever dismissed.
We sometimes call this defence-in-depth. But depth isn’t just about cyber controls like firewalls and endpoint agents.
It’s governance, crisis communications, cloud failover, insider trust models, even the cultural immunity of the people in the business.
CyBOK talks about security operations as a lifecycle: monitor, analyse, plan, execute, learn. That’s exactly what these exercises uncover.
It’s not just about having logs, but about seeing the infection spread in real time, working to contain it, and flowing into recovery.
The real BCP test here isn’t whether you stop an attack, it’s whether you can recover with your reputation, your customers, and your people intact.
Minimising fallout is vital, but it’s really about countering the existential level of that attack to ensure your business is viable when you recover.
Start small: define a critical business service, simulate a disruption, and observe the recovery. Then expand. Over time, this becomes a continuous learning loop recommended by CyBOK: monitor, analyse, plan, execute, learn.
Understanding How Systems Fail
The uncomfortable truth is that crises will come. But with the right preparation, they don’t have to break us.
The good news is there are practical steps every organisation can take to strengthen its resilience:
- Run a small-scale scenario – Start with a short, cross-functional simulation.
- Map your dependencies – Know which systems and people you rely on most.
- Build your ‘immune system’ – Layer defences across technology, governance, and culture.
- Learn and adapt – Treat every incident, real or simulated, as data to improve.
Like our own immune system, organisational resilience strengthens every time it’s tested.
You don’t need to start with a full-scale ‘Dark Winter’. Start small, learn quickly, and make resilience part of your business rhythm.
Continuity isn’t just about surviving the storm. It’s about operating confidently through it.
About Tony Campbell
Tony Campbell / Enterprise Security Service Line Manager
Tony Campbell has over two decades of experience in technology and security. He has led enterprise-scale projects, authored technical books, and served as a technical editor for Apress Inc. A co-founder of Digital Forensics Magazine, Tony also developed security training for Infosec Skills. At Kinetic IT, he leads cyber consulting and advisory services.