T-REX 2021 After Action Report
T-Rex … wow, was that a wild 48 hours?
And, it wasn’t even real.
I can’t imagine the chaos and confusion that would accompany a real world emergency. I’ve spoken to one person who experienced the Alfred P. Murrah Federal Building bombing in Oklahoma and he described overwhelming chaos and confusion. Another friend shared with me stories of being caught up in the aftermath of Hurricane Katrina, confined inside the Louisiana Superdome. His stories will raise the hairs on the back of your neck.
Despite my personal beliefs about our federal government over-reach and especially police state like activities of FEMA, I’ve got to give them some credit for the emergency communications systems they have constructed since 9/11 and the work they’ve done to better prepare the citizenry. My training received as a CERT member and FEMA ICS training, for example, is useful in organizing and delegating responsibilities among our local AmRRon team. That, and other training from ARRL, ARES, SATERN, and other emergency communications organizations will be emphasized more in our group in the future.
Sadly, in my opinion, the government and FEMA have also failed miserably to engage the public as most are still apathetic with regards to emergency preparation. They still believe, “it can never happen here.”
Well folks, I don’t think it’s a matter of “if it will ever happen here”… but when it will happen. And when it does, the scenes depicted in the TV series, The Walking Dead, will resemble your new normal.
What am I talking about?… the AmRRon T-REX 2021 annual exercise.
T-REX 2021 Scenario
Like T-REX 2019, this years scenario (August 6-8) was based on a nationwide cyber attack resulting in grid power being disrupted and the shutting down of conventional communications including the Internet being shut down. Based on my real world observations of current political/technological/societal events, this scenario was not too unlike what might really happen in a real world cyber attack.
T-Rex exercise reports started earlier in the week with the mainstream media reporting cyber attacks against major telecommunications, electrical power grid, and economic sectors. By Wednesday, cyber warfare intelligence reports indicated worldwide infections of critical infrastructure with time-delay ransomware ‘worms’. Governments, NGOs, and private critical infrastructure organizations around the world received letters indicating the ‘release’ of the worms at midnight on Saturday, August 7th, Greenwich Mean Time, unless a ransom of “one trillion US dollars” is paid via crypto currency by the deadline.
World leaders held an emergency virtual summit with their cyber security experts with the World Economic Forum (WEF) playing a key role. After reviewing previous WEF cyber warfare modeling exercises, the nations collectively decided the following:
- Temporary global ‘quarantine’ of all internet-capable devices. Deemed as necessary to isolate the ransomware worms, preventing them from spreading to otherwise healthy systems.
- Passing emergency protocols requiring internet service providers, routing systems, and servers to shut down until a solution can be found.
- International agreement by UN, EU, NATO nations to require shutdown of all internet access at 19:00 hours, Greenwich Mean Time (aka. UTC or Zulu).
The responsible party was unknown, but suspected to be a state actor posing as a criminal hacker syndicate. Indicators point to Russia, China, Iran, and North Korea, but forensics experts believe this is an intentional deception tactic by the responsible party to confuse and mislead investigators.
Friday morning, AmRRon operators received alerts that communications and Internet services were shutting down and thus began the T-REX 2021 exercise at 19:00Z.
I learned from the AmRRon IES (Initial Event Summary) that commercial power, telecommunications, and the Internet was all shut down at 19:00z. CISA (The Cybersecurity and Infrastructure Security Agency ) indicated the international disruption was intentional and necessary to avoid a “cyber pandemic.”
Some T-REX Key Take Aways and Issues Revealed
Overall, I think the exercise was a resounding success. I accomplished nearly all the goals I had set out for the exercise, i.e. to practice with my communications equipment under simulated austere conditions, to include: off-grid power; establishing and conducting a local 2 meter net in accordance with the Signals Operating Instructions, with emphasis on generating Status Reports and successfully submitting and receiving those STATREPs during scheduled nets; and to pass, receive and/or relay pre-developed traffic exercise traffic. The only two goals not accomplished was uploading our localized STATREP upstream to a AmRRon HF NCS, and not making contact with JS8Call.
While I stayed mostly on-grid for most of the exercise, I did encounter a real-world failure of my station power supply and successfully transitioned to back up batteries with little disruption. My batteries only consist of multiple 7.5 Ah SLA batteries and I was reminded that I need to improve my battery backup setup, to include the ability to recharge with solar panels.
Although my JS8Call software appeared to be working correctly, I expected to begin receiving PIRs (priority intelligence requirements) from other stations. I had previously exercised with this software, exchanging PIRs, etc., but for whatever reason was unable to receive any of those and as best I could tell did not successfully submit my PIR.
Other than that, my radio equipment, antennas, and software worked essentially flawlessly. I did have to reset the COM port in my FLdigi software once when it stopped transmitting. I was also pleased with my increased skill using FLdigi and believe I was more comfortable managing that software. I do need to get that software off my desktop computer in the future and operating on my laptop which would be more energy efficient.
Although not practical for me right now, I can see the advantage of having additional HF transceivers enabling me to monitor voice and digital at the same time. It was a bit cumbersome switching back and forth my Icom 7300 from voice to digital mode and changing antennas where necessary.
Knowing beforehand my inability to work the 80M band on my Alpha Delta DX-CC antenna, I deployed my recently acquired Wolf River Coils TIA antenna with an additional three counterpoise wires and tuned it for the 80M band. It worked great and allowed me to work 80M. Also, my recently acquired dual band Tram 1481 antenna worked great.
Wichita/Sedgwick County 2M AmRRon T-REX Activation Net
When the exercise began, I first took to HF frequencies to find out what was going on. Within the hour, we also activated our local 2-meter net to inform others what happened and began to acquire local STATREPs.
I was especially pleased with our Wichita/Sedgwick County AmRRon team that successfully went on the air with 5 scheduled 2 meter nets (146.420 MHz) in accordance with the AmRRon SOI accepting local STATREPs and sharing national SITREPs received on HF bands. Numerous other reports were filed about criminal activity in the area and public safety announcements. Overall, AmRRon radio operators were on the air for over 30 hours over the three days of the exercise taking approximately 52 check-in (many duplicates).
It was interesting to see how we tried to make it feel realistic while only an exercise. I’m sure if this had been a “real world” emergency it would have been much more active and chaotic. One thing that occurred to me towards the end of the exercise was that because much of the official AmRRon traffic did not pertain to our local area, I could take that traffic and re-write it, making it more local and pertinent to our 2 meter participants. After all, in a real emergency it’s great to know what’s going on in other parts of the country, but more important to know what’s going on in your local community.
Even though there were times during the activation it appeared nobody was listening to the NCS and there were no check-ins, I think it’s important to remember there may be numerous people listening from the bleachers.
The NCS needs to treat their conduct of the net “as if” people are listening and the exercise should be treated as “real world”. The information presented needs to be precise and informative as people need direction. People need guidance of what is expected from them and how to orderly check in. The NCS also needs to regularly ask for check-ins and provide regular status updates.
It was also difficult for the NCS picking up a later net to know what had transpired earlier and what the latest intel was. As a team we need to hand off one net to another with a briefing, sorta how the Incident Commander described in ICS would pass from one person to another. Of course, with no email, that could be difficult. I’d love to explore ideas of how that could be done.
A local net issue that arose was the importance of taking recurring roll calls of those checked in, especially those that were providing intel, to see if they were still present and if they had updates to provide the net. We will be incorporating that practice into future activation scripts.
Personally, I liked practicing keeping a Net Control Station (NCS) Log and Communications Log as provided in the AmRRon SOI. I found them very useful for organizing the tracking logins to the net, QSO’s, and SITREP information received on HF and traffic on 2 meters. It got mind boggling real quick with the inflow of net checkins and updates and I found those AmRRon forms very helpful to document our localized SITREPs and keeping everything somewhat organized.
One thing our group discussed was how helpful it would be teaming up NCS’s with a Scribe or logger to take some of the work off the shoulders of the NCS. It was noted to make that work, we would need to have more participation from other AmRRon members.
Another interesting idea from one of our NCS was that you could take some of the more repetitive parts of the net, like recurring IDs and asking for check-ins, and record those portions to play back over the radio. While my IC 7300 has that ability for HF, my 2 meter IC 2730A does not. I may look at upgrading to radio like the IC 9700 or other modern radio with the record/playback option.
I also noticed our 2-meter NCSs were not practicing local communication outside the formal net to other ham frequencies, emergency services, etc. Although we had developed plans for that in our local SOI, we did not implement those procedures. I would like to address those practices more in future local training exercises.
In a “real world” emergency, I would not want to rely on just AmRRon or any other individual source for intel. Instead I would want to monitor other emergency nets, traffic nets, over the air news radio, and social media if possible.
As a group working this exercise together, it would also be helpful if the leadership and/or NCS had some sort of other communication channel available to pass more organizational or tactical traffic. Since the Internet and cell phone service was down we could not communicate by email or text messages. It would be nice if we could all afford satellite phones or some other technology that’s still working. That’s something, too, we might want to explore in the future.
Perhaps my biggest disappointment in the exercise at a local level was the limited participation by our Wichita/Sedgwick County AmRRon group. Fewer than half our members showed up to check-in and/or participate in our 2 meter net. While I’m grateful for the few dedicated members that did take the exercise seriously and maybe I’m wrong, but I like to think we can do better.
If T-Rex were going to be held next weekend, one thing I would change myself is to have more substantive communications with our team of NCS operators. For example, once the exercise began I discovered one of our NCS operators had not received my earlier emails and as a result was not adequately prepared once the exercise began.
One piece of advice I would give to others is to take the exercise more seriously and be better prepared. Also, if you’re going to incorporate local 2 meter nets, I’d recommend delegating more activities to more operators. I know for myself, trying to conduct local nets and at the same time monitor national/regional HF voice and digital nets got pretty overwhelming at times. Also, it was suggested by one of our members to have alternate net controls working together as a team scheduled so that when one operator had to be away from their station, another could fill in.
Three things stood out for me that I would like to see differently for future T-REX or other training exercises:
- A more robust nationwide grid of HF operators. Propagation being what it is, it was nearly impossible for me here in the mid-west to communicate with National or Regional AmRRon voice nets and only slightly better for the digital nets.
- Confusion regarding net schedules and Persistent Presence Net. For whatever reason, some of the SOI published operational HF and digital nets seemed to be non-existent, on different frequencies, and at different times. I found myself abandoning the SOI band plan and searching out alternative frequencies to attempt making contact.
- Better trained NCSs. This one not only applies to our local group but for national AmRRon operators as well. I found it quite frustrating on some of the digital nets, for example, where the NCS seemed disorganized and not providing clear instructions, and in some cases not able to provide fills of incomplete Flamp transmissions.
NET Traffic
I expected to begin receiving PIRs (priority intelligence requirements) from stations using JS8Call. I was unable to receive any of those and as best I could tell did not successfully submit my PIR.
I understand there were 22 pieces of official AmRRon traffic, designated by ‘TA-xxx’ followed by three numbers. I was only able to copy and receive 7 of those:
- TA-4, TA-5, TA-8, TA-11, TA-12, TA-16, and TA-20
Although each was relayed to our local 2 meter net, I was not able to relay any on the HF voice/digital nets.
I understand there were an additional 6 pieces of official PrepperNet traffic, designated by ‘TP-xxx’ followed by numbers. I received NONE of those.
Nor did I receive either of the two official pictures/images that were supposed to accompany two of the messages.
I did successfully receive the AmRRon IES and AIB.
Our NCS team is planning a face-to-face meeting soon to discuss our after action reports and how we can improve our local group’s response to an emergency. I also want to discuss how we can get more involvement in our local area and upgrade some of our operators radio/technical skills.