El Mando Conjunto del Ciberespacio ha contenido más de 600 ataques peligrosos para la defensa de España en el último año

If the coronavirus has taught us anything, it is that the most dangerous threat is sometimes invisible, yet its consequences can paralyse an entire country. This is exactly what happens with cyber-attacks. 

"Today, cyberspace is an area in conflict: we are more exposed every day, and we are not aware of it," says Lieutenant Colonel Óscar Corbacho, commander of the Training and Education section of the Joint Cyberspace Command (MCCE).

Security, as we understand it today, has nothing to do with what it was a few years ago. And the Armed Forces are no longer solely responsible for Spain's defence: private companies and any citizen with a smartphone in hand are responsible for their own cybersecurity, and are also the first line of defence.

These attacks come from criminal organisations (whether or not they are associated with a state), are increasingly professionalised and it is very difficult to attribute their authorship. "At the MCCE we detect thousands of attacks directed at defence organisations in Spain every day, of which some 600 have been potentially dangerous in the last year," explains Lieutenant Colonel Corbacho.

But who can suffer a cyberattack? "From a nuclear centrifuge to a ship's GPS or a hospital's computer system on which hundreds of lives may depend". According to NATO, cyberspace is already the 5th domain of military operations, and as such, it is necessary to be prepared to deal with conflicts there.

This requires training. Just as army soldiers train on manoeuvre fields, or sailors on a frigate, so do the Joint Cyberspace Command's troops train in virtual drills. There are two key exercises each year, one nationally and one internationally organised by NATO: Cyber Coalition, which took place in December and involved 30 countries and a total of 1,000 personnel.

Cyber Coalition is NATO's flagship annual collective cyber-defence exercise. It has been conducted since 2008 (Spain has participated since the beginning) and is monitored from the Cyber Security Training Centre in Estonia (Cyber Range 14). 

It is a collective, rather than competitive, exercise, meaning that participants work together towards a particular goal rather than competing against each other. The Cyber Coalition pursues three key objectives:

•     Exercise existing mechanisms for interaction between NATO, allies and partners to improve collaboration within the cyberspace domain.
•     Improve the Alliance's ability to conduct operations in cyberspace for civilian and military entities by exercising situational awareness development,  cyberspace intelligence sharing and cyber incident management.
•     And provide information to identify security gaps, training requirements and validate developing procedures to support the development of cyber warfare.
   

This year, among the 30 countries participating were Finland, Sweden, Switzerland and Ireland. These nations responded to the cyber-attack drill by working side-by-side with NATO partner nations, as well as other participants from industry and academia. In total, some 1,000 people at a time, remotely, from national capitals.

The 2021 scenarios included a cyberattack on a fictional country's gas supply pipeline; a cyberattack that disrupted troop deployment and logistics; and a pandemic-related ransomware attack that stole vaccine data and compromised vaccination programmes.

Less fictitious scenarios than might be imagined. And proof that any of these scenarios could actually happen at any time was the massive cyber-attack that Ukraine recently suffered, disabling its foreign ministry's websites and sending a message aimed at triggering panic among its citizens (already in the midst of escalating tensions over Russia's moves).

So much for theory. But what does a cyberattack look like? "It's exactly the same as if there was a real-life attack, like the one against the SEPE in 2021, which took down the Public Employment Service for weeks," explains Lieutenant Colonel Corbacho. "Suddenly things start happening. Messages arrive, warnings from people that their computer is not working; or they inform us that something is happening in another country that may be related to our networks". This is how the simulation begins.

From that moment on, when "things start happening", the engineers and the rest of the Joint Cyberspace Command team begin their forensic analysis to find out what is going on and put it into context. "It's not the same as a cyber attack directed against a ship disabling the helm, or simply preventing sailors from reading the Marker when they are on board... It's not just about finding out what's going on, the most important thing is to assess what the consequences might be," the officer in charge of the exercise explains by way of example.

With this information, they produce reports that are shared with the Estonian Cyber Range, and in turn with the other participating nations. It also tests the ability to understand other countries when it comes to dealing with such an attack.

Today, sharing real, sensitive information between states is unthinkable. No matter how much of a partner they are. So the only way to learn how to work together to neutralise a massive cyberattack is to practice such cyber manoeuvres.
 

The exercise lasts one week and when it is over, a NATO doctrine is developed with the observations made during the process. In addition, procedures for action at the national and international level are created. 

In the last Cyber Coalition, Spain participated with more than 40 people. A multidisciplinary team with profiles specialising in monitoring, forensic analysis and intelligence. The team included technicians from private companies, public bodies such as the Ministry of the Interior, and members of other state security forces. "We already work regularly with the Police and Civil Guard, and in this type of practice we know each other better. Cyber defence, unlike other areas of conflict, does not depend only on the army".

"If a Spanish bank suffers a cyberattack, it affects the security of the entire country; and although cyberdefence is not by definition the responsibility of the Armed Forces, when it affects the security of the country, we must collaborate". That is why it is important for private enterprise to engage in this type of practice with military personnel. And Spain is among the five countries in the world with the best communication and cooperation in cybersecurity.

In addition, there are economic advantages. "Conducting these NATO cyber manoeuvres (the most important that exist today) is much cheaper than moving a single frigate," continues the lieutenant colonel. The main investment required for the Joint Cyberspace Command is human: "We need many hours of social engineering, and highly skilled people dedicated to it".

"The user is not aware that a piece of software can take more engineering hours to create than a suspension bridge." "Because we sometimes get it for free, for example some phone apps, we think it doesn't cost anything to make them," continues the NATO exercise commanding officer. "In cyber defence, it's the same thing: the hours of engineering that go into preparing for it are not visible, but they are the key to making defence systems work".

Currently, the MCCE has 230 military and 50 civilian personnel. But these personnel should double in the next five years to be able to cope with the cyber-defence challenges ahead.

"We lack highly qualified personnel. Spain's army has a serious problem," they say. To the question of why it is so difficult to achieve this, there are two answers: the rotation inherent to the Armed Forces, where in order to move up the ranks you have to change postings; and the counter-offer from private companies, which "steal" the most qualified military personnel with tempting economic offers.

It is not just the army that is involved in the battle for engineers specialising in cybersecurity: both public bodies and private companies are demanding more and more people, and they are becoming increasingly specialised: from computer engineers to intelligence analysts. The sector is currently experiencing zero unemployment.

The Joint Cyberspace Command is one of the three CERTs (Computer Emergency Response Teams) currently in place in Spain. It was created in 2013 and, being part of the Army, it is responsible for ensuring the security of all IT equipment and infrastructures that depend on Defence.

The other two Computer Emergency Response Teams are the CCN, which depends on the CNI and monitors the equipment of the Public Administration; and INCIBE, aimed at SMEs and individuals, whose headquarters are in León and which attends to citizens through the 017 telephone number.

As far as Defence is concerned, the Spanish Army's success rate in neutralising these cyber threats is 100%. But this does not mean that they can relax in the face of upcoming milestones -such as the implementation of 5G or the proliferation of the internet of things-, as forecasts indicate that the number of cyber attacks will grow exponentially as our use of the internet increases.    

Cyberspace has become a cross-cutting area, and collaboration between civilian, academic, military and private enterprise is the key to effective cybersecurity.