Against a backdrop of war in Europe, NATO’s annual ‘Locked Shields’ cyber exercise took on extra importance in 2022. Gerrard Cowan takes a look at this crisis simulation and how the cybersecurity industry gets involved.
Sophisticated cyber-attacks targeting critical sectors affect all sections of society, as demonstrated by the hybrid war taking place between Ukraine and Russia. As a result, a plethora of cybersecurity companies, non-profit organizations and institutions with a keen interest in cyber are now working closely with military experts in cyberspace exercises. The collaboration offers a range of benefits to both sides.
There are numerous cyber-focused exercises and activities with a strong military element. The largest such example is ‘Locked Shields,’ an annual exercise organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The Tallinn, Estonia-based organization works with the alliance without being a formal part of the NATO command structure.
The 2022 exercise included more than 2000 cyber experts from 32 nations. It was based on a ‘red team vs blue team’ scenario in which a fictional Atlantic island – Berylia – suffers a coordinated wave of cyber-attacks against its military and civilian IT systems.
The exercise, held in April, featured a heavy military component, including representatives from the Estonia Defence Forces and the country’s Ministry of Defence (MoD). However, it also comprised a range of other organizations of varying sizes and focuses within cybersecurity. One such contributor was Hack The Box, a provider of online cybersecurity training solutions.
According to the firm’s CEO Haris Pylarinos, Hack The Box contributes to Locked Shields by creating content, including “some of the challenges presented at the exercise.” It has performed similar work for other military exercises, including Greece’s Panoptis event, to which the company contributed content for the past two years. Pylarinos is also a former winner of Panoptis.
Such exercises are a unique experience for companies like Hack The Box, says Pylarinos, because the scenarios involved focus on “all of the operational aspects that militaries would include.” This is not simply a cyber-attack, he notes, but a cyber-attack that involves physical moving parts, many of which are not restricted to defense systems but cut across critical national infrastructure and the private sector: for example, communication platforms or power grids.
“They have a lot of tabletop exercises and decision-making on how to respond to the crisis,” Pylarinos tells Infosecurity. “It’s not just about the purely technical side and it’s not just hacking something or defending something. It’s about how we operate.”
Such exercises provide organizations like Hack The Box with insights into the needs of military entities and how they view the potential impact of a cyber-attack. The scope of events like Locked Shields also provides significant benefits, he adds.
“These are massive exercises involving maybe hundreds of people,” he says. “The way you organize and operate is much more structured than what you see in a five-person team within an organization.”
Merging Military and Financial Services
Another participant in Locked Shields this year was the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit cybersecurity community for financial services that has members in 75 countries. Cameron Dicker, FS-ISAC’s director of global business resilience, says that exercises are a key tool in the financial sector’s cyber defense toolkit, with FS-ISAC participating in such events and organizing its own.
FS-ISAC has participated in Locked Shields for the past two events and plans to do so again in 2023. It coordinates and oversees the exercise’s financial sector scenarios, in terms of designing the scenarios and collective response. Its membership’s experience is leveraged to design the financial systems used and the cyber-attacks conducted upon those systems, while it also designs a strategic track for senior decision makers, in which they must grapple with societal unrest, interdependencies and misinformation campaigns.
Speaking to Infosecurity, Dicker highlights the tight interconnections between the financial domain, the military sector and other critical security and economic priorities.
“As we have seen this year, a military conflict between two countries can still have a global impact on the cyber-threat landscape, including on the financial sector. This is why such exercises are a key tool in global cyber defense,” he says. While FS-ISAC runs many sector-specific exercises, “the world is complex and messy, with all sorts of interdependencies. The cross-border, cross-sector nature of cyber threats means we need cross-border, cross-sector, public-private defense capabilities, which is what we are building with exercises like Locked Shields.”
Diversity of thought and experience is nearly always beneficial when it comes to cyber resilience, Dicker adds. Cybersecurity teams that have the same background and experience view the cyber-threat landscape in the same way; they are more likely to miss things that would be caught by someone with a different perspective.
“The same situation exists across sectors. Cyber-resilience grows effectively through sharing insights and experience between entities with differing experiences, threat landscapes and strategies. This is especially true of learning from the public sector, which is extremely mature when it comes to intelligence collection and utilization, as well as defense strategies and capabilities.”
Some of the biggest names in tech have been involved with such exercises, including Microsoft, which took part in Locked Shields 2022. A spokesperson for the company says that with the growing importance of cloud environments globally, such exercises “provide NATO nations and our partners with critical experience using the latest tools and capabilities to protect and defend vital cloud-based IT resources from growing nation-state threats.” The company is involved with a range of other programs around the world that involve national defense organizations, the spokesperson adds.
One of the challenges of participating in large-scale exercises like Locked Shields is often an issue of lexicon, says Dicker: participants from different sectors come to the table with their own ways of talking about an impactful cyber event.
“In some cases, we are using the same words to talk about different concepts,” he comments. “However, this is part of the reason we participate in these kinds of events. We do not want to be guessing at terminology in the middle of a crisis response.”
FS-ISAC plans to continue participating in such exercises, Dicker says, while it is also developing a new series of exercises for the financial sector that will test the sector’s crisis response procedures in a more hands-on fashion.
“Both the public and private sectors can learn from each other’s strategies and defense tactics,” he argues. “Understanding how the private sector responds to cyber threats gives the public sector a fuller picture of the impact on society of cyber threats and how they can best deploy their resources to protect citizens.”
IT Across the Domains
Finnish cybersecurity provider Arctic Security has contributed its software solutions and a range of other consultancy and training expertise to Locked Shields. Jarkko Huttunen, the company’s head of solutions, believes the exercise brings a unique scale and intensity.
Additionally, Huttunen says the exercise brings a level of flexibility in terms of private-military and government cooperation, which “makes it appealing for private companies to participate, as opposed to purely military exercises.”
Huttunen emphasizes the degree of overlap across sectors when it comes to cyber, including the military. “IT is IT in both [military and civil] domains, and defending them is something that involves both the military domain and civilian infrastructure.”
For Pylarinos, the collaboration between a range of experts from different domains offers clear benefits.
“The more people you involve, the more insight you gain. That’s something that any organization – either public or private – will benefit from.”
This year’s Locked Shields exercise acknowledges the potentially devastating impact of cyber-attacks on critical infrastructure, and the need for a coordinated response across the public and private sectors. Amid an increasingly uncertain geopolitical landscape, such preparations are essential.