The Opportunities and Challenges of Military Cyber Exercises

It is May 2019 and a conference room of the Nordic Hotel in Tallinn is once again transformed into a situation room. There is a large scoreboard and map on the wall, and several tables, each with multiple screens set up. The conference room is filled with people wearing different color shirts and lanyards that indicate their team and role.  A government delegation is being given a tour from an exercise organizer wearing green. This is the scene of the largest international technical cyber exercise in the world, Locked Shields, run by the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Center of Excellence (CCDCOE)  

CCDCOE started organizing Locked Shields in 2012–preceded by the Baltic Cyber Shield, a one-off exercise in 2010. In 2021, Locked Shields had over two thousand participants. Thirty countries have participated so far, including a NATO alliance team and non-NATO member states Australia and Japan. Over the past decade, military exercises have increasingly focused on cyber-related scenarios, which present unique opportunities and challenges for military planners. The main opportunities of military cyber exercises lie in the collection and analysis of data and the signaling of operational capability. The challenges to military cyber exercises stem from difficulties defining an appropriate ruleset and the resources required to create a realistic training environment with realistic timeframes and dynamics. 

Military cyber exercises come in various shapes and forms: from specific, nationally oriented exercises such as Operation Eligible Receiver, organized by the U.S. Department of Defense in 1997, to more general, internationally oriented exercises like Cyber Coalition, organized annually by NATO. Some exercises are more offense-oriented, such as Crossed Swords, while other games lay the emphasis on defense, like Locked Shields.  

Military cyber exercises are generally run in a virtual environment. The benefit of which is the organizer’s ability to collect data as the activities of different teams can be more easily recorded. Whilst traffic logs and other data are not always easy to digest, it often creates the opportunity for more granular analyses of moves ex post facto. 

Signaling cyber capability is notoriously difficult. However, military cyber exercises can be used as a means of signaling capability and willingness to conduct or respond to cyber operations. “You cannot parade computer code on the streets of Moscow”, but you can create a scenario in which you successfully mitigate simulated malicious code in Moscow’s transportation infrastructure.  

But military cyber exercises also come with their own challenges. It is difficult to create a realistic exercise without a realistic battleground. Setting up an environment for military cyber exercises is not cheap; an extreme case is the U.S. Department of Defense’s plans for a new global cyber training environment, which is expected to cost roughly $1 billion.  

Second, military cyber exercises hardly ever stretch longer than a few days. This may set misleading expectations about the nature of cyber operations. We know that unique decision-making dynamics in cyber operations stem from their timeframe. Preparation of more advanced cyber operations takes time, a reality which may have affected the ability of Russian hackers to attack Ukrainian systems. Also, it often takes considerable time to move from initial access to fulfilling strategic objectives in a cyber operation. The installation of a backdoor in one phase may lead to the dropping of malware only many months later. 

The short duration of military cyber exercises can also negatively impact officials’ conception of the strategic potential of this space. Military cyber exercises generally revolve around a set of highly disruptive or destructive cyberattacks for a relatively short period–a typical scenario is an attack on critical infrastructure by an adversarial state. However, much of what we have been observing in cyberspace are multi-year campaigns comprised of linked cyber operations, with the objective of achieving strategic outcomes without the need of armed attack. Incorporating this understanding of the multifaceted and simultaneous nature of cyber activity is challenging under such time restrictions. 

Also, in the case of Locked Shields, it is hard to promote NATO’s principles of collective defense. Inter-team cooperation and collaboration between the countries’ blue teams in tackling cyber incidents has been a goal since Locked Shields’ beginnings. In early versions of the exercise, teams could score extra points for cooperation with other teams. However, it proved difficult to measure cooperation in a meaningful way during Locked Shields and reconcile it with the competition element of the exercise.  

Finally, one inevitable aspect of military exercises is that they come to an end. And while it is hard to predict the cyber future, one thing we can be certain about is that cyber operations are not ending any time soon. At the conclusion of the three days, Locked Shields crowns a winning defending blue team based on their performance under attack and a score they receive. Victory in cyberspace will never be this clear. 

Max Smeets is a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich, Director of the European Cyber Conflict Research Initiative, and author of 'No Shortcuts: Why States Struggle to Develop a Military Cyber-Force’, published with Oxford University Press and Hurst in May 2022. 

Brita Achberger is a Research Assistant at the Center for Security Studies (CSS) at ETH Zurich.