The importance of cyber tabletop exercises

As digital becomes the new normal, Europe will reap great benefits but will also have to confront enormous risks. For several years now, cyber has featured at the top of the threat assessments for ministers, diplomats and security officials. But what exactly does that mean in practice?

For criminal groups, this can translate into using cyberattacks for economic gain through theft of cash, data and intellectual property. Adversaries link espionage with data breach to cause strategic harm. For nation-states, political interference is another way of subversion through digital means with the goal to undermine citizen confidence in their political system through hack-and-leak and misinformation.

Moreover, ransomware has become a popular weapon in the hands of malicious actors. In mid-September, a woman died in Germany after a ransomware attack crippled a nearby hospital, and forced her to obtain services from a more distant facility.

Most worryingly, states or state-backed actors are preparing destructive cyber-attacks. As part of this, they insert sophisticated malware as ‘time bombs’ in target countries’ critical cyber networks, such as the energy sector, telcos and transportation.

For example, on at least two occasions, in December 2015 and 2016, hackers attacked Ukraine’s electricity distribution system, putting thousands of citizens in the dark for extended periods of time. Also, in 2016, the Mimikatz malware – which was later linked to a Russian military intelligence service – was spotted in the SCADA system of an Estonian holding group of the oil shale industry, power generation and public utility companies.

How can we prepare decision-makers to better anticipate and understand the effects of cyber-attacks? Holding exercises to respond to cyber-attacks is one of the best ways to raise awareness at the political level. The so-called ‘tabletop’ format allows for European ministers to best prepare at the highest level.

In September 2017, Estonia organised the first-ever cyber exercise for all EU defence ministers, with the NATO Secretary-General also attending. Then-German Defence Minister Ursula von der Leyen called it an “extremely exciting” war game that showed the need for EU governments to be more aware of the impact of cyber-attacks on critical infrastructure in the EU.

In July 2018, EU home affairs ministers met in Helsinki and participated in a scenario-based discussion exercise. Finland focused the simulation on countering hybrid threats, including hostile measures from cyber-attacks to disinformation campaigns. The aim was to  “find a way to build resilience and raise awareness in the EU”, said Finland’s Interior Minister Maria Ohisalo.

During the Nordic-Baltic foreign ministers meeting in Tallinn in September 2020, a 90-minute tabletop exercise was likewise organised. It tested the foreign ministers’ ability to respond to an escalating cyber-attack. Using tablet computers, ministers answered multiple-choice questions as they reacted to the situation, including some on whether they would make public statements or keep the situation secret and what could be possible diplomatic countermeasures to attacks. Ministers learned through a first-hand experience that a timely exchange of technical information is key to responding to any cyber-attack. “The shared view of the Nordic countries and Baltic States – especially when it comes to complicated issues – is crucial,” Estonia’s Foreign Minister Urmas Reinsalu said. All together, the experience taught Nordic-Baltic foreign ministers to value close coordination in cyber crisis.

More generally, regularly exercising response to cyber-attacks at a ministerial level can lead to more accountability in cyberspace.  Accountability mainly concerns state behaviour in cyberspace and state compliance with cyber norms, trust-building measures and existing international law. When it comes to legal questions of ‘dos and don’ts’ surrounding state behaviour in cyberspace, the answer must be sought from existing international law.

But accepting that existing international law applies to cyberspace, and having a clear legal framework, is not enough. Accountability requires more than this – it is closely linked with transparency and attribution. Not so long ago, cyber incidents were not publicly discussed by governments. While governments were aware of such threats, and worked every day to prevent them, publishing details about attacks was not within the scope of what they were expected to share.

Since 2018, public disclosures by a number of Western powers of details of cyber-attacks indicate a new multinational policy of state transparency. Greater public knowledge of cyber-attacks makes cyber conflict comprehensible and leads to greater public acceptance of cyber countermeasures.

Attribution plays an important role in holding states accountable for their actions. Ultimately, what matters, is that states engaging in unlawful actions, using cyber means, will not escape without consequences. With attribution, policymakers show that they know what is going on in these networks and can investigate incidents. It also clearly states what is unacceptable behaviour, and can help create state practice. Attribution is the basis, under international law, for countermeasures and self-defence. 

We need to ensure that state actors know that what they are doing in the cyberspace is taken seriously and, in case their actions and intentions could be considered harmful to other states, that there is a clear response. Public attribution and messaging are tools for deterring and responding to such behaviour, but also for raising wider awareness within society. Public attribution allows states to send clear messages and shape expectations that malicious cyber operations will not be tolerated, and warn the general public of the seriousness of cyberspace intrusions.

The next step after the public attribution would be to come up with a response. The EU Diplomatic Toolbox adopted in 2017 is an example of collectively pre-agreed possible response measures. It offers a framework for joint EU diplomatic responses to malicious cyber activities, including common diplomatic steps such as adopting condemning statements, declaring diplomats persona non grata or imposing sanctions on an adversary.

Most real-world crises in the future will have cyber components that require a political and diplomatic response in addition to a technical response. What the government and enterprises can do today, is to prepare to respond – and to prepare through engaging in realistic cyber exercises.