Berylia, a country in the Atlantic Ocean, is having some problems; its highly important drone industry is under cyber attack during the most important event of the year, the World Drone Expo in Dubai. You are a member of one of the Rapid Reaction Teams put together by the government of Berylia, your homeland. Your mission – defend the systems!
These are the basics of the scenario that was played out during the Centre’s annual technical cyber defence exercise Locked Shields on 21-22 May 2014. This is an event like no other, this time involving close to 300 people, 17 nations (both NATO and non-NATO), governmental institutions and industry, making it the embodiment of cooperation in cyber defence.
In essence, it is a big training event for IT specialists who form the so-called Blue Teams, whose aim is to keep the systems that have been specially built for the exercise up and running and to solve many additional tasks designed to make the experience as life-like as possible. For one, the teams were pestered by the exercise journalists, who had a lot of inside info and who kept asking difficult questions just when the situation in the systems demanded the most attention.
There were 12 Blue Teams this year, all located at their home locations, and due to high demand but limited slots some of the teams were made up of specialists from two different nations. This made the exercise more difficult for them, since they had to work with people they had maybe not even met before, with whom they had a language barrier and who were located in another country during the exercise. However, these teams were not given easier tasks, nor were the attacks against their systems any lighter. Taking all that into consideration, it is good to note that one of those joint teams took second place in the overall competition, proving that such cooperation can be smooth and efficient.
The word ‘competition’ describes the event rather well since, unlike typical military exercises, Locked Shields is built up like a competitive game to add pressure and friendly rivalry into the mix, because everybody wants to win and then defend their title. The Blue Teams are scored based on their activities, and the scoring is more complex than simply counting the times they managed to defend against the Red Team attacks. In short, the elements are: keeping the systems secure (e.g. against data breach, defacements), keeping the services up and running (and users happy), reporting to the exercise control what is happening, sharing information with other Blue Teams, answering media requests, solving forensics assignments and legal questions.
To do the latter, each Blue Team also had its own legal adviser, who was given special tasks on behalf of the exercise control or White Team. Although adding a legal component to a technical exercise may seem odd at first glance, it is done for two good reasons. Firstly, you cannot avoid law in the real world, and secondly, it is good to put two different disciplines such as law and IT together so that they try to understand and work with each other. Legal advisers need to understand IT to correctly interpret law when it comes to cyber, whilst IT needs to understand law so that the actions taken stay inside it.
The exercise is getting more and more complex with each year, and not only because of the additional tasks. The technical side is also growing, with teams having more systems to defend and the Red Team adding objectives to their mission. This naturally puts a bigger burden on the infrastructure which hosts the exercise, because the more systems you have to prepare and keep running, the more things you have that can break down. Luckily, Locked Shields’ Green Team, the ones responsible for the infrastructure, managed to prepare everything on time and no major errors occurred during the exercise, which is a success story in its own right.
So how did the defending teams do in the end? We would have to say pretty well. Many did admit that the exercise was very difficult but also fun, because one could test defensive techniques without worrying too much about the consequences (apart from losing points). One clear trend that the organisers are seeing is that the teams who come to participate are more and more prepared and take the event very seriously. Our aim is of course to give this experience to as many specialists as possible, which is why we encourage the nations to change the team members each year.
This year Poland became the overall winner, snatching the title away from last year’s winner NCIRC. Whether they manage to hold on to the title will be the question for 2015, because planning and preparations for next year’s Locked Shields will start soon.
Locked Shields 2014 was organised by the NATO Cooperative Cyber Defence Centre of Excellence together with Estonian Information System’s Authority, Estonian Defence League’s Cyber Defence Unit, Estonian Defence Forces, Finnish Defence Forces and many others. Defending teams were formed by Estonia, Finland, NATO CIRC, Italy, Spain, Germany & the Netherlands, Turkey, Latvia & Czech Republic, Hungary, France, Poland, Austria & Lithuania.