Safeguarding Berylia

Cyber threat physical map
This physical map represents critical civilian and military infrastructure in the fictious country of Berylia which must be defended by blue teams during NATO’s Locked Shields annual cyber defence exercise.

NATO’s annual Locked Shields cybersecurity exercise gets underway in Tallinn, Estonia, bringing together participants from across the alliance.

Estonia is a North Atlantic Treaty Organisation (NATO) leader in cybersecurity. In late April/early May 2007 the country suffered a serious cyberattack believed to have been perpetrated by Russia. The attack followed a governmental decision to move a statue commemorating Soviet soldiers killed during the Great Patriotic War. The statue was taken from its city centre location to Tallinn’s military cemetery.

Since 2010, NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), based in Tallinn, has hosted the annual Locked Shields exercise. In the CCDCOE’s own words the exercise “enables cyber security experts to enhance their skills in defending national IT (Information Technology) systems and critical infrastructure under real-time attack.” CCDCOE member nations form the exercise’s blue teams. Each team can have an average of 40 participants, with over 20 teams competing. In 2022, 32 nations participated in Locked Shields which involved over 2,000 people. The red team performs thousands of attacks which must be addressed and reported. Blue teams must also navigate forensic, media and legal challenges accompanying these incidents.

Last year’s scenario saw a fictitious country named Berylia suffering a deteriorating security situation. The deterioration included cyberattacks against its critical national and military IT infrastructures. The attacks caused damage to communications, electricity and water treatment services. These disruptions also triggered civil unrest. Blue teams competed to tackle as many of the challenges across several categories as they could. Finland was the 2022 winner, with a joint Lithuanian-Polish team coming second and an Estonian-Georgian team coming third.

Military Targets

The 2023 Locked Shields exercise takes place between 18th and 21st April under the CCDCEO’s auspices. 38 nations are participating with 3,000 people. Once again, the scenario will be to protect Berylia from large-scale cyberattacks. NATO told Armada via a written statement that this year’s event “involves a unique mix of civilian and military IT systems and aims to boost cooperation between the two.” As before, the goal of the exercise is “to field-test (team) cyber resilience, cooperation and chain-of-command in a stressful environment.”

This year’s scenario includes Berylia’s “air defence system together with an artillery system to defend (the country) against aerial threats” which will be targeted by red team cyberattacks. “According to the scenario, the air defence system is integrated with an artillery system and a geostationary satellite.” Berylian air defences are not the only military cyberattack target: “The scenario involves a tactical communication system that is used by the Berylian military … Blue teams must keep military infrastructure up and running as well (as civilian systems).”

Showing the Commitment

“Cyberspace is contested at all times,” says NATO’s statement. Malicious cyber events are seen every day across NATO and allied nations, it continues, “from low-level attempts to technologically sophisticated incidents. Their aim is to degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities.” These attacks can be perpetrated by state and non-state actors alike. NATO is responding to these threats “by strengthening our ability to detect, prevent and respond to malicious cyber activities.”

Along with tactical and operational cyber defence, Locked Shields allows “senior leaders to practice the coordination and decision-making processes necessary to address a major cyber event both domestically and with the help of international partners.” The exercise has a strongly international feel: “Many of the Blue training teams are compiled with experts from different nations.”

NATO says that Locked Shields is “the world’s largest live-fire cyber defence exercise.” It shows the alliance “is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats. This will always be done in accordance with international law, and with appropriate political oversight.”

NATO Locked Shields
NATO’s 2022 Locked Shields exercise involved over 2,000 people from 32 nations. This year’s event comprises 38 nations and over 3,000 participants. Among the cyberattack scenarios included in the exercise are attacks against a fictitious country’s air defences and tactical communications networks.

by Dr. Thomas Withington