If NATO Wants Stronger Cybersecurity, It Needs to Confront Real Hackers

In recent years, NATO has begun to incorporate some innovative new cyberwarfare games and exercises into its annual wargames. But there is something missing. If NATO wants to see what nation-state hacking is like in the chaotic multiactor online world, it needs to practice fending off some actual hackers.

In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1,000 participants and observers from 33 states. Over the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as the defense of a NATO member state’s critical infrastructure against a cyberattack. NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.

This was a wonderful opportunity that NATO mostly seized. Moving the games online meant that every connection, every network, every target machine could be tested at realistic and differing levels of vulnerability. But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic. The most recent U.S. Treasury and Commerce Department hacks and the still-developing U.S. National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.

Wargames have been used for centuries as a way to train and improve on military strategy. NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning. However, retrofitting the two traditional wargaming models—either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns—into cyberspace simulations just does not work. In the cyberdomain, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics.

The reality of the online world is much more chaotic than the NATO simulations presume. There are independent actors, cyber-criminals, white…