Held in Tallinn on 7 September, the exercise brought together EU Defence Ministers, the High Representative of the Union for Foreign Affairs and Security Policy and Head of the EDA Federica Mogherini, senior representatives of the European Commission as well as the heads of cyber-related EU agencies. CYBRID’s main objectives was to raise cyber awareness at the highest political level and to practice strategic decision-making procedures to be followed in case of a cyber-attack against EU military structures. In  the spirit of the new EU/NATO Joint Declaration, the exercise was also attended by NATO Secretary General Jens Stoltenberg.

Cyber + hybrid = CYBRID 

The exercise name in itself is a reminder of the fact that cyber and hybrid warfare have become a new threat cocktail that can no longer be ignored by defence planners. Blending traditional military with non-military tools, hybrid strategies seek to incrementally undermine a system, destabilize a region or state and fuel conflict. Another key feature of hybrid warfare is that attacks are very difficult to attribute with certainty to a certain state or group, in effect allowing attackers to remain incognito.. At the same time, hybrid aggressions come in such small doses that it is  difficult to categorise them as clear-cut armed attacks under international law. This, in turn, makes it harder for any victim country to use its legitimate right to self-defence.

Awareness at the top level

Cyber is nowadays widely acknowledged as a major threat to Europe’s security and, subsequently, has its place in the EU’s Common Security and Defence Policy (CSDP). Yet, crucial aspects such as CSDP missions and operations’ resilience to such threats have to date been given only limited attention. How far a third country’s dubious cyber activities can be considered an indicator for active hybrid warfare also requires further reflection and debate. What is beyond doubt, however, is that aggressive cyber campaigns orchestrated by adversaries in combination with other hybrid actions (such as propaganda, fake news, use of proxies, etc.) can easily provoke massive disruption in whatever country, organisation or infrastructure targeted by such attacks, including CSDP missions and operations. Such  crisis inevitably involves the full chain of command, up to the top military and political level. Hence the need to raise ‘Cybrid’ awareness at the highest level throughout Europe and to improve cyber defence incident coordination. 

Cyber must be given as much attention as land, air, sea and space. The buy-in of Member States is key for the EU to have the necessary skills, technology and capabilities.

Political guidelines in case of cyber-attack

Against this backdrop, the goal of EU CYBRID 2017 was to practice strategic contingency procedures in a situation in which a cyberattack campaign was underway against the European Union’s military structures. In other words: to test existing EU policy guidelines to be followed in case of such an event. Ministers’ discussions in particular focused on:

  • situational awareness and the importance of reaching a common understanding and political assessment of a given crisis, as well as of the impact a cyber-attack and/or other subversive activities can have on EU military structures; 

  • crisis response tools available at EU-level to give strategic-political guidance on the response to a major offensive cyber-campaign against CSDP structures in a hybrid warfare context; 

  • strategic communication and the need to properly coordinate the information flow between EU Member States at the highest political-strategic level; 

  • cybersecurity incident coordination mechanisms at political level;

  • the application of the ‘Cyber Diplomacy Tool Box’ (based on first lessons learned from the crisis scenario studied at the Tallinn exercise) for responding to similar crises in future.  

More technical aspects related to these topics have been and will be addressed in future follow-up exercises to be held at expert level. A first such exercise, EU PACE 2017, took place from 28 September to 4 October 2017.

Orchestrated cyber-attack

The practical exercise scenario discussed by ministers in Tallinn was based on an hypothetical orchestrated cyberattack campaign against a fictive EU-led military operation in the maritime domain, which targeted both the mission’s operational headquarters and its subordinated maritime assets.

Ministers, who were provided with incident information in real time, had only a limited amount of time to decide  how to react. Other successive activities like third party orchestrated propaganda against the operation, the use of social media to organise a protest against the operation, the launch of fake news about the operation etc. left no doubt that the cyber-attack campaign was part of a wider hybrid strategy. 

Multiple cyber-attack scenarios using a wide range of cyber tools were run through, combined with other incident scenarios. The exercise obviously referred to fictitious countries, organisations and operations but under conditions deemed as realistic as possible. 

Previous article

The Coordinated Annual Review on Defence (CARD)