When European defense ministers played a tabletop cyber defense exercise, things got hard very quickly.
One of the things the West is least prepared to handle about a cyberattack is how quickly the response to it turns political. Defense officials responding to an attack quickly encounter bureaucratic roadblocks and geopolitical concerns they may be unprepared to navigate.
That was one of the main takeaways from a first-of-its-kind tabletop cyber exercise Estonia hosted earlier this month. CYBRID 2017 put European Union defense ministers in the hot seat as a fictional scenario “moved from a minor cyber incident up to a real blockade of communications systems that stopped a naval operation on the Mediterranean,” Estonian Defense Minister Jüri Luik said.
“At first, you were not able to recognize whether it was a cyberattack against just the personal computers of the people working there, or was it, for instance…a ransomware attack. And then it became more and more confusing,” Luik told reporters in Washington this week. “There were more hacks, systems were down, computers stopped working, communications stopped working.”
“In the end, we ran into a situation where the whole military communications system was down, and the EU headquarters was not able to contact the ships on the Mediterranean, and there was no clear information about what had even happened to these ships. And from point to point to point, the ministers had to make a decision” about how to respond, he said.
The world hasn’t seen a “9/11-level” cyber incident yet, said Luik, whose country was on the receiving end of one of the most serious to date: a Russian attack in 2007 that shut down the country’s banks, media outlets and government websites. The events played out in CYBRID 2017 didn’t rise to that level either — but one of the things the exercise exposed was just how difficult it is to evaluate how bad things are.
“The biggest issue is that we have no baselines for such attacks,” Luik said. “Our capability to judge what has happened is very complicated, because we even don’t know what these terms mean — is it high-risk, is it low-risk? How do you assess the risk?”
That complicates a nation’s response. Something that can appear small — a seemingly random computer malfunction in an EU military office — can quickly “transpire into a strategic political issue,” said Kristjan Prikk, Estonia’s undersecretary for defense policy. And when that happens, defense ministers have to “be willing to look into that, not on a technical level, but to understand what’s at stake and…tackle those at a strategic political level.”
The exercise revealed various roadblocks to effective response, including the reluctance to share information across political boundaries. Luik said there’s a natural hesitation to disclose vulnerabilities and talk openly about an attack, even among allies.
“The exercise showed us how demanding it is to communicate in order to pass the right information to the public in case of severe cyberattacks — especially on critical infrastructure,” German Defense Minister Ursula von der Leyen said after the exercise. It highlighted “how important the coordination of reactions on cyberattacks is. Coordination not only among EU member states but also amongst EU Institutions and also NATO.”
Once the decision has been made to involve other parties — whether that’s calling in treaty commitments for collective crisis management and security, or just informing critical infrastructure providers to be on alert, there’s still the question of how, exactly, to go about doing so.
So during CYBRID, Luik said, “the ministers had to answer the question — starting from, there is a drone above the EU international installation. Who has the right to shoot it down? Is it the host country or is it the international body? And ending with, the situation is so complicated we have to ask NATO for assistance: How would we do it?”
Even removing geopolitical concerns, it’s no less complicated domestically.
“Let’s say you get attacked — a government facility gets attacked,” Luik said. “The immediate assumption would be that we should inform all the power stations, factories, etc., that this kind of attack took place. But ... everything is classified. How do you share that information? And with whom? Whom do you call? The owners? The heads of the cyber defense units of those organizations?”