The news reports about the lawsuit between Apple and the FBI over a terrorist’s iPhone is fraught with misinformation and security theater. It has been characterized as privacy’s last stand or as the tech industry’s gift to criminals around the world, and everything in between. I assume you have read something about the case, so will start by providing two documents that you may not have links to. Both of them pre-date the Apple case.

First is the Keys Under Doormats paper, written by more than a dozen different security researchers report in July 2015. The paper does a very good job laying out the issues involved in decrypting our modern computing devices. Many of these researchers were involved in the Clipper Chip era of the late 1990s, when the government last tried to force their way into our devices.

While you should read the entire paper, here are some highlights. The paper concludes by saying that “the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago.” They also say that providing decrypts would be “unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

The second document was written by the NYC District Attorney last November. It deals exclusively with whole disk smartphone encryption, which is the central issue of the case. It contains a proposal for device vendors to be able to unlock any phone under the request of a search warrant. The report has justifications and technical questions for both Apple and Google. Again, the entire document is worth reading, but between September 2014 and September 2015, the DA’s office was unable to execute approximately 111 search warrants for smartphones because those devices were running iOS 8, which automatically encrypts its information. They claim this feature benefits criminals and imperils the safety of us all.

Okay, here are some of my own thoughts.

Is the DA’s proposal a backdoor way around encryption? The government and law enforcement officials say no. I would disagree, and say that their proposal is probably better characterized as a side door. Having a way inside an encrypted disk compromises the disk’s security, no matter how it is done and who holds the keys.

Shouldn’t Apple, Google et al. want to cooperate with law enforcement? Sure they should but in a way that won’t be a threat to overall security of everyone. I side with the “doormats” folks on this one. The issue, as they say, is that “Law enforcement cannot be guaranteed access without creating serious risk that criminal intruders will gain the same access.”

The FBI initially stated that they were only interested in a single iPhone, and then later changed their statements. The FBI is being somewhat disingenuous here. If Apple develops the technology to break into a phone, this will certainly be used in numerous other cases. The FBI carefully picked a test case with a known criminal, a terrorist, to make their request more sympathetic to the courts and the public.

Don’t encryption tools benefit criminals? Many of us say that we have nothing to hide. Perhaps that is true, but why should citizens have their phones compromised by others who are either less sanguine about their rights to privacy or who are trying to gain access for illegal intent? Sure, gaining access to encrypted information isn’t easy: you might have read how the FBI arrested Ross Ulbricht for his activities with Silk Road. But that’s the whole point. The FBI got around the various encryption protocols he was using by seizing his open laptop at a public library in San Francisco, preventing him from closing his session so his identity could be verified and they could gain access.

Why can’t corporate IT departments make use of mobile device management tools to open their phones for the law? Indeed, this is sort of what happened with the San Bernardino case. However, his employer, the county health department, had only partially installed the MobileIron MDM tool. Because it wasn’t completely implemented, they couldn’t get all the information out of the phone. Certainly now many IT managers who have heard about this recognize the value of MDM. Perhaps they will finish their own installations as a result. But there will be many phones that other law enforcement staff will get their hands on that will be in a similar state: do we really want to pass legislation to compel IT workers to do their jobs properly? And just because I have a personally owned phone that is managed by an MDM doesn’t mean that IT can obtain any information from it.

When it comes to preparing for cyber attacks, there are a variety of tools and techniques that you should employ: firewalls and intrusion detection devices for sure. But some tools are less obvious, and involve more of the human organizational element. This is where a company called CyberGym comes into play.

In one of my favorite scenes from Jerzy Kosinski’s Cockpit, the secret agent protagonist is applying to become a spy. He is sitting in a room with his fellow recruits, waiting for the testing period to begin. What he and his compatriots don’t realize that is that the waiting room is actually under observation and part of the testing process to see how well the newbies will collaborate with each other. The recruits are subjected to a variety of temperature extremes and every so often an employee will come in to tell them that there will be additional delays before the tests will begin. The goal is figure out which of the recruits will get annoyed with the forced wait and how each one will endure these hardships. This is a lot like the CyberGym live fire exercise: you want to see how people do under pressure and how they will create allies. Who is going to crack and make things difficult with others? Who is going to demonstrate leadership?

CyberGym was co-founded by managers from the Israel Electric Corporation and has some specific facilities that relate to SCADA controls and power conditioning equipment that are found in the typical power plant. It has been used by global corporations from many different industries. The average engagement last several days as they run through a series of attacks and other malware intrusions.

I visited CyberGym‘s offices in Israel last month as part of a trip that was partially sponsored by the America-Israel Friendship League and the Israeli Foreign Ministry. Their operation is contained in a series of huts that are scattered around a historic eucalyptus grove about a half hour north of Tel Aviv. The notion is that nothing prepares a group of IT security workers better than having to be part of a live fire-fight exercise. One hut contains the attack team, a second contains the defending team, and a third is for judges and observers. Each team contains both security staff, IT and corporate management, and others from a specific company.

The idea is to replay a particular attack and see how the teams respond. Since its inception, CyberGym has conducted hundreds of these exercises, and they now have facilities in Portugal and the Czech Republic in addition to Israel. They look to see what the defenders do first, how they work together, and what things they fall down on. When I visited, the company’s founder Ofir Hason said that often the right response wasn’t anything technical, but coordinating what the team was going to do and how they actually worked together.

Fighting cyberthreats is a team effort, and involves a combination of technical and non-technical skills. Often convincing your management that you have to do something relies more on your power of persuasion than knowing how to block a remote shell executable or neutralize some malware. I like the name CyberGym too, because it implies that you need to condition your response “muscles” with real exercises, not just doing some academic threat management scenarios. Like a physical gym, you need to bulk up and do some resistance training to build your strength and add to your conditioning.

Sure, there are other teamwork-building exercises that can be done less expensively (everyone falling backwards or trying to climb through a ropes course) – but these aren’t specific to the cybersecurity realm and don’t really address this specific realm. If you want to see how your cyber team handles the next attack, you might want to book some time at the gym – the CyberGym that is.