Hospitals across Europe were crippled when the computer technology in various systems failed. Was it directed by a nation-state, a new type of adversarial attack, or an unintended consequence of our growing dependence on connected technologies? How do various European governments, private sector, and international institutions react in any of these situations? These were some of the policy questions posed in one scenario of a tabletop exercise hosted by the Atlantic Council and Microsoft on May 31, 2016 at the Microsoft Center in Brussels, Belgium. Working in four teams, twenty-five senior experts from government, private sector, and the international community tackled simulated cyber crises impacting European networks. Participants represented organizations including NATO, Council of the European Union, CERT-EU, European Defense Agency, Federal Police of Belgium, Fujitsu, Dell, and Permanent Representations of the United States, Netherlands, and Latvia.

For each of the two scenarios presented, participants proposed and evaluated policies to mitigate the impacts of the cyberattacks on public safety, international security, and the economy. The teams explored appropriate responses from government, international organizations, and the private sector, discussed potential public reactions, and developed plans to prevent future attacks from occurring. In each scenario, participants thoughtfully balanced immediate and long-term impacts and goals. Public safety emerged as a clear priority, along with establishing robust communication channels and thoroughly investigating the origin and intent of the attacks. The teams effectively navigated the intricacies of coordinating efforts among governments and between the private and public sectors, coming up with carefully tailored leadership and delegation strategies for each scenario to ensure the best possible crisis management.

This simulation was unique and experimental in many ways. The scenarios presented to the teams involved a new, often neglected type of cybersecurity threat – one resulting from software vulnerabilities in networked devices and caused by nonstate actors or accidents, as opposed to the state-level cyber conflict scenarios more often examined in similar table top exercises. Furthermore, rather than being divided by sector, each team included representatives from governments, private companies, European organizations, and NATO. As such, the exercise had the effect of producing comprehensive policies that incorporated diverse perspectives, emphasizing interagency cooperation, and building new relationships between people from different sectors.

The importance of simulated table top exercises continues to grow, as global dependence on connected technology is increasing faster than the ability to prevent harm to human life and public safety. Cybersecurity failures could trigger events that destabilize entire economies and societies. The Atlantic Council hopes to hold more exercises in the future to prepare policymakers and practitioners to better mitigate the effects of cyber-crises when they hit, and to prevent many of them from happening in the first place.

Image: Suleyman Anil, head of Cyber Defense at NATO’s Emerging Security Challenges Division, together with Microsoft’s Jan Neutze and Atlantic Council’s Beau Woods brief the participants.