Originally on Foreign Policy, December 22nd, 2020.
Wargames can provide essential cybersecurity training for soldiers. But they won’t succeed unless the players confront real, independent hackers.
BY TARAH WHEELER, AMY ERTAN | DECEMBER 22, 2020, 7:53 AM
In recent years, NATO has begun to incorporate some innovative new cyberwarfare games and exercises into its annual wargames. But there is something missing. If NATO wants to see what nation-state hacking is like in the chaotic multiactor online world, it needs to practice fending off some actual hackers.
In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1,000 participants and observers from 33 states. Through the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as defending against a cyberattack on a NATO member state’s critical infrastructure. NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.
This was a wonderful opportunity that NATO mostly seized. Moving the games online meant that every connection, every network, every target machine could be tested at realistic and differing levels of vulnerability. But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic. The most recent U.S. Treasury and Commerce Department hacks and the still developing U.S. National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.
Wargames have been used for centuries as a way to train and improve on military strategy. NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning. However, retrofitting the two traditional wargaming models—either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns—into cyberspace simulations just does not work. In the cyberdomain, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics.
The reality of the online world is much more chaotic than the NATO simulations presume. There are independent actors, cyber-criminals, white hats, respected security firms, broken infrastructures, country-sized firewalls, a massive and messy differential in power between the largest and smallest actors, and all the chaos of artificially intelligent tools that can automate overwhelming attacks based on leaked personal data.
Unfortunately, NATO does not include nonstate actors in the annual cybergames. This creates three problems. First, there is no guarantee that an attack will come from uniformed soldiers of a hostile country. Bad actors will use whatever low-cost hacks they can find, make, buy, or steal.
Second—and crucially—defending cyberspace requires people who think differently. Even the U.S. government has reached out to hackers to staff up agencies such as the FBI and National Security Agency, realizing that traditional information technology education does not produce innovative offensive security researchers. Limiting contributions to active military and public sector employees will result in a certain amount of groupthink. It is critical for NATO to include nonstate actors, independent researchers, and respected industry experts (who aren’t solely military contractors trying to pump up weapons sales by sponsoring these wargames).
Third, we in the cybersecurity community have been aware that civilian medical facilities and research stations have not only been fair game but the primary targets of international bad actors for half a decade. After we saw vaccine research stations targeted by North Korea and others at the beginning of the pandemic, we in the industry and the cybersecurity community predicted repeatedly that vaccine production would be targeted by nation-states. The recently reported successful espionage attacks on Pfizer and BioNTech facilities are evidence that we were correct. NATO should include in its cybergames the kinds of urgent current events we are already seeing play out in the news.
In the past, NATO has been caught off guard when its cyber-exercises failed to account for real-world attackers. In October 2018, 50,000 soldiers, sailors, and pilots from 31 countries simulated war off the coast of Norway. NATO’s Operation Trident Juncture did not include cyberattacks in the wargames at all—until real-world Russia actually began jamming the real GPS systems of the conventional weapons being tested on the battlefield as part of the simulated conflict.
Everyone planning the games had previously agreed on the polite and necessary fiction that the computers embedded in their vehicles and weapons—and managing their air, water, fuel, targeting, and health—were not permissible targets in this engagement. Russia’s behavior highlighted the absurdity of NATO excluding the cyberdomain from conflict simulations. Even after this real-world mid-scenario attack, NATO has still not incorporated the randomness of actual cyberspace in its simulations.
Recent attacks on vaccine production facilities show how failing to model cyberthreats appropriately will come back to bite you, and we predict that medical facilities will be a popular target for cyberattackers in the future.
Therefore, military and government cyberdefense forces should use hackers’ skills and noninstitutional creativity to help predict attacker tactics.
The organizers of future wargames need to recognize that having independent experts see and participate in wargames means the ability to model opponents other than nation-states, test the scenario and the network in use from a fresh perspective, and ultimately make for a stronger training outcome. Cyberwar is new, and soldiers who have been conditioned to see only clearly delineated battlefields will enjoy the challenge of needing to think orthogonally, strangely, and innovatively.
It is important to build NATO’s ability to monitor, manage, and conduct cyberwar because these simulations often lead to a de-escalation of conflict after capabilities become known to the players (and their potential opponents). The same quality that makes cyberwarfare so rapid and difficult to detect—its relative cheapness in terms of cost and time—also makes it much easier to simulate than naval warfare, for instance.
The international information security community is filled with smart people who are not in a military structure, many of whom would be excited to pose as independent actors in any upcoming wargames. Including them would increase the reality of the game and the skills of the soldiers building and training on these networks. Hackers and cyberwar experts would demonstrate how industrial control systems such as power supply for refrigeration and temperature monitoring in vaccine production facilities are critical infrastructure; they’re easy targets and should be among NATO’s priorities at the moment.
Diversity of thought leads to better solutions. We in the information security community strongly support the involvement of acknowledged nonmilitary experts in the development and testing of future cyberwar scenarios. We are confident that independent experts, many of whom see sharing their skills as public service, would view participation in these cybergames as a challenge and an honor.