A Cold War is raging in cyberspace. Here's how countries are preparing their defenses

Much like conventional militaries, countries also need to perform occasional drills of their cybersecurity defenses. Instead of soldiers and tanks, these involve virtual machines – and months of pestering executives for their login credentials.
Written by Michiel van Blommestein, Contributor

Countries in Central and Eastern Europe run regular drills of their cyber defenses, which have been extensively tested in recent cyberattacks.


Cyberattacks are something every country has to deal with, but countries in Central and Eastern Europe are particularly wary of the occasional attack on their critical infrastructures and governments.

"Last year, we had over 4,300 incidents recorded," Rytis Rainys, the director of the National Cyber Security Center of Lithuania, a country with a population of less than three million, tells ZDNet. "That comes down to over 100 each day. We are constantly dealing with this, and that makes having your national cyber defense in top-notch condition extremely important."


Most attacks in the region don't make the headlines; others do. The 2015 attacks on Ukraine's power grid are still etched in the collective memory of security professionals, and the NotPetya ransomware outbreak of 2017, which went on to spread worldwide, was first noticed in Ukraine.

A decade earlier, some of Estonia's key institutions of government and finance came under attack, an event that prompted the country to bolster its cyber defenses and seek international partnerships. More recently, Polish government officials had their private mailboxes hacked and messages leaked. Many had used those accounts for government communications, something most security experts agree is not a good idea.

Levelling the playing field

The reason IT infrastructure in Central and Eastern Europe seems to come under attack more frequently has to do with its proximity to, and relationship with, Russia, says Andrzej Kozlowski, a cybersecurity expert at the Krakow-based think tank the Kosciuszko Institute. "The main difference between non-state and state actors conducting cyberattacks is that the latter does not need to balance costs with benefits," he tells ZDNet.

Not only do states have many more resources at hand, but they also don't need short-term financial gratification. "During the pandemic, we have seen attacks on medical facilities, which are aimed to just create an extra burden," says Kozlowski.

The Russian Federation in particular differs in its methods from other states, Kozlowski says. "These are not hackers employed by the state. Instead, we see a direct connection between actual cyber criminals and the secret service. When cyber criminals do something, nobody in Russia stops them and no one is ever extradited. This is unique. If you compare it to North Korea, for example, those are the security services doing the actual hacking."

The main benefit of that approach, according to Kozlowski, is that it offers plausible deniability that provides a shield from any consequences: "From the perspective of the Russian Federation, cyberspace is a great place to realize their goals. In a conventional military sense, Russia is no match for NATO. But in cyberspace, they can operate on a level playing field."

Beyond the firewall

So how do countries protect themselves? Lithuania regularly organizes cyber-defense exercises, both domestically and internationally; the most recent, Exercise Alarmex, was held in May this year.

These involve a 'Blue Team' and a 'Red Team' going head to head, with the latter attacking a mock IT infrastructure similar to the one used in real life. "We use virtual machines to create that network of the different organizations, and then we create scenarios which involve the Red Team trying to break into the network of the Blue Team, who try to defend themselves," says Rainys.

Awareness plays a key role in this approach, and Lithuania's National Cyber Security Center spends around half a year preparing each exercise.

Participating organizations do not know the scenarios beforehand, says Rainys. The exercises also test social engineering, with the Red Team receiving information on important players within the opposing organizations. "The Red Team would pose as internal IT personnel and call the executive directly to ask them for the password, or use other phishing methods," he says.


While in the past organizations were not always willing to participate, these days this isn't such an issue. "Four years ago, when we started this, we had to really try to convince them, but companies and institutions see the need now," says Rainys.

"We have a matrix of around 100 organizations deemed nationally critical, and they are eager to participate as it's a great security test which is basically free of charge for them."

Coordination is key, not just between different security teams, but between different organizational branches as well. "I participated in one such exercise myself," Kozlowski says.

"You also have different branches that hold their own responsibilities, such as the communication department that has to inform investors without causing panic."

Creating frameworks

While the European Union is often criticized as cumbersome, on cybersecurity it has been solid, says Kozlowski. "One of the main strengths we have in Europe is that we can create laws that are subsequently implemented over the entire European Union. So you have things like the GDPR and the NIS Directive 1, while they are working on a second document."

The result is that all members of the European Union will implement minimum cybersecurity standards, says Kozlowski, meaning even the weakest points within the bloc will be comparatively resilient and overseen by ENISA, the EU's cybersecurity agency.

European countries also collaborate militarily within the Permanent Structured Cooperation (PESCO) framework, within which sit the Lithuanian-led Cyber Rapid Response Teams (CRRTs), which conduct regular cyber-readiness drills.

There are also larger international exercises, such as ENISA's Cyber Europe and NATO's Cyber Coalition. Their purpose is to improve collaboration between incident management teams in different nations, Rainys says. "During attacks, loads of IP addresses are being used, so you need to coordinate to be able to block them."
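In practice, the coordination Rainys describes comes down to merging indicator lists from several teams and sanity-checking them before they reach border firewalls. The Python script below is an added example, not part of the article or of any national CSIRT's tooling: the team names, the feeds (documentation-range addresses with a few deliberately bad entries) and the use of 192.0.2.0/24 as a stand-in for the defenders' own infrastructure are all constructed for illustration.

```python
"""Merge IP blocklists shared by several incident-response teams.

Example code added to illustrate the article; it shows the checks a CSIRT
would run before pushing a jointly assembled blocklist to border devices:
parsing, rejecting entries that would block protected/internal space or
whole-Internet prefixes, collapsing adjacent networks, and recording which
teams reported each indicator.
"""
import ipaddress
from collections import defaultdict

# Prefixes that must never appear in a shared blocklist: RFC 1918 and loopback
# space plus, for this exercise, the defenders' own mock infrastructure
# (192.0.2.0/24 is a documentation range used here as a constructed stand-in).
PROTECTED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "192.0.2.0/24", "::1/128", "fc00::/7",
)]

# Refuse prefixes broader than this: a stray "0.0.0.0/0" or "/8" in a feed
# would take the whole Internet, or a whole region, offline.
MIN_PREFIXLEN = {4: 16, 6: 32}

# Constructed sample feeds, as three hypothetical national CSIRTs might share
# them during a joint exercise. Addresses come from RFC 5737/3849 ranges.
TEAM_FEEDS = {
    "csirt-a": ["198.51.100.7", "198.51.100.8", "203.0.113.0/25", "10.0.0.5"],
    "csirt-b": ["198.51.100.7", "203.0.113.128/25", "not-an-ip", "2001:db8::1"],
    "csirt-c": ["0.0.0.0/0", "192.0.2.10", "198.51.100.9"],
}


def parse_indicator(entry):
    """Return (network, reason); reason is None when the entry is usable."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None, "unparseable"
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return net, "prefix too broad"
    for prot in PROTECTED:
        if prot.version == net.version and net.overlaps(prot):
            return net, f"overlaps protected {prot}"
    return net, None


def merge_feeds(feeds):
    """Merge {team: [indicator, ...]} into one deduplicated blocklist.

    Returns (blocklist, sources, rejected):
      blocklist - list of network strings, adjacent ranges collapsed
      sources   - {network_str: sorted teams that reported something inside it}
      rejected  - list of (team, entry, reason) for entries that were dropped
    """
    accepted = defaultdict(set)  # network -> set of reporting teams
    rejected = []
    for team, entries in feeds.items():
        for entry in entries:
            net, reason = parse_indicator(entry)
            if reason:
                rejected.append((team, entry, reason))
            else:
                accepted[net].add(team)

    blocklist, sources = [], {}
    for version in (4, 6):  # collapse_addresses needs a single address family
        nets = [n for n in accepted if n.version == version]
        for merged in ipaddress.collapse_addresses(nets):
            teams = set()
            for n in nets:
                if n.subnet_of(merged):
                    teams |= accepted[n]
            blocklist.append(str(merged))
            sources[str(merged)] = sorted(teams)
    return blocklist, sources, rejected


if __name__ == "__main__":
    blocklist, sources, rejected = merge_feeds(TEAM_FEEDS)
    for net in blocklist:
        print(f"block {net:20} reported by {', '.join(sources[net])}")
    for team, entry, reason in rejected:
        print(f"rejected {entry!r} from {team}: {reason}")
```

Indicators reported independently by two teams (here 198.51.100.7 and the two halves of 203.0.113.0/24) are the ones worth acting on first; the rejected list is what a team sends back to the reporting CSIRT rather than silently dropping.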

No single country, or even a bloc of collaborating countries, will ever be fully prepared for cyberattacks, which is why they need to build up and constantly tune their cyber defenses.

And it's not just resilience against attacks themselves. "The European Commission under Ursula von der Leyen has put a priority on digitization, and among other things have added cyber diplomacy to the toolbox to react to certain attacks," says Kozlowski.

"The main aim of exercises is to show policy makers how to react."
