Over the last ten days, more than a thousand senior government, military, academy and industry leaders gathered in Tallinn, Estonia, to discuss cyber power and cyber resilience.
Last week NATO CCD COE organized its annual CyCon conference, and this week NATO Communications and Information Agency and AFCEA Europe in cooperation with the Estonian Ministry of Defence held its annual industry conference. The events featured Commander of the United States Cyber Command and Director of the National Security Agency Admiral Michael Rogers, Estonian president Toomas Henrik Ilves, Estonian Minister of Defence Hannes Hanso, Czech Minister of Defence Martin Stropnicky, as well as many senior officials and officers from NATO. Also renowned cyber conflict theorists and experts like Thomas Rid, Martin Libicki, Jason Healey, Melissa Hathaway spoke in Tallinn.
At CyCon many agreed that after the Warsaw Summit the future of the NATO’s cyber defence deserves a rigorous debate. Several speakers were frank about the need to recognize cyberspace as a warfighting domain and believed that NATO will do so at the Summit. There was also a consensus that this implies conceptual, doctrinal, functional, and organizational transformations. Ambassador Sorin Ducaru, NATO’s Assistant Secretary General, underlined that NATO does deterrence and defence, and it is not going to engage in a “warfare business”. Destructive cyberattacks can trigger an Article 5 response (including kinetic response), however, NATO’s mandate in cyberspace is defensive – its priority is to protect its own networks and assist allies under cyberattack. Because NATO will not develop offensive capabilities of its own, it does not need to establish a cyber command (whether as a standalone entity or as part of a joint forces), at least not immediately, argued several speakers. However, allied countries have set up cyber commands at national level and have created cyber reserve forces.
Estonia, for example, established a Cyber Unit of the Estonian Defence League, a voluntary paramilitary organization that includes IT specialists, lawyers, economists and other professionals, six years ago. The unit is trained to enhance support capabilities in the event of a crisis. In addition, Estonia is integrating cyber defence into a compulsory military service (non-NATO nation Finland has also done so), and in the next few months, it plans to establish a cyber command.
If NATO rules out “active hunting” outside its own networks, ensuring mission assurance is questionable. For example, the US Cyber Command employs offensive cyber means against the ISIS. The Alliance could potentially profit from the use of offensive capabilities of the member states in support of its missions and operations. That presupposes a political decision and it is not clear how the command structure would look like.
At CyCon, Thomas Rid, the author of “Cyberwar will not take place” and “Rise of the Machines”, upheld that in cyberspace partial deterrence can be possible. Jason Healey states that past cyber conflicts demonstrate that deterrence does function in cyberspace. Further, it is a common knowledge that no system or network is totally secure from hacking which makes deterrence by denial questionable. Deterrence depends on perception of capabilities, but offensive cyber capabilities are not displayed. For deterrence to work, allies must show that they are ready to use any means, including offensive cyber capabilities and conventional weapons.
In terms of military capabilities, NATO must ensure interoperability of deployment forces (NRF, VJTH, NFIU) from day zero (“plug and play”). Allied countries are integrating cyber aspects into defence planning. Cyber operations will have to be integrated with other military operations. Major General James Hockenhull, Director of the Cyber, Intelligence and Information Integration, UK Ministry of Defence, said that UK has merged cyber, intelligence, electronic warfare into a joint group. Likewise, Russia and China regard cyberattacks as part of a broader information war. Russia’s military actions in Eastern Ukraine showed that cyber has become converged with electronic warfare, intelligence, surveillance and reconnaissance, noted Keir Giles from Chatham House at CyCon.
It is clear that NATO needs to develop solutions to improve interoperability and situational awareness. Cyber is a politically sensitive issue and it is difficult to reach consensus among 28 nations. The development of common capabilities depends on political support and resources, but it is not clear how far the allied countries are willing to go. On a positive note, everyone at CyCon seemed to have a clear view of where NATO needs to go, but the question is how.
According to Frank Boland, NATO Defence Policy and Planning Directorate, the Alliance should engage in new non-military areas. Indeed, NATO has identified seven areas of resilience as core elements of collective defence: telecommunication networks, transportation systems, energy supplies and continuity of government, among others. Even though cyber resilience is national responsibility, the Alliance should provide the means to facilitate national efforts. To improve cyber resilience, nations must invest more in national capacities and develop right types of capabilities through NATO Defence Planning Process. NATO can assist allies and partners by creating cyber threat assessment and support teams. In addition, the United States should become one of the framework nations assisting less mature allies and partners in fostering their cyber resilience. In the deployed environment, operational partnerships should be established. As military operations depend on telecommunications, transportation systems and electric grids, fostering partnership with industry is critical. Militaries should also drill regularly how to function “off the grid”.
Finally, awareness, education and training of senior decision makers and workforce at all levels are essential. Since cyber threats evolve quickly, intelligence and information sharing, as well as training, needs to be done regularly and continuously (versus ad hoc). Kevin Mandia, President and Board Director of FireEye, stated at CyCon that the only way to prepare for cyberattacks is by simulations that make it possible to evaluate how well the organization will respond. NATO and EU member states have launched national cyber ranges or labs – virtual environments where attacks can be simulated in realistic settings – and NATO is preparing to approve at the Warsaw Summit a capability package for NATO cyber range. Cyber ranges enable gathering best practices, testing new technology, and feeding lessons learned into capability planning. They boost innovation and serve as cooperation platforms with industry, partners and international organizations.
As Admiral Michael Rogers noted in Tallinn, artificial intelligence, machine learning and big data will be game changers in future military affairs. NATO needs not only to move faster in order to cope with the present challenges, but also to start thinking about tomorrow’s threats.