As ever more Western countries suffer cyberattacks and election meddling suspected of coming from Russia, they are finally talking openly about their own offensive cyber strategies as well.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), based in Tallinn, Estonia, has been organizing “the world’s most complex” international cyber defense exercise — known as Locked Shields — since 2010. Sitting outside NATO’s military chain of command, the CCDCOE drew 900 participants from 25 nations to the event this year. But alongside Locked Shields, a smaller and less talked-about exercise is taking place. There, a small number of handpicked hackers practice with regular military units how to conduct cyber operations against enemies in case of war.
There are two teams that take part in most cyber exercises: In this case, there’s the blue — on defense — and red — on offense. Usually, the main focus is on training the blue team to defend when cyberattacks occur. But in this particular exercise, known as “Crossed Swords,” it’s the red team that’s in the spotlight. And it’s the red team that emerges from Crossed Swords that will go up against the blue team during the next Locked Shields, said Aare Reintam, the technical exercise director at CCDCOE.
The first Crossed Swords took place in the beginning of 2016. It’s now grown into a separate annual exercise, becoming more sophisticated and realistic each year. During last year’s exercise, the participants practiced hacking a moving train, attempting to stop it so a special forces team could retrieve the vital data servers inside. (They did manage to stop the train, by hacking into the electric system and cutting off the train’s power.) Unlike many exercises that take place only on paper, the simulation included real systems, used in a controlled environment.
“In order to know how to defend yourself better, you need to know how the attacks are carried out,” said Reintam. The exercises offer the chance to understand the most current cyberthreats inside and out, he added.
Such was the case in the latest Crossed Swords exercise, carried out this January in Tallinn. The CCDCOE was established there in 2008, following a set of cyberattacks against the country. In the scenario, the fictional country of Berylia had suffered a ransomware attack against its air defense systems, with hackers demanding payment before the system can be unlocked. Berylia’s intelligence services then learned that a hostile country was planning a physical attack as well. The red team, or “penetration testers” in the official jargon, were tasked with retrieving vital data from the adversary’s server park to restore Berylia’s defense systems.
The hackers participating in the exercise were there by invitation only — the number of invitees is being kept secret because of the sensitive nature of the exercise. The goal of the counteroffensive: Map the enemy’s network, find a weak spot, and then infiltrate in order to learn how to undo the damage to the air defense system. Once inside the network, it was vital to stay as invisible as possible, in order to gain more time and be able to go as deep as possible.
The participants were divided into three teams. The first, a “client site” team, worked to “spear-phish” their targets — attempting to trick their opponents into handing over vital information, implanting malware into the system in the process. The second team probed the opponent’s networks, looking for weaknesses and security holes in the network the adversary was using. And the third, a web team, tried to exploit different services the system hosts to gain access.
When the red team learned the whereabouts of the server, the exercise transitioned from behind computer screens into the real world. The information was given to a special forces team that had to enter the server room — a hotel suite rented in the center of Tallinn. They entered the room, laid down a white bedsheet, placed all the devices on it, took photos of the devices, copied them, and put everything back in exactly the same position as they had been, Reintam said.
“Combining cyber with [this] foot-on-the-ground approach is a vital and unique part of the exercise,” Reintam told BuzzFeed News. “Cyber is not something isolated, it is connected with every other domain. That’s why we combine this exercise with teams from other military forces who usually have less awareness about IT.”
During the defense-oriented Locked Shields exercise this year, a red team formed during the previous Crossed Swords hacked into the defenders’ radar system and were able to add a squadron of enemy fighter planes on the screens. “For us it was a situation awareness project to show how it is possible to manipulate regular operations,” Reintam said. Just as worrying: The red team also managed to hack into power grid control systems that mirror their real-life counterparts.
Crossed Swords’ rise comes as more countries are moving from focusing solely on defense to add offense to their arsenal in the cyber domain. A group of NATO allies are considering a more muscular response to state-sponsored computer hackers that could involve using cyberattacks to bring down enemy networks, Reuters reported last week. According to Reuters these countries include the United States, Britain, Germany, Norway, Spain, Denmark, and the Netherlands.
Until now most NATO countries, as with the alliance as a whole, have avoided talking about their offensive cyber capabilities. But Russia has been known to have these capabilities for years now — there have been several cases where experts believe Moscow has gone on the attack, including multiple cyberattacks on the Ukrainian power grid over the last year that left hundreds of thousands of people without electricity.
And this September, Latvia’s Foreign Minister Edgars Rinkevics said the country was investigating whether it was Russia that took down part of Latvia’s cellular network and emergency phone hotline as part of its Zapad military drill. Such examples lead NATO countries to be more open about developing their attack capabilities — and discussing it in the open.
Estonia, a country that 10 years ago was hit with what are considered the first wide-scale cyberattacks in history, says it will set up a cyber command next year that will eventually employ 300 people.
Once launched, the new command will work alongside both the cyber branch of Estonia’s Defence League, composed entirely of volunteers, and conscripts and reservists in the Estonian military who specialize in cyber to take on a full range of cyber operations. Erki Kodar, the undersecretary for legal and administrative affairs at the country’s Ministry of Defense, doesn’t hide that the cyber command’s tasks will include carrying out attacks if and when they’re needed.
“Everybody understands that fighter jets or tanks can be used in offense or in defense, depending on the battlefield situation,” Kodar said. “Why should we treat the cyber domain any differently?”
Talking about offensive cyber capabilities should no longer be taboo, he argued. “Previously, the idea has been that we can only defend ourselves, but not carry out attacks. That is not true. As with every other weapon system we should also be ready to use cyber to influence the adversary’s physical objects, its actions and way of thinking.”
Estonia is joining other NATO countries moving in the same direction, such as the Netherlands, which wrote the development of cyber offense capability into its national cybersecurity strategy in 2013. Under the strategy, the country announced its military was moving to improve “both the capability to protect its networks and systems from attacks and the capability to take offensive measures.”
The Dutch will adopt a new strategy at the beginning of 2018, a spokesperson from the Ministry of Justice and Security said. Its contents are still classified, but the most recent government coalition agreement, signed on Oct. 10, gives a hint of its direction by promising “a significant expansion of cyber capabilities and technology for all elements of the Defence organisation.”
In a similar document released last year, the UK announced that it wants to become a “world leader in offensive cyber capability.” “We will ensure that we have at our disposal appropriate offensive cyber capabilities that can be deployed at a time and place of our choosing, for both deterrence and operational purposes,” the government’s national cybersecurity strategy for 2016–2021 states. It is a large step from the previous strategy for the last five years — which didn’t mention offensive capabilities at all.
On Nov. 8, NATO Secretary General Jens Stoltenberg announced that the alliance will create a new cyber operations center as part of a redesign of NATO’s command structure. Just as NATO doesn’t own any tanks or ships, the same goes with cyberweapons — NATO will not create its own cyberweapons, but it will be able to use individual allies’.
General Mark A. Milley, the US Army chief of staff, said at the CyCon U.S. conference last month that the cyber branch of the US Army, created just three years ago, already has almost 20,000 soldiers. Milley said he can guarantee that the wide variety of cyber technologies, such as artificial intelligence and robotics, will change the fundamental character of warfare.
“I would argue that it’s not so much the technologies in and of themselves, it’s how you apply them,” he said. “How you bring it all together into a way of offense and defense, into a way of war, a way of tactics. We, the United States, are not going to get it right. What is important is that you get it less wrong than your enemy.”
“It was clear for everyone already after the cyber operations against Estonia in 2007 and especially Georgia in 2008 how cyber will enhance the effect of military operations,” Kodar said.
“More and more countries are starting to consider offensive cyber capabilities as part of their military arsenal. Not just in Europe but around the globe,” Tony Cole, vice president and CTO of global government at the cybersecurity company FireEye, told BuzzFeed News.
Cole says we are now only seeing the beginning and it is going to escalate in the coming years. “I wouldn’t say it’s an arms race yet, but it’s quickly moving into that direction. Quite frankly I don’t see how it could be avoided this day and age, we have already seen so many nation-state attacks.”
Cole argues that until recent years, a lot of nations did not want to play in the cyber sphere. “Simply put, it was considered something that Russia and China were doing. Democratic nations would not want to get involved,” he said.
He warned that NATO in its current structure would have difficulty in implementing cyber capabilities on an “as needed basis”. “They need to enable the commanders with a well-structured policy, so that the commanders know what they can and what they cannot do in order to move quickly when needed,” he said. “Having to wait for approval and 29 nations to agree on something before you do it is not going to work in this space.”
The next Crossed Swords will take place in early 2018. Part of it will be carried out on an open ground reserved for that purpose in one member nation of NATO CCDCOE. It has been set up with all relevant IT and electronic systems, from cell towers to drones in the air, especially for the exercise, but Reintam wouldn’t disclose more specific details — it would give too many hints to the participants. “To cater for the training audience’s high expectations the level we have taken it into is unprecedented” is all he said.