NATO’s premier and largest defensive cyber exercise aims to improve the capabilities of member-states while bringing forward new tactics and lessons for U.S. cyber forces.
The most recent iteration of Cyber Coalition took place Nov. 27–Dec. 1 and included 28 nations. The initiative gathers allied countries together regardless of their cyber expertise to address a common scenario to bolster NATO and each other collectively, according to Candace Sanchez, a senior exercise planner at 16th Air Force.
“The fact that it’s what I would say a quote/unquote ungraded event, makes it a much more welcoming exercise and event for nations who may not be as mature in the cybersecurity realm to come and participate and sharpen their skills,” she said in an interview. For those that are more advanced, it’s also an opportunity to learn tactics, techniques and procedures (TTPs) from other nations to better their defenses, she noted.
The 16th Air Force — the Air Force’s information warfare organization that includes its cyber component, AFCYBER — has led the exercise the last five years, due primarily to the fact it’s the main coordinating authority for cyber operations in the European theater for U.S. European Command on behalf of U.S. Cyber Command, under a setup called Joint Force Headquarters-Cyber Air Force. Each service cyber component beneath Cybercom has a Joint Force Headquarters-Cyber component that is responsible for conducting cyber ops on behalf of assigned combatant commands.
Sanchez said the exercise is focused on a common adversary that introduces threats to specific coalition networks that can impact a fictional mission. Those could include things like supply chain interdiction attacks, exploitation of common networks or electrical grid vulnerabilities that can be threaded into the larger scenario.
Participants in a range environment then seek to identify those vulnerabilities and remediate them — reporting up the chain and helping each other along the way.
“If one nation identifies a vulnerability and another one might be struggling or just hasn’t caught up, they can get some of those nuggets from that nation to help them in their investigation,” Sanchez said. “It’s heartwarming to see that the other nations are open with how well or not how well their teams are doing, as we are ready to share our successes and our challenges with our partners and allies so that we can learn and grow.”
These types of exercises are meant to not only improve skills and capabilities, but enhance collective defense and information sharing for the alliance. In some cases, U.S. forces can take lessons from other nations’ cyber techniques.
“We’ve used the last four years to expand our footprint in the exercise and take advantage of the opportunities to engage with our allies and partners,” Sanchez said. “Specifically on how do we share information in the cyberspace domain, specifically defensive cyber operational information, in a timely manner against the common adversary so that if we face threats, that we use a common platform to share that information, so that we can go after the threats, remediate any vulnerabilities that are identified and share that information across the board.”
Shaping American exercises, forces and concepts
Cyber Coalition can be thought of as one event in a continuum of exercises to improve U.S. military skills and information sharing.
While it doesn’t go as far as some other exercises in terms of integrating cyber to the timing and tempo of operations — given that it’s solely focused on defensive cyber — lessons learned are captured and can be pulled into other exercises the Defense Department may be conducting. This could include events such as Eucom’s Austere Challenge that Cybercom also participates in.
“Collectively, we bring this all together and we work with each other as cyber components to U.S. Cybercom in other exercises. Because even though this scenario for Cyber Coalition is very specific to NATO and to the Eucom theater, the lessons that we learned from it can be applied globally, no matter what exercise that we might participate in,” Sanchez said. “It’s a safe environment to learn new techniques, understand current processes for people who may not be familiar. It’s an opportunity to assess each other’s capabilities, garner that trust that we need to have before we move into a crisis where we’re going to depend on each other to operationalize those relationships.”
In practice, from an operational and strategic perspective, Sanchez said this means having Joint Force Headquarters-Department of Defense Information Networks — a subordinate headquarters under Cybercom responsible for protecting and defending the Pentagon’s network globally — work on the information-sharing framework. If AFCYBER finds something, they can work on routing that up the U.S. channels to others and eventually to a partner or ally, Sanchez said, explaining information sharing is also a large part of what JFHQ-DODIN’s role is.
JFHQ-DODIN participated from a staff level at the Cyber Coalition event.
From a more tactical standpoint, the Air Force had a cyber protection team (CPT) — defensive teams under Cybercom that hunt for and eradicate threats from the network — and a cybersecurity service provider (CSSP) from AFCYBER — local defenders and maintainers of a network at any given organization or installation — sit side-by-side. While this isn’t something that happens operationally, it was an opportunity for the CSSP to learn from the cyber protection team, which has more strength and insight given the nature of what it does day-to-day.
“That was a big win for us. And we plan on continuing to do that in future iterations of Cyber Coalition and possibly … other exercises as well,” Sanchez said.
While these two teams were the only U.S. tactical forces that actually participated in the exercise beyond a staff perspective, Sanchez said next time around, she hopes to have more tactical participation.
“I hope for the next iteration that continues and that we further our footprint in the exercise and maybe introduce some more tactical teams into the event, because it was really fruitful for our cyber defenders, our CPT, CSSP,” she said. “Even though they were here in San Antonio supporting the exercise, virtually they were able to engage with their counterparts from other allied nations and understand how they approach the cyberspace domain and cyberspace security. They were able to glean some new TTPs from those nations. That was really exciting to see for this exercise.”