Shielded from harm20 December 2018
With the cyber-domain playing host to increased hostilities, being ready for large and small-scale attacks has rarely been more crucial. Andrew Tunnicliffe speaks with CCDCOE’s Kadri Kütt about how NATO’s Locked Shield exercise is ensuring IT infrastructure is always ready.
Cyberattacks and the methods by which the public and private sectors deter and counter them have occupied the headlines with increasing frequency in today’s tech-laden world. Often we hear of the failures of those entrusted with our personal data, the consequences of seemingly poor cybersecurity management, and the damage to the reputation or, worse still, IT infrastructure of public bodies and private organisations alike when a cyberattack was at least partially successful.
However, it’s fair to say having robust cybersecurity measures in place is a game of cat and mouse. This is something not likely to change, at least for the foreseeable future. The ability to avert and respond to cyberattacks has become a critical government and business concern, with the global cybersecurity market estimated to be worth $96 billion in 2018, an increase of 8% year on year, according to Gartner.
More often than not, cyberactivity is the domain of criminal gangs interested in making money from their actions. However, today more than ever, state-backed players and even governments themselves have been much more active in this field, with differing objectives. Critical infrastructure – financial institutions, power networks, healthcare providers and so on – have all fallen victim. Russia, Iran and North Korea, among others, have been accused of unashamedly increasing their activity with growing sophistication – although all have denied, and continue to deny, the accusations.
Despite that denial, the increased threat led to an unprecedented step taken by the US and UK earlier this year. In April, they issued a joint warning about the activities of Russia and the impact they could have on governments, businesses and even personal home networks. The UK’s National Cyber Security Centre’s chief executive, Ciaran Martin, suggested Russia was trying to access personal routers in homes and small businesses saying this was “a very significant moment as we hold Russia to account and we improve our cyber-defences at the same time”.
The statement, which was followed by the Australian Government stating that it had noted a rise in the number of these kinds of attacks, offered technical advice on how individuals could improve their cybersecurity. A UK brief read, “Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.”
This evolving threat from ‘enemy’ states and criminal organisations alike continues to occupy the thoughts of those wanting to protect IT networks and, ultimately, those that rely on them. Just days after the joint US–UK statement, NATO held its annual Locked Shields exercise, now in its eighth year. The five-day live-fire drill, led by NATO’s Communications and Information (NCI) agency and NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), simulated an attack on the critical infrastructure of a fictional country, Berylia.
“Berylia experienced a deteriorating security situation, where a number of hostile events coincided with coordinated cyberattacks against a major civilian internet service provider and a military airbase,” explained CCDCOE’s Kadri Kütt. Involving as many as 4,000 virtualised systems and more than 2,500 attacks, the real-time defence exercise was designed to enable national cyber-defenders to practice the protection of national IT systems and critical infrastructure under the intense pressure of a severe cyberattack. Involving more than 1,000 cybersecurity experts from 30 countries, the drill was a red versus blue scenario.
Some 22 blue teams from CCDCOE member states and experts from NATO and the EU made up rapid reaction teams deployed to assist in containing and countering a large-scale cyberincident and all its multiple implications. Red teams carried out the attacks intended to cause severe disruptions to the operation of the electric power grids, 4G public safety networks, military drone operations and other critical infrastructure components.
“This year the exercise involved critical infrastructure that our entire modern lifestyle depends upon: power supply, clean water and emergency communications,” says Kütt. “The exercise trains the teams in how to protect unfamiliar environments and to make the right decisions with incomplete information, as computer emergency specialists often have to do in real-life situations.” The exercise addressed areas noted for their particular difficulty, she said, including:
- protecting unfamiliar specialised systems
- writing good situation reports under serious time pressure
- detecting and mitigating attacks in large and complex IT environments
- well-coordinated teamwork.
“In addition to maintaining complex IT systems, blue teams must be effective in reporting incidents, executing strategic decisions and solving forensic, legal and media challenges,” Kütt continues. “To stay abreast of market developments, Locked Shields focuses on realistic and cutting-edge technologies, scenarios, networks and attack methods.” As well as teams from across member states, NATO and the EU, the private sector played a key role. Among others, Threod Systems provided their drones expertise, Ericsson assisted with 4G public safety networks for law enforcement and emergency, and Siemens assisted with software solutions. “The role of private sector partners is crucial. We cooperate with industry partners that bring specialised capabilities and technologies used all over the world,” says Kütt.
What was revealed
“Considering the interdependencies in the cyber-realm, nations have to take measures to protect their vital services, critical information infrastructure and military systems too. In the real world we cannot separate cyber-domain in military from cyber-domain in the civilian sphere,” she says. “In 2018 the exercise highlighted the growing need to enhance dialogue between technical experts and decision-makers. CCDCOE integrated the technical and strategic game, enabling participating nations to practice the entire chain of command in the event of a severe cyber-incident involving civilian and military players.” Kütt says the exercise “highlighted the growing need to enhance dialogue between technical experts and decision-makers”.
Locked Shields 2018, the largest and most complex international livefire cyber-defence exercise in the world, was won by the NATO team with France and the Czech Republic taking second and third place, respectively. Although the exercise was a success, however, Kütt warns the job is never done. “The systems running our critical infrastructure and military technologies are in constant development, we have to test and drill our resilience and defence on a regular basis. Our cyberdefenders will never be ready – they have to keep learning and practicing cooperation with like-minded nations on a regular basis.” The cat and mouse continue to do battle.
Follow the leader
With and extensive background in government and defence, Kevin J Scheid formally took up the post of general manager of the NATO Communications and Information (NCI) Agency on 1 July 2017, replacing MGEN (ret) Koen Gijsbers. On the announcement of his appointment Scheid said, “It’s truly an honour to be selected by the 28 NATO Nations to serve as the next general manager of the NCI Agency. I look forward to joining and leading the talented and committed team of civilian and military professionals of the agency.”
Speaking to the NCI’s media outlet at the time he took the helm, Scheid was very clear on the direction he wanted to take the agency, as he also was on what needs to be done to head in that direction. He said he didn’t believe you could “delegate strategy” or change management, adding that within the first 90 days in his post he intended to work with the Agency Supervisory Board (ASB), directors and the agency at large to devise a strategy, with goals and objectives, that could be realised over the following three years.
Defence & Security Systems International caught up with Scheid a few months into his tenure, in December 2017. It had been a very interesting period across Europe and around the world; not least because of the large-scale WannaCry ransomware attack that hit government departments and functions such as the UK’s National Health Service, as well as industry. “Cyberattacks are indeed becoming more common and more sophisticated,” he told us, “and NATO, like many other international organisations, has been targeted increasingly over the past decade.”
He went on to warn that the methods used and the intended targets in cyberattacks was always changing, and as a result so too were the outcomes. “The nature of cyberattacks is rapidly evolving. They are increasingly used not only for covert information gathering, but for sabotage and manipulation. This makes them a tool in the arsenal of hybrid warfare.”
With his extensive background in budget management, Scheid is well placed to deliver on his mission of enhancing the capabilities of the agency, stating it as his “top priority” in April 2018. However, he’s doing so slowly and carefully, ever mindful of potential risks and rewards. Speaking in early 2018, he said that, technologically, the agency was behind industry by about five years, but this was to its advantage. It meant the NCI could reap the benefit of “other people’s mistakes”.
“The way we procure systems and the way we develop new capabilities, we’re slow and methodical. I see it as a good business practice for NATO, because we don’t have a lot of money to waste on experiments. We want the biggest bang for the euro, and to let others work the bugs out is a smart strategy.”
With continuing pressure on budgets and a NATO that is being asked to do more, not least by the US, it’s clear funding will continue to be an issue for the alliance, the agency and their leaders. But be in no doubt, Scheid is acutely aware of the risk of inaction and underinvestment, as he highlighted in his interview with us. “In 2017, it became clear that cyberattacks cannot just have an economic impact on our citizens – by stealing their money – but we saw operations cancelled and C-sections postponed,” says Scheid. “I think it is hard to envisage a more profound impact than that,” he said.