Crisis in Icebergen: How NATO crafts stories to sharpen cyber skills

Andravia and Harbadus – two nations so often at odds with one another – were once again embroiled in conflict over the past seven days, which thoroughly tested NATO’s cybersecurity experts’ ability to coordinate defenses across battlefield domains.

Around 1,500 practitioners took part in the annual battle that engulfed the island of Occasus-Icebergen, all working together to remediate cyberattacks on critical systems, the effects of which influenced how land, sea, and air forces were able to respond.

It does not take a geography buff to know that none of these places really exist, but the digital dust-up was certainly real.

The fictitious two-nation island has played host to a NATO training exercise for years that tests military cybersecurity personnel’s ability to work together as hostile forces launch hybrid attacks on a nation they’re tasked with defending.

NATO invited The Register to its headquarters in Tallinn, Estonia, to observe the final hours of this year’s Cyber Coalition exercise, and understand how the organization and its member nations decide on the storylines that underpin each of the mission’s scenarios.

Cyber Coalition started in 2008 and has run every year since. It lasts a week and is mentally exhausting for all involved, we’re told. Its purpose is to assemble NATO countries’ cyber defenders and test their mettle against real-world adversaries’ modern tradecraft.

Military personnel from 29 NATO members and seven partner countries participated this year, each working with limited information – a different snapshot of the conflict situation – and tasked with communicating what they know to their international colleagues to remediate each issue.

Seven missions, or storylines, ran concurrently. These are all related to real-world cyberattacks that have spillover effects on countries’ traditional, kinetic warfighting capabilities. 

Some were handling a cyberattack on a critical national infrastructure (CNI) system, others were trying to find an adversary in a nation’s backups, while more still were working with an attack on a satellite communications provider.

All these storylines are tailored to the current training demands of nations responsible for defending these kinds of attacks on real militaries’ systems. They test defenders’ abilities to deter their adversaries’ latest tradecraft, and as exercise leader Commander Brian Caplan said, they’re always influenced by real-world attacks from the past year.

How to craft a NATO-grade storyline

Cyber Coalition is meticulously crafted each year through a series of storyline conferences attended by participating member countries that are designed to strengthen defenders’ cooperation skills.

Caplan told The Register that almost always the storylines are based on those from previous years, just with some tweaks to ensure they test the most relevant skills in operation today, and to ensure the difficulty is set to the right standard.

The draft storylines are then taken to a series of scripting conferences where the details are fleshed out by participating nations. Representatives will pick one story to develop and pitch the details to NATO, which will then refine it before it becomes a confirmed scenario.

Caplan said: “There is an initial planning conference, where we introduce the storylines, the shell. So then they go back, they talk to their national reps and local trainers, and see where they want to play, because it’s all a voluntary basis for them to grab one of the storylines. 

“They come back, and by the time we get to the national scripting conference, they have done about 80 percent of figuring out where they want to go, what they want to do, and they present it to us. We either give them a ‘yes, you’re on the right track,’ or, ‘have you thought about here?’

“Then we’ll have a final conference, before execution, in between, and really, at that time, the nation should have 98 percent of a script, how they want to play the scenario. And it’s really just fine-tuning and getting ready so when they come to execution, it’s game time, and they run off and do great things.”

Cyber Coalition takes the exercises developed by NATO’s Joint Warfare Center (JWC), which make up around 80-85 percent of their content, and tweaks them to suit the needs of participating nations. This comprises the storyline shell Caplan referred to.

The only caveat to this is that Cyber Coalition storylines never involve situations that would trigger an Article 5 NATO response.

Some of them, like the attack on a CNI entity, are mainstays of the exercise program and recur each year, while others bring new scenarios to defenders, such as the satellite communication attack story. But regardless of the situation, each is built around modern threats to ensure defenders’ skills are up to date.

“Absolutely every storyline, no matter if it was played last year or new, we look at what’s happening in… the real world,” Caplan said. “And we’ll always tweak them to some degree to make it more realistic for the nations, because no one wants to play on something that doesn’t make any sense or that’s way outdated. 

“So, we do a really good job of making sure that we’re researching, we’re seeing what’s currently been affected by nations. We tend to grab things that have affected multiple nations, at least what’s on, you know, the internet, the public platforms, and then we kind of use that as our base.”

One example of how real attacks influence training exercises was the addition of the attack on a satellite communications provider this year. NATO officials said Russia’s 2022 attack on Viasat, timed with the onset of its invasion of Ukraine, heavily inspired this year’s space-domain storyline.

NATO recognized space as a military domain in 2019, although this year’s Cyber Coalition is the first to feature a storyline covering it. 

Ezio Cerrato, Cyber Coalition’s exercise director and storyline lead, said space-layer attacks are increasing in the real world and they lead to immediate cross-domain consequences, since so much everyday technology touches space in some way.

Asked about the tweaks NATO makes to the stories that participating nations submit, the commander said in recent years the players were given more choice over the type of CNI entity that’s attacked. In previous years, NATO had taken a more hard-line approach on what type of organization should be the focus.

In other cases, it’s a matter of properly setting the difficulty level, and pacing the story in a way that both challenges the players while allowing enough leeway for real learning to take place.

Caplan said: “Most of the twists are just making [the story] either more complex or we did too much… We either made it too difficult in the beginning, like too many injects, and so we had to space it out a little bit this year, or we were too slow, and then we had to add more engines. So, some of it’s just like the flow of the exercise or the storyline, to make sure it can complement as many nations as possible that we can do.”

Friends, not foes

The curious among The Reg readership will likely be wondering about the success of the exercise. Did NATO manage to quell the conflict? Who won?

We vultures are curious too, yet when we asked about the outcome of the exercise, and whether the teams succeeded in all seven storylines, NATO officials were reluctant to offer any concrete indications.

Reporters in attendance were also not allowed to know what the storylines specifically entailed, other than top-line descriptions, such as attacks on CNI.

One exception was the revelation that a storyline, which featured an attack on a fuel management system, involved malware. Participants were tasked with investigating the incident, understanding how the malware worked, how it was distributed, and mitigating the operational effects of deployment.

To illustrate the difficulties in acquiring this basic information, we were only able to piece together that there were fictitious countries involved by gleaning clues from around the simulation center, different interviews, and conferring among ourselves about what they might mean. NATO only confirmed the names of the countries after some polite nudging, but not where they were supposedly located, or the made-up geopolitics of Occasus-Icebergen, or which country was the aggressor.

However, success isn’t really the aim of the Cyber Coalition game. It differs from red-blue team exercises, like NATO Locked Shields, in that it is not graded. Participants are brought together to tackle modern threats and work on their collaboration, without having to face any real consequences. Participants are encouraged to take risks and learn from them in this lower-stakes environment. 

Caplan told us most nations involved are competitive, but being aggressively successful in Cyber Coalition does not always translate to overall victory in the exercise.

In Locked Shields, nations are pitted against one another, yet Cyber Coalition stories only advance when all participants complete their goals. Each country sees only part of the situation – reflecting how NATO members respond to real attacks – and must work with others, who themselves understand only a snippet of the attack, before they can proceed in the exercise.

The commander said: “What is good is that nations might get to a certain point quicker, but then they have to wait until other nations catch up, because they need information from the other nation. So sometimes it doesn’t benefit you to be that fast.

“In previous exercises we didn’t have those points where they had to wait, and so some nations were really finishing within the first few days for that storyline. And then they had other storylines that they could focus on, but that one storyline was over, you know, for them. So, we try to find that balance for them.”

The shared responsibility for success is designed to build trust between participating countries, which, we’re told, are not always willing to share many details about how they operate.

However, whatever communication barriers were in place are broken down as the exercise progresses, NATO said, and participants take frequent breaks from the simulation room to mingle in common areas too.

And if the small talk over a coffee didn’t do the trick, the Thanksgiving spread arranged by the US team for around 70 of their Cyber Coalition teammates sure did.

With the exercise beginning on Friday, November 28, and running through the weekend, the 16th Air Force worked through the holidays but found time to celebrate in the evening, treating their transatlantic counterparts to Yankisms of turkey, sweet potatoes, deviled eggs, and more.

Cyber Coalition and the tasty team feed played out at CR14, the only facility certified by NATO to host these training exercises, located a short walk from Estonia’s Ministry of Defence.

Around 200 military staff members serving as exercise controllers for their respective nations occupied the simulation room, while around 1,300 cyber practitioners participated remotely.

The US, for example, sent some of its own experts to Romania and Georgia, while hosting their allies’ practitioners at its San Antonio-Lackland base for the duration of the exercise.

The simulation room itself is not as high-tech as you might imagine. The walls were painted plain white, the wooden floorboards weathered, and every window in CR14’s facility was covered by a grey-beige satin sheet.

Teams were separated by fabric partitions similar to those found in low-budget US offices – or at least how they’re depicted in TV shows – with only a laminated piece of paper bearing the country’s flag stapled to them to differentiate the battle stations. ®
