News Search

Dept. of Defense’s largest multinational cyber exercise yet focuses on collective defense

  • Published
  • By U.S. Cyber Command Public Affairs

U.S. Cyber Command’s CYBER FLAG 21-1 exercise, its largest multinational cyber exercise to date, bolstered the defensive skills of more than 200 cyber operators from 23 countries at Joint Base Suffolk, Virginia, from Nov. 15-20.

CYBER FLAG 21-1 directly supported national objectives of strengthening the international community of defensive cyber operation, and sought to improve the capabilities of the U.S. and its allies to identify, synchronize, and respond to malicious cyberspace activities.

Defensive cyber teams from Canada, Denmark, Estonia, France, Germany, Lithuania, Norway, the Netherlands, Poland, Sweden, the United Kingdom and others participated in CYBER FLAG 21-1. Fourteen countries participated in person and multiple other nations used USCYBERCOM’s real-time virtual training environment.

“Threats in the cyber domain have no geographic boundaries, so the cyber threats that can confront any given country can easily spill into another country,” said Elizabeth Phu, Principal Director Cyber Policy for the Office of the Secretary of Defense.

She added that it is important for the U.S. to continuously train with our partners and allies. Understanding how they respond to threats helps the U.S. better leverage combined and joint responses.   

“We are not going to be able to confront any cyber threat alone,” said Phu.

More resilient, more defended together

CYBER FLAG 21-1 is one of U.S. responses to the exploitation of SolarWinds to strengthen collective defense in cyberspace and affirm the importance of an open, reliable, and secure internet.

“This was really part of the response actions to what we saw in Russian activities with malicious cyber actor’s exploitation of SolarWinds,” said U.S. Navy Rear Admiral Heidi Berg, USCYBERCOM Director of Strategies, Plans, and Polices. “This exercise bringing together our European allies is a key element of how we will look to respond in the future. “

Using a flexible virtual cyber training environment, the National Cyber Range, the exercise tested participants’ skills and ability to detect enemy presence, expel it, and identify solutions to harden their simulated networks.

“This is an important exercise because we bring our cyber operators here to have a scenario where they can train their defensive measures,” said German Vice Adm. Dr. Thomas Daum, Chief of the German Cyber Information Domain Service.

His team of 10 German cyber operators physically participated at Suffolk while using the National Cyber Range, at the same time other countries trained on it from their home location.

“One of the most important things that will come from this exercise is bringing together and strengthening our unity of response,” said Berg. “That’s a powerful message to send to malicious cyber actors.”

During the final day of the exercise, participants and observers participated in a strategic cyberspace wargame, which focused on synchronization of policy, plans, and force development across the spectrum of cyber conflict. 

The wargame highlighted the value of international collaboration during events like Cyber Flag to increase coordination between nations and facilitate a common defense against malicious cyber actors.

Building partnerships in cyberspace

Multinational training exercises like the Cyber Flag series enable cyber defense tacticians to share how they respond to a cyber incident and exchange tactics and techniques.

“This kind of multinational training is important, especially in the cyber defense area, because we all have different tools, we all have different procedures, we all have different understanding about the operational vision of an attacker,” said Daum. “So it’s important to share these views, because everybody will leave this exercise with more experience than they came in, and by securing the national systems, they will have benefited the future.”

The Department of Defense is taking steps to incorporate additional allies into USCYBERCOM’s training exercises. CYBER FLAG 21-1 is an example of this expansion as cyber planners and operators from many nations come together and unite in a shared focus: defending their nation’s networks against common threats.

“I think what this exercise says is, there are partner nations that will come together to try and prevent something like SolarWinds in the future,” U.S. Coast Guard Rear Adm. Christopher Bartz, USCYBERCOM’s Director of Exercises and Training. “It’s a real statement to your adversaries about the unity of effort with the U.S. and its allies.”

This exercise series also provides a reoccurring opportunity for USCYBERCOM to train with domestic and international partners against foreign hostile cyber threats, and deepen key partnerships with U.S. allies and partners.

“These exercises are essential to build out common approach for how we address adversaries in a dynamic, rapidly changing environment,” Berg said. “This is our opportunity to sit together and to walk through how we do response options.”

Ultimately, CYBER FLAG 21-1 is focused on bolstering relationships in cyberspace to improve collective security, defense, and resiliency in a global digital world.

Berg also notes that these sorts of exercises build trust together with key partners, which “proves to be utterly essential in responding and defending against malicious cyber actors operating outside of international norms in cyberspace.”

Tailored Training for Integrated Deterrence

CYBER FLAG 21-1 is one of three distinct cyber field training exercises that USCYBERCOM conducts annually, designed to provide realistic virtual defensive cyberspace training. The multinational exercise enabled collaboration through the National Cyber Range, using tailored and virtualized network terrain modeled to suit each of the participating military elements.

As a training environment, NCR enables DOD to conduct virtual, combined, and joint cyberspace training, exercises, mission rehearsals, experiments and certifications. The environment uniquely enables a high degree of collaboration, development, and assessment of U.S. and allied cyber tactics, techniques, and procedures for defensive cyber missions that transcend boundaries and networks.

“The great thing about the National Cyber Range is it’s accessible if there’s a node that you can get on. We have nodes all over the world, so you can actually do an exercise and distribute it over multiple time zones,” said Bartz, who leads the planning and execution of such training exercises for USCYBERCOM. “NCR can do a lot of things that normal cyber ranges can’t do. It can immediately deploy a network, and then you can reuse the content for multiple instances.”

CYBER FLAG 21-1 was the first time some nations used NCR to train in an environment that provided the operators hands-on experience in dealing with real-world problems—with the space and time to assess their success after the training, without the pressure of a large incident response.

“This is not a static failed system that they need to fix, but a dynamic exercise,” said Daum. “So the opposing force that tries to crash the system gives an opportunity to our defensive operators to prevent an opponent from getting into the system.”

While CYBER FLAG 21-1 is just one exercise, it is part of a larger DOD effort toward integrated deterrence across all domains, include cyberspace. Increased cyber security awareness and training brings increased resilience against cyber-attacks around the world.

“We’re raising all of our countries’ awareness of the cyber threats out there, so we are better prepared,” said Phu. “We are unlikely going to be able to prevent all cyber-attacks, what is important is how we detect the attacks and how we respond to the attacks. Exercises like Cyber Flag give us better tools to do so in the future.”