From the Retamares military base in Madrid, CSO Spain receives an inside look at the Spanish team’s headquarters for Locked Shields 2024, a worldwide event for practicing coordination and cooperation in defense of cyberspace.

Credit: Juan Márquez

The island country of Berylia is under threat. Over the next 48 hours, it will be subject to an endless number of cyberattacks without interruption, which it must contain in the best way possible. Although the country is prepared, the scenario is far from ideal, as it is engaged in an open dispute over territorial waters with Crimsonia, which has even dared to invade part of its borders. The hostile activities are now directed at Berylia’s essential services connected to the Internet.

It is around 11 a.m. on April 25 at the Retamares Base in Pozuelo de Alarcón (Madrid), and journalists are preparing to witness how this country is preparing to protect its systems in “an exercise that is unparalleled in terms of size and characteristics,” in the words of Enrique Pérez de Tena, who, as head of international relations, communications, and media for the Spanish Joint Cyberspace Command (MCCE), is accompanying us on this visit.

Berylia and Crimsonia are fictional countries and what Pérez de Tena is referring to is Locked Shields 2024, a test that the NATO Cooperative Cyber Defence Centre of Excellence has carried out every year since 2010, and which the CCDCOE calls “the most advanced live-fire cyber defense practice in the world.”

“When people experience it, they don’t want anything else. They have the opportunity to carry out activities that they don’t have access to in their daily lives,” says Pérez de Tena as we walk through the venue.
“It’s like when a fighter plane launches missiles.”

In this edition of Locked Shields, Pérez de Tena explains, three divisions have been organized for the occasion, the objective of each being to defend the 18 regions of Berylia that are being attacked by another group of teams organized in Tallinn, Estonia, the central venue of the event.

As part of the exercise, each town on the island of Berylia has its own action team, and all have the same critical infrastructures to defend, ranging from nuclear power plants and banking systems to satellites and electricity distribution plants. In short, they contain “everything that could be attractive to cybercriminals,” Pérez de Tena says.

The test is known in cybersecurity circles as Red Team vs. Blue Team, and this year nearly 4,000 people are taking part. The team here in Spain is “played” by around 200 experts made up of 40% military personnel from the MCCE, Land, Sea and Air, who are supported by soldiers from Portugal, Brazil and Chile; and 60% civilians, from the MCCE itself and from private companies that put their talent at the disposal of these events.

At the end of the two days, the CCDCOE ranks the more than 40 countries that have participated, which include non-NATO countries such as Japan. This year, Spain has settled in the middle of the pack, while Latvia and tandems from Finland-Poland and Estonia-France have stood out.

Regardless of standing, both the CCDCOE and the MCCE emphasize the “collaborative” and “learning” nature of the exercise over competition. What’s more, as Pérez de Tena explains, “it also helps us to put faces to the situation. To know that someone is a great expert in a certain tool or system.
In this way, if I have a problem, I know I can count on them.”

Enrique Pérez de Tena speaks with COMPUTERWORLD Spain during ‘Locked Shields 2024.’ Credit: Juan Márquez

Cooperation, tension, and learning

During our tour of the exercise, we take in the hustle and bustle, as well as the tense calm that occasionally takes over the Retamares hub. But we assume that our media visit coincides with a period in which less serious incidents are taking place, at least not ones that would cause panic among the professionals.

First, we approach the communications and legal groups. Calmly, Pérez de Tena introduces us to a team, the one he himself directs: experts in crisis management. “Imagine that what we have in front of us are members of the Presidency of the Government or other ministries,” he says, to frame the situation. “How should they deal with, for example, a press conference? … We even manage a web page with simulated social networks in which content is posted; some false and some real. Our job is to compare everything and communicate.”

In the same room, a group of professionals from the legal team debate heatedly. “There are even tax professors,” Pérez de Tena says. “In war, decisions have to be made with many connotations.” These participants give the green light to certain actions according to the various conventions, he adds. “Is this in accordance with the Geneva Convention? Go ahead with it,” he says by way of example.

Before moving on to the stage where technicians are defending Berylia, we head to a large tent shrouded in silence. This is the center that coordinates communications and legal with the hackers. Here, they receive input on everything that is being concocted.

After that short detour, we arrive at the nerve center of the exercise, meet some cybersecurity “cracks” that we are not allowed to name, and finally come upon the teams tasked with protecting Berylia’s various regions.
“The attackers have an advantage because they have had time to prepare,” says Pérez de Tena. “For us it is as if it were doing our daily work.” In addition, he says, “there is no set time for incidents to be launched. People have to realize that cyberspace has no borders. It is a playing field for anyone who has a device.”

Is this exercise itself also a target for cybercriminals? “Of course,” Pérez de Tena replies. “But we have the best [defenders] here, right now. … If someone manages to get in, we’ll all go home and change professions,” he jokes.

A scenario that could very well be real

All this fiction could very well unfold in real life, because we find ourselves in a permanent state of cyberwar. “The color of our cap is grey because we are constantly in that zone that exists between war and peace,” says Pérez de Tena, adding that in Spain we can be relatively calm. “We are doing well, we are highly regarded internationally, and luckily we are not currently the target of the main incidents. But the tables can turn at any time.”

As for the impact of AI, Pérez de Tena does not believe it will be more relevant in this battle than “any other technological development that has occurred.”

Hybrid warfare has always existed and its main problem today is attribution. “Faced with the difficulty of obtaining expert evidence to bring a person, organization, or state before the International Court, countries are making political attributions. For example, a foreign minister says: I know [this attack] was you, and if you continue like this, I will [retaliate],” Pérez de Tena says.

Still, Pérez de Tena reiterates that cooperation is key and that “we learn from our mistakes.”

“We are not aware of how cheap it is to protect ourselves and how expensive it can be if we do not. But 100% cybersecurity does not exist,” he says, adding that, in warfare, MCCE is not a substitute for an airplane, frigate, or tank. “We are just another tool.
One that will also allow them to do their job.”