Part 1: Cyber Range 14
NATO has matured into a collaborative and cooperative organization focused on securing freedom and advancing its crisis management capabilities. As the threat landscape develops, NATO strives to stay ahead of the curve by leveraging allies’ expertise to become a more effective crisis management force in the fifth domain: cyberspace operations.
Leaders of NATO nations have agreed to a guideline of spending 2% of their national Gross Domestic Product (GDP) on defense. Additionally, common funding streams allow the alliance to execute its annual budget. NATO member nations are not just diverse in culture and language; indeed, they are distinctly diverse in their size. While Estonia may be NATO’s third smallest nation in terms of population, it is at the forefront of developing cyber capabilities. The NATO Cyber Range in Estonia, operated by the Estonian Defence Forces, is a platform for NATO exercises and training in Estonia.
Estonia’s development of cyber competence is not by chance. In 2007, the country experienced a series of denial-of-service attacks that took down crucial services including banks, government email and media outlets’ broadcast capabilities. The attacks left the Estonian population with limited access to ATMs and degraded the ability of government officials to communicate during the crisis. Motivated by the havoc caused by these attacks, Estonia developed into an avid promoter of cooperative cyber defense. Utilizing partnerships between industry, academia and government, the small Baltic nation successfully advanced its ability to secure its critical information systems.
Twelve years after the 2007 cyberattacks, the Estonian Ministry of Defence (MoD) held a ribbon-cutting ceremony for the new location of the extended cyber range, CR-14, originally established in 2011. The cyber range is multifaceted in its approach. First, it aims to create a collaborative cyber workspace where industry, academia and government can test and engineer new cyber capabilities. Second, it seeks to enhance the real-life effectiveness and utility of NATO cyber assets. Estonian Defence Minister Jüri Luik stated, “CR-14 not only meets the training objectives of NATO—it enables the alliance to respond swiftly to adversarial cyber-attacks.”
CR-14 operates with funding provided both by the Estonian government and through Memorandums of Understanding (MOUs) paid by NATO member and partner nations. To date, more than 10 million euros have been spent developing cyber range capabilities in Estonia. This funding enables the alliance and its partners to host some of the world's most advanced cyber exercises. The Cyber Range facilitates NATO’s flagship annual cyber defense exercise, Cyber Coalition, as well as the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)-organized cyber exercise, Locked Shields.
Part 2: Locked Shields 2019
On the eve of national elections, post-flood natural disaster recovery efforts are also underway on the small fictional island of Berylia. To make matters worse, reports of cyberattacks targeting Berylia’s critical infrastructure roll in as Crimsonia, the adversary, concludes naval drills in international waters off the Berylian coast.
Berylian citizens report severe degradations in water purification, cellular connectivity and power distribution, resulting in eroded faith in the Berylian government’s ability to provide and secure the nation’s critical assets. There is chaos in the streets as public unrest comes to a head. National Cyber Rapid Reaction teams scramble to regain control over the nation’s critical infrastructure systems and unruly population.
While the scenario may feel all too familiar, this is actually the scenario from the world’s largest, most advanced international live-fire cyber defense exercise, Locked Shields 2019. The NATO-accredited CCDCOE hosts this annual wargame in Tallinn, Estonia, one of the most technologically advanced and smallest nations in Europe.
More than 30 NATO members and partners, comprising over 1,200 personnel from academia, industry and government, participate in the exercise. Over the past nine years, it has matured to incorporate the use of realistic models of water-purification systems, electrical power grids, 4G public safety networks, and naval communication systems.
The planning and engineering of the exercise begins nine months prior to its execution. Industry partners including Siemens AG, National Security Research Institute of the Republic of Korea, VMware and Bittium work around the clock to develop realistic simulations of real-world critical infrastructure systems.
Twenty-three national and joint blue teams act as rapid reaction teams, working remotely from their home countries to defend, detect, eradicate and recover from red team cyberattacks. This year, U.S. European Command (EUCOM) sponsored a joint U.S. blue team, which participated in the exercise from the foothills of Germany's highest mountain peak, Zugspitze. This team was a combination of U.S. Department of Defense military and civilian cybersecurity experts, as well as national partners from Australia, Denmark, Ireland, Lithuania and Poland.
U.S. involvement was at its peak this year. Military and civilian members from the Michigan Air National Guard, the Maryland Air National Guard, Defense Information Systems Agency Europe, U.S. Army Cyber Command, the Minnesota National Guard, U.S. Army Intelligence and Security Command, U.S. Army Europe, the U.S. Embassy Tallinn, the Department of Homeland Security, Idaho National Laboratory, the U.S. Air Force and industry partners from VMware played the elaborate cyber game at Locked Shields 2019. U.S. personnel participated on four separate multinational teams, making this exercise a resounding success for USEUCOM’s J6 Joint Cyber Center, directed by U.S. Army Brig. Gen. Maria Biank.
After two intense and uncertain days, Berylian Rapid Reaction Forces (i.e., the various national blue teams) have either deterred red team attacks or had their systems completely compromised. Although this is an exercise, a winner must ultimately be crowned. Special network-based scoring bots grade teams’ performance based on their ability to maintain confidentiality, integrity, and availability of network services in real time.
This year's trophy went to the French national team. Even though the U.S. blue team did not bring home the gold, the experience served as an invaluable opportunity for U.S. personnel to work side-by-side with international partners. U.S. Army Col. Brian Vile, commander of the 780th Military Intelligence Brigade, noted, "The U.S.'s mission during Locked Shields is to foster collaboration and engagement with our NATO partners in order to further our cyber capabilities." Based on the lessons learned throughout the exercise, it is safe to say that in this sense, the U.S. blue team achieved their mission.