“Let the games begin!” was heard at 2017 Council of the European Union meeting held in Tallinn, Estonia in early September. Various defense ministers and their national security teams participated in the 2017 CYBRID cyberwar exercise as part of the intergovernmental cooperation on cybersecurity.
The scenario, according to Reuters, included a cyberattack on the EU’s naval mission in the Mediterranean and a campaign engaged on social networks to discredit the EU and provoke protests in member nations.
Over the course of the next 90 minutes, fake news reports were shown as the scenario progressed, and defense ministers were challenged to provide their response as each layer of the exercises’ onion was peeled back and removed. The insertion of an adversary’s manipulation of social networks was a twist that had not been seen before, but which forced participants to consider how their responses would play on main street, knowing their reasoning would be misrepresented by an able adversary.
The war-gaming was hosted by Estonia, which during its six-month presidency of the European Union, is emphasizing cybersecurity—and rightly so, given 10 years ago it was subjected to the most intensive cyberattack experienced by any nation during peacetime in history.
As May 8 turned into May 9, 2007, Estonia found its ability to connect to the rest of the world was blocked by a concerted and highly effective distributed denial of service (DDoS) attack. The symbolism of May 9 speaks volumes when analyzing attribution of the attack to Russia, as it is the day Russia celebrates Victory in Europe for World War II. Russia has denied any involvement.
How did Estonia find itself in the crosshairs of the Russians? The country audaciously (sarcasm intended here) opted to remove a Soviet World War II memorial from downtown Tallinn and relocate it to a suburban military cemetery. Estonia was punished beginning the day the decision was made (April 2007) with one-off hacking, defacement of public websites and other activities. Then on that one day, Estonia found itself shuttered by the DDoS.
With a few grains of plausible deniability, the Russian Federation’s use of cybercriminals to do their heavy lifting was becoming standard operating procedure.
Then in August 2008, Georgia, which was in the thick of a low-intensity hot war with Russia, experienced the might of the “Russian nationalist vigilantes,” who began putting their skills to use in penetrating Georgian government networks and creating an internet black out for Georgia. “As ground attacks by Russian forces increased, so did the cyberattacks, according a study published by the US Army’s School of Advanced Military Studies, “Impact of Alleged Russian Cyber Attacks.”
This analysis goes on to highlight the experiences of Lithuania and Kyrgyzstan, also countries that were a part of the former Soviet Union. Being a former member of the Soviet Union appears to be a ticket for a visit by the Russian bear, as Ukraine will attest.
Was the CYBRID exercise of Sept. 7 successful? According to the post-exercise analysis published by the Estonian International Centre for Defence and Security, the exercise was most successful. Items called out for approbation included:
- The exercise heightened awareness by key decision makers that utilization of commercial infrastructure may be the only option when military infrastructure is destroyed.
- Investment in hardening EU-wide infrastructure is no longer in the “nice to have” category of budgetary expenditures, it is a must-have.
- NATO must be supported as NATO prepares to fight in cyberspace at the same level as other air, land and sea.
- More exercises by leadership is not only necessary, but desired.
The ministerial meetings and cyberwar exercise were followed on Sept. 14-15 by the EU Cybersecurity Conference, which included a panel discussion on the “new normal in state-sponsored attacks: disruption of the trust-based digital ecosystems; digital surveillance/compromising privacy.” Participants were drawn from academia, industry and government. The hosts, Estonian, Information System Authority, has made the proceedings available via video on demand (Sept. 14 and Sept. 15). The bottom line: There remains considerable heavy lifting to be accomplished by the EU if they wish to collectively secure their internet.
The discussion continues.
To close out the month, the Tallinn Digital Summit is scheduled for Sept. 29, where Jarno Limnéll, professor of cybersecurity at Aalto University Finland, is scheduled to be the keynote speaker. He has been preaching that “cybersecurity enables innovation, growth, and prosperity and is a part of the digital EU infrastructure.” It will be most interesting, to see how or if the threat of cyberwar and cybermeddling in elections is surfaced and discussed in the same manner as cybercrime, where the EU’s working adage is, “cybercrime knows no borders, therefore we must act across borders to tackle it.”