Cybersecurity experts representing 30 NATO members are fighting a digital war this week to defend a fictional island country in the northern Atlantic Ocean. Though “Berylia” is fake, experts involved hope the lessons learned from the staged attack will better prepare them for the possibility of a Russian attack as war ravages Ukraine.
The war games, dubbed the “Locked Shields’’ exercises by The North Atlantic Treaty Organization’s Cooperative Cyber Defense Centre of Excellence’s, (or NATO CCDCOE, for short) are heralded by the organization as the “World’s Largest International Live-Fire Cyber Exercise.” Though participants engaged in the war games will role play an attack on Berylia, they’ll actually be sitting in front of desks in Estonia, itself the site of a major 2007 cyberattack. CCDCOE conducts Locked Shields annually, though the stakes of the exercise are markedly higher in 2022 with a real-world war underway within driving distance. The cybersecurity experts are looking to find cracks in their defenses and patch them, something particularly attractive as fears of a cyberattack against Ukraine and bordering NATO countries loom large.
“This year’s exercise is significant for the countries participating because their cyber defense units have been on high alert since the outbreak of the war in Ukraine,” a CCDCOE spokesperson told Gizmodo in an email. “CCDCOE has demonstrated a degree of co-operation with Ukraine in the past and will continue to do so in the future.”
In the war games, participants representing NATO nations are expected to face multiple “hostile events” that target both military and civilian IT systems, the spokesperson said. Those attacks have left Berylia’s communications, as well as its government and military networks, water purification systems, and electric power grid at near-zero capacity. With chaos ensuing, the nation’s public grows uneasy and mass protests break out.
Though cyber war gaming isn’t anything particularly new in the defense industry, the practice has grown in popularity among private firms in recent years. This test will draw participants from multiple sectors—military, civilian, and commercial—to work together to tackle threats. Organizers say they plan to pull from the “current geopolitical situation,” to develop realistic scenarios cyber defense authorities would have to quickly respond to.
Berylia’s cyber defenders will face some new obstacle this time around. According to the CCDCOE spokesperson, this year’s exercises will include a simulation of a reserve management and financial messaging systems of a central bank. Participants will also have t0 respond to incidents involving a 5G Standalone mobile communication platform treated as critical infrastructure, a first for the games.
In an interview with The Wall Street Journal, NATO Cyber Security Centre Chief Ian West said the exercises were designed, in part, to help countries communicate with one another when attacks target a shared piece of technology.
“We all use commercial off-the-shelf systems,” West told the Journal. “We’re all using the same technology and, as we know, many of these technologies come to market and unfortunately they are vulnerable.”
NATO’s Locked Shields: The Olympics of cyberwarfare
These war games aren’t judged on the binary scale of “did your country’s infrastructure survive a devastating cyberattack.” There are grades of winners and losers. Sweden emerged the victor of last year’s Locked Shields exercises, with Finland and the Czech Republic taking silver and bronze, respectively. Participants in that event were tasked with defending against over 4,000 attacks and maintaining 150 complex IT systems per team, according to the event’s organizers. The hypothetical attackers, on the other hand, were grouped together in “Red Teams” and were tasked with compromising various systems including power grids, satellite mission controls, air defenses, water purification plants, military grade radio, and mobile communications.
“We’re looking at replicating the real world issues,” Tallinn University of Technology Senior Researcher Adrian Venables said following the 2021 event. “It’s very much still technical but also [included] aspects of information, the social media side, and how people are manipulated in terms of their perceptions and how they are influenced.”
The results of those war games, according to participants, spotlighted the need for increased communication between the civilian and military sides of the IT industry during attacks. The distinctions can get muddied amid the fog of digital war. Those issues of cross sector communication appear as equally important worries in this year’s games.
“Understanding the interdependencies of national IT systems is at the heart of protecting a nation under a massive cyber attack,” CCDCOE Head of Cyber Exercises Carry Kangur said.
The Ukrainian Elephant in the Room
2022’s games will take place under the large, looming shadow of a besieged Ukraine just around 100 miles to the south. Since the start of the Russian invasion, Cybersecurity experts and Ukrainian officials have worried Russia would supplement its now two-month-long ground war with a powerful cyberattack targeting critical infrastructure.
Russia did just that in 2015, when attackers reportedly compromised Ukrainian power distributors, leading to outages for more than 230,000 people. In some cases, residents were left scrambling in the dark for more than six hours. That incident led many to fear Russia would use similar tactics in its eventual military invasion. Prior to that, Russia had used cyberattacks of varying efficacy alongside its 2008 military operations in Georgia and 2014 invasion of Crimea.
So far, in 2022 that hasn’t happened, at least not on the almost apocalyptic scale some had imagined.
“We imagined this orchestrated unleashing of violence in cyberspace, this ballet of attacks striking Ukraine in waves, and instead of that we have a brawl,” Colombia Cybersecurity researcher and former White House staffer Jason Healey told The Washington Post. “And not even a very consequential brawl, just yet.”
There are some smaller exceptions. A recent CloudFlare report shared with Gizmodo found evidence of limited attacks on Ukrainian broadcast media and publishing websites in the first quarter of 2021. Other recent reports found evidence of large distributed denial of service attacks targeting Ukrainian banks, and malware affecting government computers, but those incidents fell far short of the types of seismic, internet-shattering attacks experts had braced themselves for.
That mostly unfettered access to the internet has allowed Ukrainians to remain in contact and organize, both militarily and amongst civilians. Crucially, the internet has also served as a beacon for Ukrainians to stream first hand accounts of their experiences to the world in real time and conduct their own information war on social media. That’s helped muster sympathetic support from a wide swatch of counties around and has led to the idolization of Ukraine’s president Volodymyr Zelenskyy, himself an effective online communicator.
Exactly why a catastrophe-level cyber attack hasn’t happened yet remains shrouded in mystery. Some experts speaking with the Post said Ukraine had learned from previous power grid and infrastructure attacks in 2015 and 2016 and used those experiences to bolster defenses this time around, in a sense the same trajectory NATO members hope Locked Shields will take. Others, like Center for Strategic and International Studies Systems Engineer Malekos Smith, told Nature they believe Russia may have intended to preserve Ukraine’s infrastructure ahead of what they thought would be rapid victory. Others have suggested Russia held back in an effort to avoid attacking the Ukrainian system also used by other countries. Those unintended targets could risk bringing other countries into the war.
Update 4/19, 9:35 a.m. ET: Added comment from CCDCOE spokesperson.