The NCI Agency lent its technical expertise to the exercise in several ways, including supporting the cyber range that allowed participants to play without damaging NATO's real operational network. Staff also helped to develop part of the story framing the exercise.
And of course, others in the Agency participated in the exercise. They did not know the scenario ahead of time, and had to adapt and respond to information in real time.
"It usually feels like crisis management," said Emmanuel Bouillon, head of the Cyber Security Incident Management Section at the Agency. "Although we are prepared, the amount of information and events and incidents we have to deal with in this short period of time… is out of the ordinary."
For Bouillon's team, which monitors NATO networks 24/7 in real life, the exercise is basically one month of activity crammed into just a few days. His biggest challenge is managing the team's workload— and its stress level.
The exercise, he said, is a good opportunity for them to practice using their tools and procedures in a near-crisis situation. So his staff used its day-to-day procedures and tools, and operated for the exercise out of its usual workspace in Mons, Belgium. Following routine was also crucial to making the exercise feel like a real event.
The exercise is technically challenging, and Bouillon had to ensure his team did not get stuck in a "technical rabbit hole."
"You could spend the whole exercise trying to solve one single issue, and there are times where we have to prioritize," Bouillon said. "We have to tell one of our technicians to stop, saying 'okay you've gone far enough now. We need to move on.' or 'This is not your priority anymore.'"
The exercise is meant to overwhelm the team with information, but they needed to take a step back and look at the bigger picture to explain it to the stakeholders, Bouillon said.
The organizers developed a very complex narrative to link the different cyber events thrown at the exercise participants. Though the basic scenario has been used in other exercises, the focus on elections was different, and the link between the different incidents was more difficult to pin down than it was in past years.
"Yet the training audiences across NATO and the partners were incredibly resourceful and organized in their approach to understanding how these challenges were interlinked," Sewell said. "They were highly effective at explaining that in ways that were relevant to the simulated peacekeeping mission that was being conducted."
Being a really good technician isn't necessarily enough, Sewell said. It is important that the staff can deliver solutions that solve technical challenges, but also support the commander's intent and the needs of the mission. The technicians need to have a good understanding, then, of what role the system plays in that mission.
During the exercise the Agency also deployed one of two Rapid Reaction Teams. Sewell is the coordinator for those teams, which serve as CERTs (Computer Emergency Response Teams) that can deploy where they are needed.
"They reacted in a really effective manner," Sewell said of the team deployed. "They were activated quickly, they assessed the situation well before they went so they deployed with the right people, the right skillsets, the right equipment."
Their briefings were also accurate and clear, he added.
Though the exercise has concluded, that doesn't mean work has ended for the Agency. Now the staff must identify what it could do better next time, and turn lessons identified into lessons learned.
"The whole point is for us and nations to learn from this. So I think the team is very cognizant of this and despite the fact that in the moment it's sometimes very difficult, sometimes frustrating, we are all aware that we are actually very, very lucky to be offered this space, this opportunity to learn, in a safe environment," Bouillon said.
From this exercise NATO will identify gaps, promote successes and prepare to respond even more effectively during next year's exercise.
"We can't stand still," Sewell said. "We have to make sure that in this growing area of cybersecurity we constantly develop and stay ahead."