NATO Communications and Information Agency staff practiced defending NATO networks from cyber assaults last month as a part of the Alliance's most important cyber defence exercise.
The staff, which monitors NATO networks 24/7, sprang into action to safeguard the networks from cyber incidents that were part of an elaborate fictional scenario.
NATO's flagship cyber defence exercise Cyber Coalition began 26 November 2018, and concluded 30 November 2018 in Tartu, Estonia. Though it was only an exercise, the scenario participants faced was realistic, and they followed procedures implemented for a real cyber event.
Cyber Coalition is a chance for NATO, its Allies and its partners to test their procedures, communication and collaboration in a safe environment. In its eleventh iteration, the exercise brought about 700 participants from 28 NATO Allies and four partner nations together to tackle an elaborate scenario.
This year's exercise centred on NATO troops that were deployed to defend the fictional country Tytan from its adversary, the country Stellaria. Adversaries were attempting to interfere with the country's upcoming elections and several cyber incidents were incorporated into the exercise. Among them, the networks supporting the mission suffered cyberattacks, and the critical infrastructure in the country experienced severe outages.
"The aim is to give NATO, that's the Allies, the partners and the NATO structures themselves, an opportunity to do all of the good things that you do in exercising. That includes testing and validation and practice and training," said Alan Sewell, NATO Cyber Security Centre exercise coordinator.
The exercise has a deterrence effect, added Jeremy Tod, head of Plans and Business Management for the NATO Cyber Security Centre.
"NATO's systems are protected by professional, dedicated teams," Tod said.
Though the sources of cyber threats to NATO, in general, haven't changed, threats are becoming more targeted during high-profile NATO events, and the attempts NATO is seeing are increasingly sophisticated, Tod said.
"NATO faces a constant battle against an increasing number and complexity of attacks," Sewell said.
The NCI Agency lent its technical expertise to the exercise in several ways, including supporting the cyber range that allowed participants to play without damaging NATO's real operational network. Staff also helped to develop part of the story framing the exercise.
And of course, others in the Agency participated in the exercise. They did not know the scenario ahead of time, and had to adapt and respond to information in real time.
"It usually feels like crisis management," said Emmanuel Bouillon, head of the Cyber Security Incident Management Section at the Agency. "Although we are prepared, the amount of information and events and incidents we have to deal with in this short period of time… is out of the ordinary."
For Bouillon's team, which monitors NATO networks 24/7 in real life, the exercise is basically one month of activity crammed into just a few days. His biggest challenge is managing the team's workload and its stress level.
The exercise, he said, is a good opportunity for them to practice using their tools and procedures in a near-crisis situation. So his staff used its day-to-day procedures and tools, and operated for the exercise out of its usual workspace in Mons, Belgium. Following routine was also crucial to making the exercise feel like a real event.
The exercise is technically challenging, and Bouillon had to ensure his team did not get stuck in a "technical rabbit hole."
"You could spend the whole exercise trying to solve one single issue, and there are times where we have to prioritize," Bouillon said. "We have to tell one of our technicians to stop, saying 'okay you've gone far enough now. We need to move on.' or 'This is not your priority anymore.'"
The exercise is meant to overwhelm the team with information, but they needed to take a step back and look at the bigger picture to explain it to the stakeholders, Bouillon said.
The organizers developed a very complex narrative to link the different cyber events thrown at the exercise participants. Though the basic scenario has been used in other exercises, the focus on elections was different, and the link between the different incidents was more difficult to pin down than it was in past years.
"Yet the training audiences across NATO and the partners were incredibly resourceful and organized in their approach to understanding how these challenges were interlinked," Sewell said. "They were highly effective at explaining that in ways that were relevant to the simulated peacekeeping mission that was being conducted."
Being a really good technician isn't necessarily enough, Sewell said. It is important that the staff can deliver solutions that solve technical challenges, but also support the commander's intent and the needs of the mission. The technicians need to have a good understanding, then, of what role the system plays in that mission.
During the exercise the Agency also deployed one of two Rapid Reaction Teams. Sewell is the coordinator for those teams, which serve as CERTs (Computer Emergency Response Teams) that can deploy where they are needed.
"They reacted in a really effective manner," Sewell said of the team deployed. "They were activated quickly, they assessed the situation well before they went so they deployed with the right people, the right skillsets, the right equipment."
Their briefings were also accurate and clear, he added.
Though the exercise has concluded, that doesn't mean work has ended for the Agency. Now the staff must identify what it could do better next time, and turn lessons identified into lessons learned.
"The whole point is for us and nations to learn from this. So I think the team is very cognizant of this and despite the fact that in the moment it's sometimes very difficult, sometimes frustrating, we are all aware that we are actually very, very lucky to be offered this space, this opportunity to learn, in a safe environment," Bouillon said.
From this exercise NATO will identify gaps, promote successes and prepare to respond even more effectively during next year's exercise.
"We can't stand still," Sewell said. "We have to make sure that in this growing area of cybersecurity we constantly develop and stay ahead."