Amid rising threats, NATO holds its largest-ever cyberdefense exercise

TALLINN, Estonia — NATO this week challenged around 1,300 participants in a cyberdefense exercise to guard against major attacks on critical infrastructure including power plants, fuel depots, commercial satellites and military networks.

The annual Cyber Coalition exercise is intended to cover more than just the basics of network defense. Participants deal with the complicated and multi-faceted threats that have been seen in recent conflicts around the world, including attempts to stir social unrest and degrade military capabilities.

This year’s drill saw 29 allies, alongside seven partner nations, coordinate their responses to seven major storylines — all of which are designed to stay below NATO’s Article 5 threshold for collective defense — at Estonia’s national cyber range, CR14, established and supported by the country’s Ministry of Defence. It was NATO's largest-ever cyberdefense exercise.

Cyber Coalition is structured as a cooperative drill rather than a competition, said U.S. Navy Commander Brian Caplan, the exercise director. “Other cyber exercises are often about who wins a trophy,” he said. “Ours is different, it’s about synergy — nations helping nations, and the stronger helping the weaker, so everyone is better prepared.”

Only around 200 of the exercise’s total participants are on site, with the more than 1,000 others working from their desks at military headquarters and other locations around the world.

It comes as the North Atlantic Council, NATO's political executive, has warned about hybrid threats from Russia impacting both its allies and partners.

Caplan said the intention was to reflect the true complications of modern cyber incidents, where even issues that don’t seem like they could have any military relevance can quickly escalate into strategic problems that could impact war fighting capabilities.

“In cyberspace, there are no boundaries. Something that happens in one nation can have a second- or third-order effect in another. That’s why information-sharing, trust and collaboration are essential,” he said.

There remains a technical element. Participants might initially detect some unusual malware as their entry-point to a scenario, but diagnosing the true cause requires sharing intelligence with allies to establish if an incident was an accident, a criminal attack or part of a hostile state’s deniable campaign.

“The storylines are designed so no nation can ‘win the war’ unless they communicate with others. Only by sharing information and working together can they understand the attack and respond effectively,” Caplan said.

Those other parties can include NATO allies, privately owned infrastructure providers and further organizations — although NATO hopes to provide the framework for intelligence sharing.

For the first time, this year’s exercise also included a space-based scenario, reflecting the Viasat attack during the early days of Russia’s invasion of Ukraine. “A cyber incident in space doesn’t stay in space — it hits air, sea and civilian systems immediately,” said Ezio Cerrato, the deputy exercise director.

“In the military we like to imagine we’re going to be in charge of everything, that if there was a conflict people would expect us to step up and lead,” explained a British officer at the exercise, speaking anonymously as he hadn’t received formal permission to comment to the media.

“But in this kind of defensive, hybrid scenario — with tensions, misinformation, disinformation — it really stretches you. A lot of the first effects hit energy systems or media, things that don’t look ‘military’ at all, and yet they may be part of reducing a nation’s support for people under threat of invasion.”

Participants in the multi-day event need to not only produce technical intelligence from their own virtualized systems, as hosted by CR14, but also engage with injects from the exercise administrators and make sense of potentially relevant open-source material being shared by a range of media sources, some of them potentially operated by the adversary.

Alongside the technical specialists reverse-engineering malware, military planners responsible for logistics and legal advisers need to have responses to the scenarios they’re confronted with — hopefully conforming with established NATO procedures for collaborating and complying with international law.

The experience for national teams dialling in from their home countries often begins by detecting subtle anomalies, such as delays in satellite data transmission rates, unusual fuel-distribution logs or power-grid warnings going off at unexpected times.

As the scenarios develop, the participants have to decide when the right time is to escalate their response — notifying civilian authorities or NATO — and deal with the legal challenges around sharing military intelligence with law enforcement authorities.

“You can’t just watch your computers anymore,” said the British officer. “You also have to look at what's happening in the real world, what is being reported by yourselves, what is being reported by people who don't maybe know what they're talking about on social media.”

Caplan said no two years of the exercise have been the same: “Technology changes, policy changes, threats change. This exercise allows NATO and its partners to adapt together — before a real crisis forces them to.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.