Last year, Capt. Sean Ruddy and his team of operator-soldiers from the US Cyber Brigade entered Locked Shields, a NATO-organized cyber-defense war game that pits teams from dozens of countries against "live-fire" attacks. It was their first time. And of the 19 countries represented, the US finished dead last. This week, they got their shot at redemption.

Locked Shields challenges participating countries to show off their defensive prowess, rather than offensive firepower. NATO’s Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia, organizes the event and plays the part of the offensive "red team." The US and others play as "blue teams," charged with not just securing the networks of a fictional country, but responding to the attendant media and legal issues as well.

“You are in an unfamiliar environment,” says Rain Ottis, who is the NATO CCDCOE Ambassador and head of the neutral “white team.” “There are lots of incidents at the same time and maintaining control of your team in a perfect storm is a significant challenge.”

That makes it a natural fit for the US Cyber Brigade, which defends infrastructure and "terrain" at US military bases: power plants, water treatment systems, air traffic control, and base fuel supplies. That also should drive home just how important it is to make a good showing the second time out.

'Pure Chaos'

How badly did things go for the US last year? The red team took control of its drone, made it fly in circles until it ran out of fuel, and crashed it into the virtual ocean.

"It was a pure chaos-type environment," Ruddy recalls. "You had a red team advancing through your network on six or seven different fronts. You don’t get any breaks. It was abusive."

So Ruddy and his squad—based at Fort Gordon, GA, but operating at a US base in Wiesbaden, Germany—went into this year's games looking to restore some pride. To do so, they expanded their team, and added two Dutch observers. Even that offered no guarantees; there were more participants than ever, and a few new wrinkles.

Locked Shields hosted 25 countries this week, compared to last year's 19, each defending against a simulated air base attack. Ottis and the organizers worked with global electronics giant Siemens to set up a simulated power grid for the game-playing environment, as well as drone simulators from Threod Systems, an Estonian UAV developer.

There was also new strategic gameplay, centered on how an individual nation should respond to a cyberattack, and how to make decisions from a legal and diplomatic perspective. When is it OK to drop a “cyber-bomb” such as the US-Israeli Stuxnet virus, if your own critical infrastructure has been attacked?

On-site military lawyers debated those questions of international law, says Ottis, while the computer operator-soldiers fended off DDoS attacks and probes into the airfield operating system.

Practice Makes Perfect

While the exercise was fictional, it reflects a very real threat to NATO members, the US military included. Russia has been linked to cyberattacks on Sweden's military IT last year, the shutdown of air traffic control at five civilian Swedish airports in 2015, and the western Ukrainian power grid in 2015 and 2016.

Ruddy and the NATO organizers of the "Locked Shields" exercise won't comment on Russia specifically, but they say the role-playing may help keep the next attack at bay.

“This is simply NATO members getting together and testing each others' defensive capabilities,” says Ruddy, who has placed US observers with Estonian and Latvian cyber squads as well. “We have chat rooms, and we can say, 'Hey, I’m seeing this on this machine.’ It helps to build capabilities across multiple nations.”

The US will likely have to step up its cyber defense game as NATO expands its ground troop presence in Eastern Europe. The US deployed 3,000 troops and 80 battle tanks in the Baltic States, Poland, and several other Eastern European nations in January. The UK, France, and others positioned battalion-sized units of about 1,000 troops each in Estonia, Latvia, and Lithuania in 2016.

Most Improved

After two days of intense cyberwar, Ruddy says his team survived pretty well. Rather than shutting down computer networks at his fictional base to prevent all intrusions, the US team decided to keep systems operating at the risk of a breach.

It didn't entirely pay off. The red team got in through backdoors and gained control of some systems. But despite the added competition and new challenges, the US blue team managed to improve on last year’s last-place finish, moving up to 12th overall. The Czechs won, with the Estonians in second.

“Yes, we kept the drone flying,” Ruddy said Friday from Germany. “We never lost control of it, and the airfield was never set on fire. So, that was good.”