European and U.S. cyberwarriors wargamed unique responses to nation-state attacks in a recent training exercise held by a NATO-affiliated cybersecurity hub, which placed operators inside simulated civilian networks that illustrate the tactical complexity and legal gray areas that dog cyberwarfare operations in real life.
Dubbed Crossed Swords, the exercise was conducted on computer networks that mimicked civilian infrastructure providers, like phone and power companies, in order to simulate an attack on hardened military systems.
“What we wanted to do is match the real-world environment in which cyber-operations take place and show the interdependencies between military and civilian networks,” said Aare Reintam, project manager of technical exercises at the center. “The legal issues were maybe two percent” of what went into the exercise.
The exercise, staged by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, earlier this month, comes as European countries like Sweden and Italy gear up to combat possible Russian cyber meddling in forthcoming national elections this year. The simulation also comes as there is growing concern about recent intrusions by state-sponsored Russian hackers into power companies and other critical infrastructure providers on both sides of the Atlantic Ocean.
The players were cybersecurity officials from 15 of the center’s 20 NATO and EU member nations, with help coming from the Latvian mobile telecom provider LMT, an unnamed major company that builds and maintains electric grid infrastructure, and other private sector providers of critical infrastructure and services.
“Industry partners contribute [to] the organization and setup of the exercise, both with their technology, systems and expertise,” said center spokeswoman Kadri Kütt.
That’s important, say experts, because those companies’ networks are very different environments from the ones that military cyber-operators are familiar with and generally get to exercise on.
In real life, the hardened military networks that cyberwarriors practice defending in conventional exercises are riddled with connections to more vulnerable civilian infrastructure. As a result, the involvement of civilian infrastructure providers in the planning and design allows the exercise to achieve a greater degree of fidelity, explained John Yarger, technical manager of modeling/simulation and exercise in the CERT Division at the Software Engineering Institute, part of Carnegie Mellon University.
Yarger, a retired U.S. Marine Corps communications officer, leads a team that builds simulations and does other cyber-wargaming work with the Pentagon and U.S. Cyber Command. He says exercises like Crossed Swords rely on a relationship of trust.
“They’re going to know their own equipment better than anyone,” Yarger said of the civilian critical infrastructure and service providers. “But all of that [information about their networks] is sensitive because it’s a blueprint for attacking their infrastructure.”
Exercises like Crossed Swords, he said, give military cyberdefenders “the chance to practice … in a high-fidelity simulation, the [tactics, techniques and procedures or] TTP they would use” in a real life operation involving civilian infrastructure.
The exercise took place on a cyber range owned and managed by the Estonian Defense Forces. The center’s experts built a large, sophisticated virtual environment recreating the computer network of a major military base in a fictional country — and the very different networks of its civilian telecommunications and electric-power infrastructure providers.
The ‘black box’ problem
The exercise was an opportunity for military cyber specialists to familiarize themselves with computer networks built to resemble those of civilian critical infrastructure providers — in this case mobile telephone and electric power providers.
Experts say that gaining access to or control over the networks of those companies would give hackers an excellent back door to penetrate hardened military IT systems and leave cyberdefenders operating on unfamiliar territory.
“It is understandable that military experts aren’t familiar with those civilian networks they are not working on a daily basis. But they are dependent on them,” said Reintam. “It’s a black box problem.”
The exercise is designed to open the black box by testing the military response to a threat that also implicates those civilian networks, said Reintam. “We aim to educate [our participants in] how the networks of vital service providers operate.”
When military networks were hacked via civilian service providers in the wargame, participants pursued online attackers through those civilian networks, and later sent their troops into a neighboring country to physically recover a data center server that was hosting hacker attacks — raising a host of potential legal red flags.
“Because we’re democracies and the military doesn’t control critical infrastructure, they are dependent on those civilian organizations,” agreed Yarger.
He called partnering with a civilian infrastructure provider “a wise move,” because it helped operators “get some experience of command and control challenges when interacting with organizations that have a less hierarchical structure than the military are used to.”
Reintam said that the exercise focused on network elements that are common across the whole sector. “We use the main industry-wide protocols and the underlying infrastructure to develop knowledge that would be useful in dealing with any telecom and energy provider,” he said.
Step by step
The exercise simulates a cyberattack by a fictional nation-state which targets a major military base via its power and telecoms providers. “The players have to analyze what is happening on their networks,” explained Reintam. “In this scenario, we found a ‘logic bomb,’ timed to go off in less than 48 hours, that would bring down the national defence system of the fictional nation.”
That was a strategic objective for the adversary, said Reintam. Accomplishing it via civilian infrastructure afforded the attackers the element of surprise — as well as a way around the military’s own cyberdefenses.
Once the attack on the base network is discovered, the exercise participants go into incident response mode, seeking to identify the extent of the attack, and trying to trace its origins.
“There are multiple lines of inquiry that have to be followed. Has it spread to other networks? Can it be traced back to its authors? Is it possible to defuse within the boundaries of friendly networks, or must action be taken in adversary networks?”
Participants start tracing the attackers’ intrusion back. “Step by step, through each network,” tracking their opponents, seeking to identify the infrastructure used to launch the attacks — and the control system hidden behind it. “We are looking for the crown jewels and when we find them, we have to determine whether we can address them through cyber or whether we might require a kinetic intervention.”
The exercise involved the use of drones to identify and locate targets like mobile devices. “Operations in cyberspace, no matter how vast it is, can reach only as far as it has some form of connectivity,” said Bernhards Blumbergs, a cybersecurity expert from Latvia’s Computer Emergency Readiness Team, CERT.LV — one of the civilian organizations involved in Crossed Swords.
“We wanted to show the interdependencies between the different military domains as well as those between military and civilian networks,” said Reintam.
Keeping it legal
In the Crossed Swords scenario, the enemy infrastructure was based in a data center located across an international border.
“If it’s not possible to achieve mission goals through virtual means, we might require personnel to go and actually [bring] the servers physically for forensic analysis,” said Reintam.
There are, of course, legal advisors involved in the simulation. Any response “has to remain within international law,” said Reintam, adding the focus of the exercise was on testing and practising the technical skills and tools network defenders would need in a real attack. “They have to understand how the cyber response will operate in relation to other domains.”
The exercise is designed to train the Red Team, the experts performing the role of attackers in such live-fire cyber exercises. The attackers were divided into three groups — targeting client-side devices, web-facing applications and networks, respectively.
“They need to know what are the right tools, the right techniques” to attack the simulated target networks, explained Reintam. Red Teamers use actual malware developed and customized for the exercise, he said.
The Red Team will use the lessons they learned from Crossed Swords to develop attacks for the center’s much larger companion exercise dubbed Locked Shields in April, explained center spokeswoman Kütt, calling it “the world’s largest and most complex international live-fire cyberdefense exercise.”
Like NATO itself, she said, the center is “very focused on defense. The main aim of both these exercises is to train national cyberdefenders. That involves training Red Teams so they can effectively challenge the defending Blue Teams.”
To make that challenge effective, added Reintam, tight discipline is an absolute must. “There is no room for loose cannons on a Red Team,” he warned. “A single mistake can jeopardize the whole operation.”
Update: A previous version of this article stated that Crossed Swords was a NATO-led exercise. The NATO Cooperative Cyber Defence Centre of Excellence is affiliated with NATO, but not part of the NATO command structure. We regret the error.