Cyber threats for the European Union: Not if, but when

By John Cosgrove and Adam Bulava

 

Mission: Enhance E.U. cyber security

Earlier this summer, a group of European ministers, senior officials from the North Atlantic Treaty Organization (NATO) and other influential European leaders assembled in Brussels for a cyber exercise demonstration. The demonstration was requested by the European Security Round Table (ESRT) as part of that organization’s conference called Shared Threats -- Shared Solutions: Toward a European Cyber Policy.

Reflecting shared concerns over ever-evolving cyber threats, the U.S. and European Union (E.U.) are on a joint mission to enhance their international cyber security activity and cooperation. At the heart of this effort is a common understanding among policy makers on both sides of the Atlantic that cyber security threats have no expiration date. That is, it’s not a question of “if an attack will happen,” but rather “when an attack will happen.”

In this article, we look at how international cyber exercises help illuminate and address international, governmental and private-sector cyber preparedness and response issues. At the conference, cyber security experts offered a snapshot of how exercises like these enhance cooperation and planning both within and outside the E.U.

As the premier member-based security policy organization in the E.U., the ESRT provides the Union, NATO and other organizations with a neutral forum in which to discuss the future of European security and defense policy. The June conference provided an opportunity to explore existing E.U. cyber security policies and initiatives, as well as what is needed for the future. At the outset, ESRT leaders hoped to provide attendees with a cyber exercise demonstration that would drive thinking about critical cyber security issues and spark discussion about how they currently are being addressed within their home countries, as well as in coordination with the E.U. and other outside entities.

The exercise demonstration presented a multimedia walkthrough of three distinct attacks against different European critical infrastructure sectors that had simultaneous impact on several E.U. member states. The demonstration was facilitated by cyber security expert Jon Noetzel of Fairfax, VA-based SRA International.

Greater than the sum of its parts

Prior to the actual demonstration, Noetzel explained the nature and purpose of the various exercise types. The U.S. predominantly adheres to the Homeland Security Exercise and Evaluation Program (HSEEP) methodology for civilian public-sector exercises. And, while many methodologies exist, they share similarities with core elements of HSEEP, which divides exercises into two broad categories: discussion-based exercises (DBE) and operations-based exercises (OBE).

DBE formats include seminars, workshops and table-top exercises. Typically, international exercises that involve senior government officials use this format and provide the opportunity to address and explore joint policy issues, such as memorandums of agreement, mutual assistance pacts and other inter-governmental coordination issues.

OBE formats, on the other hand, include drills, functional and full-scale exercises, and provide a forum for operational personnel to assess their capabilities against targeted goals. Two notable examples of this format are the U.S. Cyber Storm and E.U. Cyber Europe series, though it is important to note that the E.U. does not share this exact HSEEP terminology.

And straddling these two categories is a format known as games, which can be discussion- or operations-centered.

Given the number of high-level participants in attendance at the ESRT conference, SRA chose to demonstrate a DBE.

At their core, cyber exercises provide participants with the ability to make mistakes in a simulated environment without the real-world consequences. Moreover, they bring together diverse sets of stakeholders, all with the objective of validating plans and capabilities, and discovering specific operational and policy gaps by examining individual process components, as well as holistic performance in the aggregate.

Around the world, cyber exercises have advanced the resolution of key international issues and eliminated many historic barriers between nations that previously prevented joint coordination and cooperation in cyber security areas. Given the potential consequences of a mishandled response to an international cyber attack, these opportunities deliver very high returns on investment.

During the cyber exercise demonstration, Noetzel noted that the European Network and Information Security Agency (ENISA) has recommended increasing the number of cyber exercises in the E.U. as part of a continual pan-European exercise cycle.

Objective driven

Establishing clear goals, objectives and milestones is the bedrock of a successful exercise. Goals and objectives influence not only who participates, but also drive the development of the exercise scenario, as well as a litany of other planning details. The complexity of this issue increases, however, as more countries participate. While exercise planning methodologies vary from country to country, simple international exercises have been successfully planned and executed within a three- to six-month timeframe, while more complex exercises may require as much as two years of planning.

 
