TALLINN, Estonia — Some 150 NATO cybersecurity experts assembled in an unimposing beige building in the heart of Estonia’s snow-covered capital this week to prepare for a cyberwar.
It’s a scenario that has become all too real for NATO member states and their allies since the Russian invasion of Ukraine. The conflict has forced Ukraine to defend against both missile attacks and constant efforts by Russian hackers intent on turning off the lights and making life more difficult for their besieged neighbors.
“There is a level of seriousness added; it’s not anymore so fictitious. It has become quite obvious those things are happening in reality,” Col. Bernd Hansen, branch head for Cyberspace at NATO Allied Command Transformation, said of the impact of the conflict in Ukraine.
NATO’s cyber forces have been watching the war in Ukraine closely, both to find ways to help Ukraine and to figure out how to make it harder for Russia and other adversaries to hack into infrastructure in NATO member states and their allies.
The conflict has added urgency to NATO’s annual Cyber Coalition exercise, in which more than 40 member states, allies and other organizations work together to respond to, and recover from, simulated cyberattacks on critical infrastructures like power grids and ships. The exercise spanned the globe, with nearly 1,000 cyber professionals participating remotely from their home countries.
The world has never experienced an all-out cyberwar in which cyberattacks are used to the same devastating effect as physical strikes — such as shutting off critical services like power and water and preventing their restoration. The situation in Ukraine, however, is teetering on the brink.
And NATO has been intentionally ambiguous about what level of cyberattack it would take for members to respond with either force or devastating cyber strikes of their own.
This year, cybersecurity officials and technical experts came to Tallinn from Europe, the United States and as far away as Japan to respond to cyberattacks against the fictional island of Icebergen, located somewhere between Iceland and Norway. On Nov. 28, hackers launched a digital assault on the fictional island in an attempt to steal intelligence and intellectual property, disrupt government services, and bring down the power grid.
The U.S. led air command and control in the exercise, while Romania led on developing the storyline, the United Kingdom took control on the ground, and Poland was in charge of special operations forces.
The results were a closely guarded secret by NATO officials due to security and intelligence concerns, but U.S. Navy Cmdr. Charles Elliott, the director of the exercise, told reporters that no one failed the exercise. told reporters that no one failed the exercise. He declined to give more specifics about what weaknesses were found.
Almost 150 personnel were on-site for the event, double the amount who made the journey last year. U.S. Cyber Command and U.S. European Command had about 50 people participating in person or remotely.
Elliott said that “it’s certainly possible” that the conflict in Ukraine had something to do with the spike in attendees, but declined to attribute it directly to that. While Ukraine has participated in previous years, it didn’t this year because officials there are too busy defending their networks from a barrage of Russian attacks — including on major power substations.
The war in Ukraine has injected new urgency into questions about how NATO would respond to a cyberattack on a member state large enough to invoke Article 5, which labels an attack against any member state as an attack against all. The government of Albania considered requesting its use earlier this year following a widespread attack on the country’s networks by Iran.
Complicating matters further is how vulnerable critical networks in NATO states are to cyberattacks. Those can run from sophisticated operations to plant malware on software updates to more common ransomware attacks — in which hackers trick a user into clicking on a link and then shut down a network to extract a payment. In a sign of how increasingly intertwined cyberstrikes are becoming with traditional warfare, Russia has coordinated missile strikes in Ukraine with cyberattacks to intensify the misery of civilians on the ground.
The difficulty of keeping hackers out makes it even more important to practice how to respond once they’ve infiltrated networks, officials say.
“Cyber generally still is an area that I judge favors the attacker more than the defender, and I hope we are able to change the dynamic, but we’re not quite there yet,” David Cattler, NATO assistant secretary general for Intelligence and Security, told reporters in a briefing during the exercise.
Officials said they incorporated scenarios and lessons from the cyber attacks on Ukrainian infrastructure this year, including on power grids.
“It has made it much more live, it’s reality,” Maj. Tobias Malm, from Swedish Armed Forces headquarters, said of the war in Ukraine. “It’s the real world, you sit in the middle of it, and it’s a daily struggle to address these issues.”
The exercise was held at NATO’s Cyber Range, a building designed and opened in 2021 to serve as a center to train NATO cybersecurity experts on how to coordinate and respond to attacks like those faced on the ground in Ukraine. The building gives cyber professionals a secure location with self-contained computer networks that can simulate cyber doomsdays. The building has both unclassified and classified spaces, and rarely opens its doors to the press in an effort to keep operations secure. Participants were banned from bringing any personal devices into the simulation area.
“They are constantly building up and tearing down these networks, so essentially this entire building is a blank slate; you can reconfigure it however you like,” Elliott said.
Part of the exercise incorporated experimentation of new technologies, including adapting the use of artificial intelligence technologies to help counter cyber threats.
“NATO’s committed to maintaining its technological edge,” David van Weel, NATO’s assistant secretary general for emerging security challenges, told reporters during a virtual briefing on Friday.
The intensified pressure on cyber professionals within NATO countries and allied nations has made the ability to coordinate and test communication protocols all the more essential. Finland, alongside Sweden, is currently being considered for NATO membership, but has long been a strong cyber partner to NATO, and both were included in the exercise.
Maj. Markus Riihoven, a member of the Finnish Defense Forces, said that the exercise was essential to develop a “network of trust” that can easily be called upon during a real-world cyberattack.
To build trust, participants mingled during frequent coffee breaks and catered lunches in a fairly relaxed environment outside the rooms where the exercise continued. They were kept on track by announcements from leadership about the schedule accompanied by songs including, at the conclusion of the exercise, ABBA’s “Waterloo’’ pumped over the loudspeakers.
Hovering over the camaraderie, however, was an awareness that this trial run could very quickly become a real-world scenario. Not to mention the looming question of whether military defense alone will ever be enough to fend off a large-scale cyberattack.
NATO’s Bernd said they need to move beyond government and the military to fight back against cyberattacks — a reference to the role the private sector might have to play in getting systems back online.
“What this exercise showed,” he said, “is that enlarging the cyber family that is tackling cyberattacks beyond the military framework — that is something that we need to train on how to collaborate.”