Locked Shields

Financial industry at the heart of Nato cyber security exercise

Nato's Locked Shields exercise involved 2,000 players from 32 countries, including those from the financial services sector. (Photo: Shutterstock)

From 19 to 22 April, Nato conducted the large-scale cyber defence exercise Locked Shields, with participation from the financial industry and Luxembourg. The “live-fire” exercise illustrates the key role played by financial institutions in Nato’s cyber defence doctrine.

The Estonia-based Nato Cooperative Cyber Defence Centre of Excellence (CCDCOE) organised a large-scale “live-fire” cyber warfare exercise from 19 to 22 April. Called Locked Shields, the exercise aims to strengthen the skills of Nato and national experts in the defence of allied information systems and critical infrastructure against real-time cyber attacks.

Luxembourg participated in the exercise, represented in a Benelux team, notably by the national agency in charge of cybersecurity of the country’s economy and municipalities. In the 2021 edition of the exercise, reported having participated in a scenario where “participants had to deal with major disruptions of the financial system”.

As with the 2021 edition of Locked Shields, the financial industry was again represented this year by the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC, a consortium of financial institutions from nearly 70 countries, forms a global cyber intelligence sharing community focused on financial services. The FS-ISAC includes players representing a total of $100trn in assets.

Ahead of this year's Locked Shields exercise, FS-ISAC announced that it would be leading the financial services sector scenario.

“FS-ISAC has assembled a group of scenario planning experts consisting of five to ten financial institutions, such as Mastercard and Banco Santander,” Ray Irving, FS-ISAC’s managing director, told Delano’s sister publication Paperjam. “Member companies are involved on a voluntary basis. They dedicate their time and resources to ensure that the sector actively participates in exercises such as Locked Shields to build and improve the resilience of the sector and, indeed, the global economy.”

Public-private cooperation

In this way, the FS-ISAC develops Locked Shields scenarios that affect the financial sector, “both in terms of the design of virtualised financial systems and the use of current tactics, techniques and procedures of threat actors.”

“Cross-border, cross-industry and public-private exercises such as Locked Shields help build muscle memory to respond to attacks, which increases cyber resilience at the corporate, sector, national and international levels,” said Irving. “Not only do they reflect the complexity of the real world, but they help build the relationships necessary for a coordinated response in the event of a real, large-scale attack.”

Locked Shields is currently the world’s largest and most complex international “live-fire” cyber defence exercise. It involves nearly 2,000 participants from 32 countries, with more than 5,000 virtualised systems subjected to over 8,000 attacks.

In addition to securing their information systems, participants are also assessed on their ability to report incidents, make strategic decisions and solve forensic, legal and media-related problems. “Given the interdependencies of the global economy, it is essential to collaborate and practice cyber defence and incident response across all critical sectors, as well as between the public and private sectors,” said the FS-ISAC Director General.

It is not surprising to find the financial industry included in Nato's cyber defence doctrine. The transatlantic organisation’s defence measures include both military and non-military tools. This notion is also reflected in the CCDCOE’s Strategic Outlook for Cyberspace to 2030. “Traditional military and non-military instruments of state power can be used to deter cyber attacks, including diplomatic/political, military/intelligence, information, economic, financial, security and defence instruments,” the document says.

Ukraine, a CCDCOE participating country

Based on UN General Assembly Resolution 58/199 of 2003, which includes banking and financial services in the list of critical infrastructure, Nato's cyber defence commitment states that “allies will develop the fullest range of capabilities to defend their national infrastructure and networks.”

In its Outlook to 2030, the CCDCOE highlights China’s cyber attack capabilities, including targeting financial systems. “The US has described China as targeting organisations in sectors ranging from healthcare to manufacturing, telecommunications and financial services,” the paper says. It adds that “China will also attack vital financial assets through artificial intelligence-based malware and ransomware.”

Although China features prominently in the CCDCOE’s strategic vision, the focus is currently on Russia. Following the CCDCOE’s decision on 4 March to welcome Ukraine as a contributing participant, Telegram channels disseminated a mapping of the CCDCOE’s participating personnel environment. A list of staff CVs was also circulated. When contacted, the CCDCOE did not respond. In the middle of the Locked Shields exercise and at the time of writing, the CCDCOE website was offline, displaying only an archive version.

This story was first published in French by Paperjam. It has been translated and edited for Delano.