12 June 2019

NATO meets the cyber-threat: 19 minutes to react

Ştefan Oprea

Thirty years ago, on 2nd of November 2018, the internet faced its first major security attack. The MORRIS virus, even though it carried no dangerous content and was not launched with destructive intent, caused significant damage, blocking the activity of 10% of the internet servers existing at that time in the US and disrupting other activities. Even though this incident led to the creation, for the first time, of a counter-response to this type of action (the Computer Emergency Response Team/Coordination Center, CERT/CC), the world was never the same again.

The major cyber-attacks on Estonia in April 2007, and then the discovery of the STUXNET malware in October 2010, pushed policy makers throughout the world to realize that the cyber-threat had become an unsafe, dangerous field, which could only be controlled by the government. The cyber vandalism typical of the 90’s turned into a decade of cyber crime in the 2000’s, then took on characteristics of cyber-terrorism and, most recently, of cyber-warfare. The use of cyber tools to influence the electoral process and undermine trust in the democratic process is already considered an attack against democracy.

Because the threat landscape evolves extremely quickly after each cyber-attack, the survival of any company or organization can be called into question. As for the performance of the most important national and global actors in cyber-crime, the latest Global Threat Report, produced by the American company CrowdStrike, presents the “critical window” (the time available to start countermeasures): the interval between the moment an intruder compromises the first target and the moment that intruder enters other systems in the network. Based on 30.000 attempts to break into systems, which took place in 2018, it emerged that Russian state actors are the quickest adversaries ever, with a breakout time of 18.49 minutes. Next are the North Koreans with 2:20 hours, the Iranians with 5:10 and a majority with an average of 9.42 hours.

The agility of the well-known Russian groups shows that the threat from Russia remains unchanged: they are highly aggressive and risk-tolerant, because they have broken so many international norms and suffered so few consequences that they do not believe their actions will bring serious consequences.

NATO in this fluid and extremely vulnerable environment

As cyber-attacks become more and more frequent and affect not only the civil but also the military field, NATO is joining national governments in their effort to cultivate, develop and consolidate a stable and safe cyber-space, with cyber-defence included in the Alliance’s basic mission, which is collective defence.

At the 2002 NATO summit in Prague, the heads of state and government acknowledged the need to consolidate defence capabilities against cyber-attacks. Six years later, at the 2008 summit in Bucharest, a policy on cyber defence, and on developing the structures and authorities needed to carry it out, was adopted for the first time.

The 2014 NATO summit in Wales is another benchmark moment in achieving this goal. On this occasion, the Alliance oriented the provisions of Article 5 towards a new cyber defence policy, in which cyber space was seen as the new defence border. Under the agreement, a digital attack on a member state is covered by Article 5 of the treaty. The same provision also states that a “decision as to when a cyber-attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis”.

Reality demands that “we must be ready to be able to execute operations in cyber space. Besides protection and prevention, allies have decided that cyber defence is part of NATO's core task of collective defence, stating that a cyber attack could lead to calling on the collective defence clause (Article 5) of the NATO founding treaty”.

In a press release signed at the 2016 Warsaw summit, the Alliance’s heads of state and government officially recognized cyber space as an operational domain. This led NATO, for the first time since its creation, to add a fourth operational domain to the three already known: air, land and sea. From that moment, cyber space, although it cannot be geographically defined, is recognized and planned for in a similar way to the physical domains.

From this point of view, creating our own security cultures and intensifying intelligence security measures will help us be ready for a major cyber-attack, or resilient enough to survive a first strike of this type.

Even though the conceptual achievements are remarkable, the Alliance does not yet have basic rules to put them into practice. Unlike in wartime, when mistakes can be brought before the relevant authorities, there is currently no legal institution to decide who is the author of a cyber-attack; in addition, international agreements and legislation lack sufficient and clear provisions for cyber space. The lack of decision-making tools for readiness in such a situation is a challenge for the North Atlantic Alliance. As a solution, integrating national cyber capabilities into the Alliance’s operations, where possible and agreed, could help formalize the principles of cyber-war.

At the recent 2018 NATO summit in Brussels, although strategic, operational and technical progress in dealing with malicious cyber-activities was noted, the allied leaders warned that cyber-threats against the Alliance are becoming more and more frequent, complex, destructive and coercive. These continuous challenges require NATO to permanently evaluate the nature of the cyber-threats, as well as its own adaptation and response methods.

Although elements of cyber-security have long existed, the execution of operations in the cyber domain by the Alliance is unprecedented. NATO has clearly stated that it will not execute any offensive cyber operations under NATO’s aegis. But there is a caveat: when necessary, the common effort will incorporate the sovereign cyber-capabilities of the allies willing to offer them.

As for NATO’s commitment to defend the Alliance’s intelligence systems against cyber-attacks, a policy on cyber-defence was adopted, along with the continued development of the authorities and structures able to carry it out. The policy underlines the need for NATO and the nations to protect key intelligence systems in accordance with their responsibilities, to share best practices and to offer allied nations, on request, the capabilities needed to help them counter a cyber-attack.

Even though the Alliance does not have basic rules for doing so, a new NATO Command Center, able to deter cyber-attacks, will be operational by 2023.

Despite all these legislative shortcomings, the NATO Communications and Information Agency (NCIA), headquartered in Brussels, currently has around 1500 civilian and 1000 military staff (“cyber warriors”), with a 1-million-euro budget for 2019. This facility offers assistance in the anti-air defence field, training, operational analysis, intelligence information and services for hardware security.

The Cyberspace Operations Center (CYOC), recently founded within Supreme Headquarters Allied Powers Europe (SHAPE) in Mons, is hosting, until 2023, a team of 70 experts who track civil and military information in the cyber domain in real time. The purpose of these structures is to track, minute by minute, the condition of NATO’s communications systems, so that commanders can rely on them to ensure freedom of maneuver in all domains affected by hostile cyber-actions. Since its initial development phase, the center has fulfilled its main role, which is to manage the efforts of the many well-established elements already existing inside the command structure in executing cyber-defence operations.

It also serves as a component of the theatre of operations for NATO’s cyber-space and is responsible for providing information on the cyber situation, for the centralized planning of the cyber aspects of the Alliance’s missions and operations, and for coordinating operational concerns in cyber-space.

Operational activity is coordinated at NATO’s headquarters in Brussels, where many committees and councils provide governance solutions, doctrines and policies for the many operational efforts, including those in cyber space. Among them are the Military Committee, the Committee for Cyber Defence and the Administration Council for Cyber Defence. These entities establish the parameters and identify the roles and responsibilities for all cyber activities.

The responsibility for defending NATO in cyber space “as effectively as in the air, terrestrial and maritime environment” lies with the Supreme Allied Commander Europe (SACEUR).

The biggest challenge for this vision is that, although it is a military action, results cannot easily be achieved through military methods alone. All of the Alliance’s operations and missions depend to some degree on civil government or private industry, whether in the context of national infrastructure or with regard to communications, logistics, equipment or critical national infrastructures.

Because traditional military and civil objectives have already been subjected to cyber-attack, this will surely happen during crises and conflicts, as it has before. From this point of view, cyber-defence has not been exclusively the military’s responsibility; it has been assigned to public actors, from hacktivists to state intelligence services. Hence, what may be a military challenge is actually related to civil government, private industry and even individuals.

Along with this organizational adaptation, the allies agreed at the Brussels Summit on how to integrate sovereign cyber-contributions, voluntarily provided by the allies, into the Alliance’s operations and missions. This is entirely consistent with NATO’s defence mandate, because it aligns the way NATO defends itself in cyber-space with the way it does so in the other domains.

Addressing threats in cyber-space is also complicated by the significant activity that takes place below the armed conflict line, driven by the ease with which institutions can gain strategic advantages. From this perspective, determining an effective and proportional response to such cyber-activity is made harder by the diversity of the strategies adopted by the allies individually.

Complexity also comes from the fact that these challenges, with many interested parties and many actors involved in “grey-zone” actions, are intensified by the ever faster pace of technological change and the excessive increase in the number of system users. In these circumstances, the average level of vulnerability is increasing exponentially, and facing this type of threat demands intelligence, investment, human talent and technical capabilities.

In these circumstances, although NATO is often seen through its collective defence commitment based on Article 5 of the NATO Treaty, it has a significant history of commitments below the armed conflict line. The NATO Strategic Concept establishes three basic tasks, essential for the Alliance: collective defence, crisis management and security through cooperation. As it has done and continues to do today, NATO must keep exploring the best methods to get involved in cyber space, because even a cyber-attack below the “line” can be destructive, disruptive and destabilizing.

The role of nations and of the NATO-EU partnership in responding to cyber-attacks

Cyber activities carried out close to, or even below, the armed conflict line will remain a continuous challenge.

The adaptation of national governments under the cyber-defence commitment is based on Article 3 of the Washington Treaty, which provides that “…the Parties, separately and jointly, by means of continuous and effective self-help and mutual aid, will maintain and develop their individual and collective capacity to resist armed attack”. The impossibility of fully separating military, civil and industrial concerns in this space has led the allied nations to adopt a common approach to the cyber-defence commitment, encouraging intra-governmental collaboration among them.

Furthermore, alongside Articles 5 and 3, the allies also have Article 4, which allows them to consult whenever a member state considers that “the territorial integrity, political independence or security” is threatened.

In these circumstances, at the last summit in Brussels, the allies expressed their willingness on “using this range of capabilities, including the cyber ones, to deter, defend against and combat the entire spectrum of cyber-threats, including those developed as part of a hybrid campaign”. They also jointly decided to “continue to collaborate in order to elaborate measures that allow them to impose costs on those producing damage”.

In this respect, at the latest NATO meeting at chiefs-of-defence level, Germany joined the United States, Great Britain, Denmark, the Netherlands and Estonia in offering the Alliance offensive cyber capabilities. As with other military resources, the member states keep national control over their cyber capabilities and provide them to NATO when requested for missions and operations.

Complementing this, the EU already has penalty regimes for breaches of the nuclear and chemical weapons agreements. According to a proposal presented last year by Great Britain, the Netherlands, Estonia, Finland, Lithuania and Romania, leaders will discuss establishing a cyber penalty regime and widening the scope of measures against the people and organizations behind these attacks. Under the auspices of the Common Pledge on NATO-EU cooperation, as well as of a technical arrangement signed between the intervention teams of NATO and the EU, both organizations have intensified their collaboration, especially in fields like intelligence exchange, education, research and training through exercises.

These collaborations help NATO build trusted relations with industry and allow the parties to have better response and prevention methods against cyber-attacks. Finally, in the attempt to keep up with the changes this field is going through, collaboration with industry would benefit from intelligence exchange as well as from technology acquisition.

Translated by Andreea Soare