Estonia is a perfect location for NATO’s cyber education and training. The location of the Alliance’s cyber training field in Estonia sends a clear signal that NATO takes seriously its role in defending against kinetic and cyber attacks alike.
In light of next week’s NATO Summit in Cardiff, Wales (4-5 September) security experts have suggested steps for NATO to show that it takes its role in cyber defence seriously. Jarno Limnéll, director of cybersecurity at McAfee, believes NATO should define the types of cyber attacks that would call for a collective response under the collective defence clause of the North Atlantic Treaty, Article 5. Others agree that NATO should define exactly which events constitute cyber attacks under Article 5 and how both the alliance and individual member countries would respond. Two other challenges for NATO to which Limnéll correctly points are: the huge discrepancies among the cyber capabilities of NATO nations and the need to integrate cyber capabilities with other military activities. This article will elaborate on some actions that could catalyse and facilitate the advancement of NATO’s cyber defence posture.
As a political and military alliance, NATO’s mission is to ensure the security of its members by executing its core tasks: collective defence and deterrence, crisis management, and cooperative security through partnerships, as well as arms control, non-proliferation, and enlargement. According to the latest NATO Cyber Defence Policy, approved by NATO defence ministers in June, cyber defence is part of collective defence. The priority areas of the enhanced cyber defence policy are: streamlining NATO’s cyber defence structures, defining capability targets for Allies through NATO’s Defence Planning Process (NDPP), improving information sharing, and setting up procedures for assistance to NATO nations. According to Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges, national cyber capability targets within NDPP are going to be developed by 2016.[1] The policy further commits the Alliance to continue identifying dependencies of NATO assets on national networks and developing principles, criteria, and mechanisms (including common minimum security standards) to ensure an appropriate level of security among Allies.
With this enhanced policy, NATO is prioritizing the development of multinational Smart Defence projects involving cyber defence, early-warning systems and contingency operational plans, enhancing information and intelligence sharing, as well as education, training and exercise efforts, and engagement with industries and international partners. NATO is also planning to use commercial cloud storage for less sensitive data, plans that will require close cooperation with industry.[2]
A welcome step is that NATO will integrate cyber defence elements into military exercises. In June 2014 NATO approved the Estonian proposal to create a NATO Cyber Range in Tallinn that will be used as the Alliance’s main cyber defence training field. A report by the Atlantic Council applauds the creation of the NATO Cyber Range as an important signal of NATO’s seriousness with regard to cyber defence. The training field enables Allies to test and exercise their cyber capabilities within a NATO structure, to feed lessons learned and new concepts into the Alliance, and to ensure that cyber experts across the Alliance share the same levels of expertise. Last year the range hosted NATO’s largest cyber defence exercise, Cyber Coalition 2013, and the NATO Cyber Defence Centre of Excellence (CCD COE) exercise Locked Shields.
A way forward
First, as Limnéll advises, NATO needs to work on integrating cyber into military defence and civil emergency planning processes while improving the interoperability of Allies’ cyber capabilities. In NATO’s view, cyber defence encompasses – in addition to the protection of NATO organisations, infrastructures, and operations – the cyber security of its members. This means that Allies are able to invoke Article 5 in case of a cyber attack with effects comparable to those of an armed attack. Concerning cyber defence as collective defence, NATO must clarify what the Article 5 commitment means in practice: what are the strategic implications of cyber attacks? How can the problem of attribution be solved? What are the criteria when a cyber attack qualifies as equivalent to an armed attack? Under what circumstances will Allies help others – for example does damage to or disruption of private critical networks resulting in serious effects obligate a collective response?
Operational planning both for Article 5 and non-Article 5 events must be adjusted to the reality of hybrid warfare that employs a wide range of cyber related tools such as distributed denial of service (DDoS) attacks, information and disinformation operations, and cyber espionage. In order to respond to these new techniques, realistic scenarios and practical ways for assistance to a member state need to be devised. Clear and tested procedures and mechanisms, as well as political consensus to apply them, should be in place to avoid a delayed collective response.
Regarding operational planning, a full spectrum of cyber capabilities must be included in the scenarios. Civil emergency and military operational plans must clarify which capabilities NATO nations are prepared to make available to NATO. On top of that the Alliance must ensure enough capabilities to help members under attack while responding to a simultaneous strike on NATO civilian or military infrastructure. Two rapid response teams of the NATO Computer Incident Response Capability, consisting of a permanent core of six specialised experts, may be inadequate for that. While NATO does not have a mandate to command and control civilian authorities, and owners and operators of critical infrastructure from the private sector, it must have clear procedures on how to comprehensively manage a major cyber attack response involving numerous civilian government and private entities.
It goes without saying that intelligence and information sharing, joint situational awareness, early-warning, analysis of vulnerabilities and malware, as well as forensic capabilities that are able to protect both NATO and NATO nations’ networks should be fostered. In order to facilitate sensitive information sharing among Allies and with industry, secured anonymised/aggregated (in contrast to certain and detailed) information exchange portals with standardised information-sharing formats could be developed. In addition to sharing technical data among all members, limited trusted information sharing could also be worked out involving some of the members.
The Alliance should also consider how to encourage its members to invest in their cyber capabilities and how to pool resources to assist other members and NATO under cyber attack. It will be difficult to attain the agreement of all 28 Allies regarding common funding beyond NATO’s own networks and nodes for the development of joint cyber capabilities and the acquisition of common assets (e.g. hardware and software). The larger nations, which have invested heavily in cyber capabilities and in absolute terms contribute the most to NATO’s budget, worry about the cost of new capabilities and unequal burden-sharing. Besides, the European members are reluctant to further strain their defence budgets (only three of NATO’s European members, the UK, Greece and Estonia, fulfil the requirement to spend 2% of gross domestic product on overall defence).
However, pooling and sharing is feasible among “coalitions of the willing” that jointly fund development of multinational capabilities. Advanced NATO nations could make their capabilities available for NATO’s use in order to back up its capabilities. With the Framework Nation concept, participating countries agree on which will provide which kinds of capabilities. The larger, “framework” nation provides the basic infrastructure, while smaller nations contribute niche capabilities. In that way a smaller group of nations can pool their resources, thereby making the resulting capabilities available to others. A good example is a Smart Defence initiative, the Multinational Cyber Defence Capability Development Project[3] (MNCD2), which aims to enhance joint tactical and operational situational awareness of participating nations. The project will provide a Cyber Information and Incident Coordination System for NATO’s Cyber Coalition 2014 exercise. Likewise, Estonia’s offer to use its Defence Forces cyber range for training and exercises for all NATO nations paves the way for the common use of national assets.
Military capabilities depend greatly on information and communication technologies that are largely privately owned. In order to map NATO’s dependencies on national critical infrastructures, partnership with commercial entities should include gaining access to the competencies of the private sector, which possesses the majority of state-of-the-art cyber expertise and capabilities, and securing supply chain management and procurement processes. Exchanges with the EU – which has significant expertise in public-private partnerships and in critical infrastructure resilience – would be essential.
A cyber force is only as good as its members. It is alarming that, according to Jamie Shea, NATO currently has only about one-third of the cyber capabilities it needs, relying instead to a certain degree on benevolent “white hat” hackers.[4] In addition to the lack of highly skilled cyber professionals in the military, too many NATO nations still lack cyber security policies and strategies, not to speak of military doctrines, as well as basic threat information. Smaller member states tend to have particular difficulties in staffing their Computer Emergency Response Teams. Currently only 14 NATO nations have established some type of cyber defence capability in their armed forces. In partnership with the EU, NATO should support the policy development of NATO nations, while NATO nations should take greater advantage of the education, training, and R&D opportunities provided by the CCD COE. Efficient dialogue with the EU is also needed to avoid duplication of efforts, consolidate crisis management procedures, advance mutual information sharing and incident reporting, and conduct joint training and exercises involving representatives of academia, civilian authorities, and the private sector.
NATO can benefit from EU competencies also in terms of the protection of critical infrastructure. In this respect, NATO needs to think about how to encourage its members to improve the security of national critical infrastructure on which it depends (e.g. setting up common standards to ensure the uniform level of security, disseminating best practices, etc.) and what could be done to help an Ally experiencing a cyber attack causing serious damage to its private critical infrastructure. A comprehensive approach to cyber defence across policy and strategy, military and civil emergency planning and capability development, training and exercises, which feeds back to the decision-making processes, is needed. This approach encompasses all relevant actors from military and civilian sides against the full range of cyber attacks.
In order to enable military operational planning for defensive (and perhaps offensive) operations, NATO should consider the development of cyber warfare doctrine and the establishment of a joint cyber command under the Supreme Allied Commander Europe. Concerns about the legality of an offensive action in cyberspace aside, while NATO does not have an offensive cyber capability, individual members’ capabilities could be used under Article 5 circumstances.
Finally, NATO’s strategic- and operational-level decision-making structures must be supported with uncomplicated cyber expertise (e.g. using visualisation tools that help to convey technical information to a non-specialist audience) and lessons learned from cyber exercises. To enhance common understanding of decision-makers and treat cyber security as strategic, not a technical issue, NATO’s cyber defence posture should be regularly and frequently discussed at strategic-level decision-making sessions. The first ever meeting of defence ministers on cyber defence took place as late as in June 2013. While there is little information on the agenda of the North Atlantic Council sessions, it has discussed cyber defence at least once, on 9 May 2014.
In Cardiff NATO is planning to announce the establishment of a Trust Fund to finance Ukraine’s efforts to improve its cyber defences. Separately, the Alliance will also release a Readiness Action Plan – consisting of “the pre-positioning of supplies, of equipment, preparation of infrastructure, bases, headquarters” – that aims to increase NATO’s visibility along its Eastern borders. The establishment of NATO’s Cyber Range in Estonia increases NATO’s visibility without much financial cost and political harm. The CCD COE (which aims to enhance education, awareness, and training and improve the interoperability of NATO) has been located in Tallinn since its accreditation by NATO in 2008. Last year, Estonia hosted the Cyber Coalition for the first time, and it will also host the exercise this year. Conveniently, the NATO Strategic Communications Centre of Excellence is located only 300 km to the south of Tallinn in the Latvian capital of Riga. As Atlantic Council’s security experts have rightly pointed out, setting up NATO’s cyber training centre in Estonia sends a clear signal that NATO takes seriously its role in defending against kinetic and cyber attacks alike. Estonia is a perfect location for NATO’s cyber education and training.
______
[1] Jamie Shea, “NATO’s New Cyber Defence Policy”, remarks delivered at the International Conference on Cyber Conflict, Tallinn, Estonia, 3 June 2014.
[2] Brooks Tigner, “NATO looks to stand up collective cyber defence”, Jane’s Defence Weekly, 20 September 2013.
[3] The MNCD2 participating countries are Canada, Denmark, Norway, Romania, and the Netherlands. The project aims to facilitate sharing sensitive information, improve situational awareness and the ability to detect malicious activity.
[4] Brooks Tigner, “NATO officials warn of personnel gap in their cyber defences”, Jane’s Defence Weekly, 18 November 2013.