Tallinn, Estonia – Things are bad on the small island nation of Berylia after a diplomatic row with Crimsonia, its bigger neighbour and rival. There are street protests by the Crimsonian minority in Berylia, which then suffers a wave of cyber-attacks that make it lose control of its drones and its only international airbase.
Crimsonia is blamed for the cyberoffensive even though there’s no hard proof. Crippled by the attacks, Berylia, a new member of the North Atlantic Treaty Organisation (NATO), weighs its options. One of them is to invoke Article 5 and take the military alliance to war against Crimsonia.
Berylia and Crimsonia are fictional and so is this scenario, which is part of Locked Shields, a cyberwar game. But the fact that the situation doesn’t sound that far-fetched is one of the reasons why Locked Shields is so relevant today.
Locked Shields is “the world’s largest and most advanced international technical live-fire cyber defence exercise”, as described by the NATO-affiliated Cooperative Cyber Defence Centre of Excellence (CCDCOE), which has been organising it since 2010 in Tallinn, Estonia.
This year, the event was organised at a five-star hotel in Tallinn’s city centre in late April. An entire floor of the plush hotel was dedicated to the cyber games. Everyone was armed with a laptop, monitors were placed all over the place and a drone hung from the ceiling in the Control Room where people in white, green and yellow T-shirts mingled.
Sharing the duties
The White Team is in charge of the scenario and the Green Team is responsible for the physical and online infrastructure of Locked Shields, which includes more than 3,000 virtualised systems, some highly specialised and all mirroring the top IT trends. They operate via private networks not accessible from the open internet.
The Yellow Team is tasked with situation awareness and the people in red T-shirts have their own adjacent room: they are the in-game malignant hackers who will be attacking Berylia, and who in their day jobs are penetration testers, network and system administrators, cyberthreat analysts and such.
Many of the participants are CCDCOE staff, and the rest are a mix of techies and cyber-security experts from the private and public sectors of 25 countries.
Most are male and aged between their mid-20s and mid-40s, some are older, some are of obvious military background. There are very few women: cyberwar, it seems, is still a men’s game.
One colour is missing here: that of 19 participating Blue Teams, each one playing the role of Berylia’s Rapid Cyber-Response Team.
All but one are national teams from NATO members and allied countries, and the remaining one is from the NATO’s cybersecurity wing, Computer Incident Response Capability (NCIRC).
The Blue Teams usually play from their host countries where they all start with the same scenario and then follow their own paths as they are more or less successful at keeping the cyber-attackers at bay. Locked Shields is a competition: the Blue Teams are scored and at the end ranked. Last year Slovakia won ahead of the NCIRC and Finland.
After two days of preparations, the exercise was launched on April 26. The 19 defending teams spread all over Europe woke up to a fake news story accusing Berylia of having produced a drone for spraying chemical weapons.
This causes protests in Berylia and condemnation by Crimsonia, then the cyber-attacks begin and immediately, several Blue Teams have their firewalls compromised by the Red Team hackers in Tallinn.
As long as they remain inside and invisible, the attackers can steal and modify data, and maybe even control the systems.
In real life, it would not be exactly like this, though.
“During this game, they are giving you the infrastructure to protect web pages or mailing systems that are already vulnerable. In the real world, you are protecting your systems on a daily basis,” says Klaid Magi, leader of the Estonian Blue Team, which is playing from a room in the Estonian Information System Authority, where Magi works as head of the cybersecurity unit.
Once attackers get inside your systems, havoc may follow, as happens for some Blue Teams when fuel pumps in their airbase are hacked and spill their contents, causing a fire. Smoke can be seen and suddenly these teams start receiving emails and Skype calls from the in-game journalists in Tallinn.
In the hotel, the Control Room is frantic with people in white, green and yellow typing, walking around and speaking to each other, mostly in English and Estonian. However, the room next door where the people in red are sitting and where the cyberattacks are coming from is eerily silent and calm.
Playing a game of catch-up
“You need to be very concentrated, it’s really distracting if there’re people talking, it’s like chess,” says a Red Team member who cannot reveal their name. The way cyberattacks work, the aggressor makes the first move, often expecting to be caught and, as in chess, sacrificing a piece to prod their rival’s defences, who then responds before it’s the attacker’s turn again, and so on until the game is over.
“Attackers are usually a step ahead, so often it’s a catch-up game,” explains Mehis Hakkaja, the Red Team leader and CEO of a cybersecurity company in Tallinn.
Attacking is easier than defending because – be it a smart toy, a mobile phone or an airport’s power grid – the hackers may just need access to one entry point while the defenders have to protect all the possibilities.
“The internet is very vulnerable to manipulation if the actors are professional, and especially if they are nation states [which can use their bureaucracy to set well-organised cyberoffensives],” says Kenneth Geers, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and a CCDCOE ambassador.
In 2014, the Russian offensive in eastern Ukraine and the annexation of Crimea included – like this year’s Locked Shields – cyberattacks against power grids and an airport.
The Russian campaign in Georgia in 2008 had already been preceded by cyberattacks against Georgian websites. And the year before the target had been Estonia, which after a diplomatic row with Russia received three waves of cyberattacks that blocked government, banks, media and telecom companies’ websites.
Fingers have been pointed at Russia for the attacks, but there isn’t definite evidence of the Kremlin being behind them. And it’s of course not just Moscow: the most famous cyber-attack of all, the malware Stuxnet, which managed to damage the Iranian nuclear industry, is believed to have originated in the US and Israel.
By the second day of attacks in Locked Shields, some Blue Teams have had their airbase’s power grid hacked, leaving the airport without electricity, which means no planes could land or take off from the island nation, effectively cutting if off from the rest of the world. As the prime minister of Berylia, what would you do in this situation?
The overall aim of the political game is to push the Blue Teams to a point where they are forced to consider invoking Article 5 and taking NATO to war against Crimsonia.
“And surprisingly most nations did. Basically, they all went to war, we didn’t expect it,” says Matthijs Veenendaal, head of this part of the game and Strategy Branch Chief at the CCDCOE.
Veenendaal says last year in a similar situation, no team invoked Article 5.
But he believes that the teams that went to war did so on purpose to push the scenario to its limits and make the most of the learning experience.
In today’s tense geopolitical situation, and seeing how in the past supposed cyberaggressors got away with attacking, why don’t rival countries launch more damaging cyberoffensives against each other?
A Cyber Cold War
First, many cyberattacks never become public and so there might actually be serious cyberaggressions between nations that we don’t know of. Then, “there’s some evidence the major powers are inside each other’s systems quite a lot,” says Fred Kaplan, author of Dark Territory: The Secret History of Cyber-War.
This would allow some countries to know who is attacking whom, but at the same time would prevent them from using this information publicly to avoid revealing their methods of cyberespionage.
On the other hand, the big powers being inside each other’s networks can make possible an immediate counteroffensive. It’s a situation not dissimilar to the use of nuclear weapons, like a sort of Cyber Cold War, in which cyberespionage is tacitly admitted but the major powers avoid harming each other too much by cyber means out of fear of having their own systems destroyed too.
But cyberattacking is not just about computers; it is also about reaching minds and influencing your rival’s society.
“[While] the US and UK understanding of ‘cyber’ is predominantly technical and computer network-based …, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals,” said a report published last April by a British parliamentary committee and referring to the 2016 American elections and Brexit referendum.
“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear.”
Then, of course, the US, the UK and other Western powers have a record of trying to interfere in other countries’ elections by different means.
Information warfare and cyberespionage are here to stay, but experts agree that the omnipresence of computer systems in every aspect of our lives means all armed conflicts will have a cyber dimension.
And here the danger may lie in the big differences between decision-makers and hackers.
“The gap between strategy and tactics is huge, and the two groups don’t really know each other that well or even speak the same language,” says Kenneth Geers.
“Cyberspace is much more Sun Tzu than it is Stalingrad: you have to apply a lot of intelligence, and a lot of forethought and imagination into a cyberattack, it’s a very complicated thing.
“And so often the effects [decision makers] are seeking to achieve are inconsistent or incongruous with the [cyber] means available, which are really quite narrow and very specific,” he adds.
The human element
Technologically, things are only going to get more complicated as more devices get connected and can, therefore, be hacked.
Cybercriminals can make money and also create chaos, as shown by the ransomware attacks that affected many countries in recent weeks. But it is state actors going on the cyberoffensive that can really be destructive.
“In terms of what would an all-out cyberwar look like, I sometimes dread to think,” says Ian West, NATO cybersecurity chief, speaking from this agency’s office in Mons, Belgium.
“Because of our dependence on computer systems for so much in our lives, so much in our countries and our organisations, the destruction or perhaps just the changes that could be made to these systems could be absolutely catastrophic and have a subsequent catastrophic effect on nations.”
In the end, the Czechs win this year’s Locked Shields, with Estonia coming in a close second and the NCIRC finishing third.
“But the best thing about Locked Shields isn’t who wins but the community the game is creating year after year,” says Rain Ottis, scenario chief, who has been dubbed “the architect” because he’s been part of the organisation in every edition of the game.
“Because should something really go wrong, it’s always nice to know that I have a friend in that country, in that organisation, [and we know] what we can do to help each other. And this is quite often the critical step in managing major cybercrises because in the end they tend to be human-caused and they have to be solved by humans on the other end.”