Cyberwar has evolved from the theoretical to the ominous. TechRepublic went inside one of the defenders vs. hackers war games that's helping countries prepare to defend themselves.
In the doorway of a low-ceilinged room with harsh strip lighting, Klaid Magi is looking tired. Behind him, the mess suggests this has not been a standard day at the office. The bins are overflowing with empty Coke cans, the desks are covered in snack wrappers, and the room probably smelled a whole lot fresher a few hours earlier.
Magi's team, a small band of about two dozen now-weary security experts, wander between the rows of PCs and whiteboards scrawled with notes, gradually recovering from a day spent as the last defense of a tiny nation against a massive cyberattack.
Magi's usual job is running Estonia's Computer Emergency Response Team, but today he's been in charge of protecting the fictional country of Berylia from unknown aggressors.
The team of defenders, operating from a nondescript tower block in a suburb of the Estonian capital Tallinn, is just one of a number taking part in an international cyberdefence exercise aimed at preparing them to tackle the real thing.
The two-day exercise, organized by a NATO-affiliated cyber defence think tank, aims to test the skills of these teams at defending a range of technology—from PCs and servers to air traffic control systems.
"All the infrastructure we have was somehow under attack," said Magi.
"In real life you never will see a couple of thousand cyberattacks per day, so obviously it was a rough day," he added.
It's the end of the first day of the game (unlike a real cyberwar the game is slightly more civilised and keeps to standard business hours) and the Estonian team, considered to be one of the strongest playing, feels it has weathered the storm so far, managing to protect the systems of the fictional air base they are defending.
"This is our everyday job and nothing impresses us," Magi said.
But there's plenty more to come on day two.
Over on the other side of Tallinn are the bad guys causing all the problems for Magi's team.
It's nothing personal—they're also causing havoc for the other 18 defending teams in the war game known as Locked Shields.
For the two days the game was running, the ballroom of a downtown hotel served as the nerve centre of the exercise, with dinner jackets and party frocks giving way for a few days to cybersecurity experts in bright T-shirts and the occasional military uniform.
It was also the base of the attackers—known as the Red Team—and it looked the part: a cavernous hall dominated by a giant screen.
The room, full of red T-shirted, mostly male hackers, was quiet and businesslike, which is somewhat at odds with the merciless bombardment this team is dishing out.
Mehis Hakkaja was the stern-looking head of the Red Team. "I'm a nice guy," he insisted with a smile, but it was clear he relished the challenge of the exercise.
I mention the visit to the Estonian Blue Team. "They looked tired?" he asked. "They'd better be."
The Locked Shields exercise has been running since 2010, and the scenario is usually based around protecting the country of Berylia, a fictional new member of NATO floating somewhere in the north Atlantic, which has a difficult relationship with the rival state of Crimsonia.
Quite where this meddling rival Crimsonia is located is never actually made entirely clear in the scenario. But nobody involved with the exercise has much doubt that it lies somewhere to the east of Europe.
Locked Shields is run by NATO's Cooperative Cyber Defence Centre of Excellence (CCD COE) and bills itself as the largest and most complex international technical network defence exercise and involves 900 participants from 25 nations. This year there were 18 national teams, plus one team from NATO itself playing the game.
Exercises like this have been growing in scale in recent years, as it has become clear that cyberwarfare has moved from the largely theoretical to the worryingly likely.
Many governments are now spending vast sums on building up their capability to wage war on digital systems, with the US, Russia, and China seen as the most advanced in their capabilities. Incidents such as the 2015 hacking attack on the power grid in western Ukraine, which caused a blackout leaving hundreds of thousands without power, have shown the effectiveness of using digital attacks against critical infrastructure.
This year the defending Blue Teams had to play the role of a rapid response computer security team that has been dropped in to protect Berylia's main military air base from cyberattacks.
The teams have to defend everything you might find in a standard office, including Windows PCs, Macs, Linux, and email and file servers. They must also protect systems that control the power grid and plan military air operations, including military surveillance drones and programmable logic controllers linked to the air base's fuel supply. The aim is to reinforce the idea that every single system inside or outside the network could be a jumping-off point for attackers.
The technical game, fighting off wave after wave of cyberattacks, was the main point of the exercise, and was how the teams scored the majority of their points.
Rain Ottis, head of the game-organising White Team, explained, "It is technical, it is hands-on. Most of the gameplay we have is on real computers, facing realistic threats, dealing with realistic opponents. It is live fire. We actually have a live opponent. They will actually take control of a server, maybe deface it or do whatever the objective says they have to do."
Over the years Locked Shields has expanded to include a communications game, where the teams have to respond to requests for interviews and update the Berylian people on their response to the attack, and a legal game where the teams' lawyers have to work out whether the attacks break the law and what to do about it. On top of this, there's a table-top strategy game, which tries to mimic the role of senior military and civilian decision makers who have to figure out how to respond to the attacks—putting it into the "grander geopolitical context," according to one of the players.
"At the technical level you have to worry about things like malware, or somebody defacing your website, or 'why did my power system just go down?'...questions like this. In the strategic game there are questions about if this happened in real life would it be considered a use of force or an armed attack," said Ottis. "Is it something worth going to war about?"
To add to the complexity, the game's controllers are not managing just one fictional Berylia but as many as 20 separate versions stacked up, because while each team is facing the same set of threats they may encounter different problems and different elements of the scenario at different times. This means the game unfolds separately and at a different pace for each team, depending on the decisions they make. It's no surprise then that one of the teams running the game picked the time-travelling Tardis as their unofficial mascot.
All of this is run from the ballroom control room, to which TechRepublic was given wide-ranging access during the whole exercise.
The teams running the different elements of the game are assigned their own colour T-shirts and banks of PCs. Red is for the attacking team; green is for the infrastructure team that keeps the game running; and white is for the communications and legal teams and others running the scenarios.
There's another team that sits just outside the control room. Phishing attempts and ransomware can only succeed if someone in the organisation is unwise enough to open a document or click on a dodgy link. And who would be dumb enough to click on a random attachment from an odd email address in the middle of a cyberwarfare game?
Fortunately for the attackers, and unfortunately for the defenders, each Blue Team is assigned a set of virtual end users who are trusting (or stupid) enough to click all sorts of virus-ridden attachments and provide the bad guys with one of their ways in. To add to the chaos these clueless virtual users will then complain to the Blue Team that they can't access their email or other services (because they've just brought them down by clicking on ransomware), causing yet more work and hassles for the defending teams to clear up.
There aren't any blue T-shirts in view—the defending teams are mostly based in their home countries. These teams can range in size from 20 to 60 members; most, like Magi's Estonian team, are a mix of civilian and military security experts. Some teams are filled with veterans of previous Locked Shields, while some are complete newbies.
The game starts in a way the teams might not expect—not with a never-seen-before computer virus tearing through their systems but with a document with fake claims that the Berylians are building banned weapons. While the teams try to figure out what is going on, the rest of the bombardment starts.
There's a constant buzz in the control room when the game is on, but it's also controlled; there are certainly no cheers when one of the teams loses a system.
It's easy to get caught up in the game, to feel for the teams as they lose a drone or struggle to keep their power grid from shutting down, all the while trying to decide who is attacking them and what the legal situation is, even if the teams themselves may be hundreds or thousands of miles away.
Over the top of all of the different groups looms a giant drone that rocks gently in the breeze of the occasionally heated conversations from the teams below, the mirrored undersides of its long wings reflecting the bright screens beneath.
This drone isn't the only reminder of the virtual battle that is raging. Around the edges of the room are some of the systems that help make the game more real for the teams, both the attackers and defenders.
In one corner is a whiteboard filled with a set of grey metal boxes about the size of a housebrick—plain save for some green and red flickering lights on the bottom. These are drone brains.
These drone control units think they are actually inside the body of a drone flying around in Berylian airspace. The drones are supposed to trace a route over the center of Berylia, but if Red Team hackers gain control, then the drone will spiral off course over Berylia (bad) or even enter international airspace (very bad). Even worse, the hackers may be able to hijack the surveillance video stream from the drone and replace it with something else, such as cartoons (very bad and embarrassing, too).
Another board displays a set of 20 programmable logic controllers, which represent the system on the air base used for refueling aircraft. If the hackers can break into this, they can open the valve and spill fuel onto the ground, and after that it only takes a spark to create chaos.
Raimo Peterson, CCD COE's technology branch head, pointed out that these are not just for show. "They may look like mock-ups or toys, [but] they are real systems taken from the field.
"If you talk about the power grid system, then yes, it is the same power grid software and the same power grid system that is used in energy transmission," he said, and the same drone system used in military operations around the world. "It's real equipment that we are playing with."
Dominating the rest of the room is a set of screens that display the current status—that is, the current woes of the teams.
One big screen shows a live map of the digital attacks arcing across from Crimsonia and down onto the teams spread across the map of Berylia like an updated version of the old video game Missile Command. It's pretty, but doesn't really tell you much other than all the teams are under attack, all of the time.
What's shown on the other bank of screens changes every so often, the better to display just how the Red Team hackers are ruining the Blue Team's day.
The Red Team, run by Hakkaja, breaks down into three main groups. The biggest of these is known as an advanced persistent threat (APT) group—like sophisticated state-backed hackers. This means sneaking quietly into networks and attacking from within.
While they creep around, alongside them is a team that specializes in attacking things like websites—a much more noisy and obvious approach that this year includes using ransomware against the teams. This means that rather than just defacing or deleting websites this team will encrypt the data and send a ransom note to the Blue Team, which has to decide whether to pay up or not.
A third team takes on firewalls and the special industrial control systems and drone systems that the teams have to defend.
"If you look at the pattern of how most enterprises are compromised, it is this APT-style approach by compromising one computer—even a fairly random computer—within an organization that gives you so much leverage to move around. In many cases, these incidents are not even noticed until months after the compromise has happened, so if you have time to sneak around and lay low, you can exfiltrate a lot of data and create a lot of damage until you are caught," Hakkaja said.
"The difference with the exercise is the Blue Team(s) know we are after them, and everything is scrutinised a lot more than usual and we have a very short time window to achieve our objectives so we have to move very fast to do what we need to do before we are kicked out."
Sometimes the screens show a map of the Blue's air base and its systems: If the Red Team's hackers have managed to knock out the main power supply, the defenders only have minutes before their backup battery is exhausted.
The screen might also show the radar systems that the team has to protect—showing invading fleets of ghost aircraft if they lose control—or the path of the drone the teams have to keep under control.
Jean-Francois Agneessens was working for the White Team this year but was previously head of the NATO team, so he knows what it's like to be on the receiving end of the attacks.
"The two days of live fire is like a compressed year so there are a lot of events that are happening concurrently and your team is limited, so you will need a wide variety of skills," he said.
It's important for the teams to understand they can't protect everything all the time, he added, "which I think makes it so realistic because in real life, this is true—you just cannot protect everything perfectly."
Agneessens said, "It's completely exhausting I can tell you. At the exercise [end] you would really like to celebrate the fact that you are alive after these two days, but people just go to sleep and you need to wait for the next day so you can celebrate."
That the teams are in their own countries defending the virtual infrastructure of another fictional country doesn't make too much difference to the feel of the exercise he said, largely because that's how modern technology works—rarely is a computer system physically located in the same room, or even the same building as the team managing it.
"The attacks we are facing are realistic, they are well organised, so it's not just a simulation of a bunch of script kiddies who are trying to get into your network who you will detect easily," he said.
All of the additional layers beyond the technical game create more context for the technical game and make it more meaningful for the teams.
It's a reminder that they aren't just trying to protect a set of servers or PCs, but they are trying to protect a way of life for a country that relies on online services.
But the expansion of the game also reflects that cyberwarfare isn't just about fixing software code, it's something that can affect every facet of society.
That's something that Estonia already knows well. This year Locked Shields was particularly significant because it coincided exactly with the tenth anniversary of the major cyberattacks on Estonia in April 2007. It was the first time a state came under such a bombardment.
Back then, after the Estonian authorities announced plans to move a Soviet war memorial, the websites of the country's banks, government agencies, and telecoms companies were attacked, and many were forced offline. Estonia regained its independence in 1991 during the collapse of the Soviet Union; Tallinn is only 200 miles from St. Petersburg.
The 2007 incidents were the first serious demonstration of how electronic attacks were capable of causing real problems for an advanced economy. NATO's cyber think tank was established in Tallinn the year after; it had already been planned, but the "Bronze Soldier" attacks as they were known—which were accompanied by two days of riots—certainly accelerated the process.
Russian-backed hackers were widely seen as responsible for the disruption, although Russia denied any responsibility.
Not that the attacks scared Estonia away from using technology, quite the opposite; the country is one of the most connected in Europe and even has Estonian "e-residency," which allows foreigners to set up EU-based businesses online.
Two decades ago the small country—with few natural resources, big scary neighbours, and a population of just over one million—decided to prioritise the use of technology. It introduced online voting in 2005 and has invested in cybersecurity, the Estonian CERT and CCD COE, as well as its Cyber Defence League, which is made up of experts from the country's IT companies, banks, and ISPs.
And it's not just a historical threat for Estonia. Earlier this year 800 troops from the UK arrived in the country as part of a NATO "enhanced forward presence" campaign, which was aimed at deterring any Russian aggression. Tensions in Eastern Europe have been on the rise ever since Russia's illegal annexation of Crimea in 2014.
While staging Locked Shields on the anniversary of the attacks was coincidental according to the organisers (it happens the same week every year) it served for many as a reminder that while this was just a game, reality is not too far away.
One big difference is that the 2007 attacks were mostly denial of service attacks—flooding websites with so much traffic that they could not cope. This is one of the few attacks not allowed in Locked Shields, during which the Red Team uses vastly more sophisticated methods to bombard its targets.
"10 years ago in Estonia, mostly there was only the DDoS attacks—attacks that ground your systems down. But during this exercise, the DDoS is the only attack they are not allowed to do by the rules. They are trying to get inside your system, to compromise your systems, steal your data, change your data. That kind of incident wasn't around in 2007, mostly it was just DDoS attacks," said Magi of the Estonian Blue Team, who was a network system administrator at a telecoms company in the country at the time of the 2007 attacks.
During the second afternoon, the game reaches its climax: The Red Team moves from specific targets to attacking any systems it can reach. The Blue Teams are besieged, throwing everything into their defence, desperately trying to hold the line.
And then suddenly it's all over.
Some beers arrive from somewhere, and a bottle of brandy. The control room is released and suddenly the serious air is gone, and replaced with chatter and jokes and clinking glasses. People gather around the big displays to work out which teams lost what systems. Even members of the Red Team start appearing from their lair, although even now they remain a bit more serious and reserved.
Later, after all the adding up is done, bringing together all the scores from the different game elements, it becomes clear that the Czech Republic won, Magi's Estonian team has grabbed second place, and a team from NATO came in third.
NATO also won the legal game, Germany topped the forensic challenges, while the team from the UK scored highest in the communications game.
But are war games like Locked Shields missing the point?
While leaders have worried about all-out cyberattacks on critical infrastructure like the ones in Locked Shields, it is less obvious attacks that have caused the damage recently, like the hacking attacks on the Democratic National Committee in the run up to the US presidential elections and the hacking and leaking of emails from the Macron campaign just before the French elections. At least right now, spying and leaking seems to be having just as big an impact on politics as an attack on a power grid.
So are these teams planning for an attack that may never come and ignoring the trickier to defend attacks that are actually doing more damage? I asked CCD COE's elegantly bearded director Sven Sakkov if they are training for the right threats.
"Any unit needs training and preferably in the most realistic challenging live fire environment," he said, and pointed to events like the power cuts in western Ukraine as one example of the threats countries face.
"The issues of cybersecurity are front page news, so I suspect that we will see more, not less, in the future and I hope that because of the collective training that has been provided here in Tallinn for the Blue Teams distributed across Europe that some of the calamities hopefully might be avoided," he said.
But despite organising an event to help teams defend against these attacks, he also cautions against seeing every incident as cyberwar.
"If you say there is a cyberwar, then in international law that means there is an armed conflict between two nations with all the legal consequences and what that entails in terms of self-defense or collective self-defence," he noted.
"And if we cry wolf all the time and then actually we are in a situation where cyberattacks would result in people getting killed and things blown up, what will you call it then? Basically we undermine the terminology."
After the game finished, it was all packed away quickly; the ballroom became a ballroom again, and Berylia was packed up for another year.
And the teams returned to their normal lives, perhaps wondering if the next time they are called on to defend a country it will be for real.
Photo credit for hero image at the top: NATO