In these cyber war games that include the US, the fictional foe launching attacks sounds a lot like Russia
By MICHAEL BIRNBAUM | The Washington Post | Published: May 4, 2018
TALLINN, Estonia — In the space of a few hours, the advantages of the modern, Internet-connected world turned against the military personnel and hackers involved in a cybersecurity exercise in this Baltic city not far from the Russian border.
First, cellphone networks fell silent while an imaginary foe conducted naval exercises just off their country's coast. Chemicals at water-treatment plants gushed into public supplies. Subversive protesters jammed the streets. The power grid flipped on and off. And then a hacked drone fell out of the sky and killed soldiers at a NATO base.
The exercise — which drew more than 1,000 participants from 30 countries, including the United States, and billed itself as the largest-ever such training — offered a glimpse of what military strategists fear could be the next big conflict. And it showed how NATO is scrambling to get ready.
"In military planning, countries are considering cyber in future conflicts, just like guns and tanks," said Merle Maigre, the head of the NATO Cooperative Cyber Defense Center of Excellence, the Estonia-based organization that hosted the exercise.
NATO used to view preventing cyberattacks as its sole responsibility in the virtual world. But in 2014 it agreed that a cyberattack could trigger a military response, and last year the alliance decided to empower its military officers to conduct such attacks of their own.
"We need to be just as effective in the cyber domain as we are in air, on land and at sea, with . . . the ability to respond however and whenever we choose," alliance Secretary General Jens Stoltenberg said at the time.
Russia looms large in this planning. Just last month, the United States and Britain warned that Russia was trying to burrow into millions of routers and firewalls. In February, they blamed the Russian military for the 2017 NotPetya cyberattack, which targeted Ukraine and caused computer damage around the world.
The stakes feel especially high in Estonia, which in 2007 fell victim to one of the first and biggest cyberattacks. Hackers hit the country's Parliament, media, banks and Internet providers. Cyber-experts traced the attacks to Russia, which was angry at the time that a Soviet-era statue of a Red Army soldier had been moved from central Tallinn to a military cemetery.
Since then, this Baltic country of 1.3 million people has built itself into a cybersecurity powerhouse out of proportion to its size. It has a voluntary civilian cyberdefense league — the virtual companion to civilian militias that drill against potential real-world invasions. And the NATO-affiliated center, founded a year after the attack, organizes an annual series of exercises, which have grown in size as more governments see the disruptions that can be caused through a computer.
Dubbed "Locked Shields," the exercise conducted late last month gamed out an attack by the fictional country Crimsonia on its fictional neighbor Berylia. But elements of the scenario were taken from real life.
Berylia is an obvious stand-in for a Baltic country such as Estonia: It is geographically difficult for NATO to defend and shares a border with Russia that has made it a special target for Kremlin interest.
The hit to Berylia's 4G cellular network, which came as Crimsonia held naval exercises just off Berylia's coast, echoed what happened in September, when Latvia's 4G cellular network was hit while Russia conducted naval exercises nearby.
And Berylia's flickering electrical substations were reminiscent of Ukraine's power grid, which has been hit twice by sophisticated online attacks in recent years, as the country's conflict with Russia has turned it into what some security experts call the "Wild West" for cyberwarfare.
"We look at real-life incidents, and then we apply them to our exercises," said U.S. Navy Commander Michael Widmann, who works at the center and helped design the exercise. "We're not trying to make things up."
During the exercise, 22 cyberdefense squads competed against each other as an international team of attackers tried to disrupt peaceful life in Berylia.
"All of us are either dealing with the results or actually creating similar situations in our daily lives," said Mehis Hakkaja, the leader of the attacking team, who also heads an Estonian security firm that helps companies find computer vulnerabilities.
The real-world consequences of a cyberattack could be dire.
"If you mess with water, if you mess with power, if you take over drones, people might get hurt. People might die," said Rain Ottis, the director of a cybersecurity center at the Tallinn University of Technology.
That concern is part of what has held back Western nations from engaging more wholeheartedly — or at least more openly — in cyberwarfare. Military planners have an easier time assessing the civilian cost of a missile strike than the cost of switching off a power plant that might supply electricity to a children's hospital.
Countries also sometimes struggle with how to respond to attacks that aren't clearly attacks. After all, cellular networks can fail without Russia's help.
"Life is a complex thing, and if someone wants to attack you, there are so many ways to launch an attack," said Tanel Sepp, the deputy director of the cybersecurity policy department of the Estonian Defense Ministry. He said that as he sat with colleagues taking part in the exercise, not everyone agreed that they had properly proved they were under assault.
Although what happened in Estonia in 2007 was clear, few officials here imagined they could win formal backing from NATO by invoking the organization's all-for-one, one-for-all defense pledges, and allies took no moves against Russia. Now Estonian officials say the alliance is readier to move quickly if there is a cyberattack, although an attack might need to result in injuries or death to activate a significant military response.
"On the day before 9/11, nobody thought a civilian aircraft could trigger" a NATO military response, said Marina Kaljurand, a former Estonian foreign minister who as ambassador to Russia during the 2007 attack was charged with pushing the Kremlin to stop the assault. "Today, we're in the same situation with cyber."
She said that NATO's decision to make cyber-related offense a bigger part of military preparation sent a message to Russia and other foes that they need to be more cautious about how they operate in the online world.
Some NATO members are making the same shift at home.
"You can't just be about cyber-defense. You sometimes have to do something in response," said Erki Kodar, who is helping to set up a cybersecurity command at the Estonian Defense Ministry. "You're not just being the victim. You can also change the threat landscape."