NATO plans to bolster its ability to respond to cyberattacks and cybercrime by developing tools that can deter attacks on critical military and civilian network infrastructure. NATO has identified a number of key areas for improvement. These include developing enhanced processes to detect, evaluate and respond to threats at all levels. Moreover, NATO aims to promote a significantly greater degree of information sharing between member states’ intelligence agencies to combat cyberthreats against military sites and critical civilian targets such as telecom networks and power grids.
The development of NATO defensive and offensive cyber weaponry is tasked to the Western alliance’s dedicated cyber unit, which forms part of NATO’s Supreme Headquarters Allied Powers Europe, or SHAPE. It plans to invest €71m (£61m) in improving the protection of NATO’s 32 main locations from cyber attacks.
In April 2017, NATO carried out the “Locked Shields” exercise, which the NATO Cooperative Cyber Defence Centre of Excellence, host of the annual event since 2010, describes as the largest international technical cyber defense exercise. Locked Shields is a scenario-based exercise aimed at training participating security experts to protect national IT infrastructure. This year’s scenario directs teams of security experts to defend the networks of a fictional country’s military air base when its electric power grid, drones, military command and control systems and operational infrastructure come under severe cyberattack. The exercise features about 800 participants from 25 different nations worldwide and also involves protecting several specialized IT systems, including a large-scale system that controls the power grid and a system used for military planning.
“Taking into consideration current key trends in cybersecurity, we are introducing even more specialized systems to the exercise,” said Aare Reintam, the technical director at the center. “This enables us to prepare cybersecurity experts to protect even better vital networks and systems that they are not working with on a regular basis.”
The urgency behind NATO’s deepening interest in cyber defense is driven by the increasing sophistication of cyberthreats against member states, according to Brig. Gen. Christos Athanasiadis, assistant chief of staff cyber at SHAPE. NATO reported earlier this year that its infrastructure came under threat from 500 cyberattacks monthly in 2016. The United States and other NATO states have become increasingly vocal about cyber-attacks launched from Russia, China and Iran, but officials say it remains hard to determine whether such attacks stem from government bodies or private groups. In recent conflicts, cyber attacks have formed part of hybrid warfare.
NATO officially recognized cyberspace as an operational domain of warfare, alongside air, sea and land, in July 2016. Recognizing cyber as an official domain of warfare will allow NATO to improve planning and better manage resources, training and personnel needs for cyber defense operations, said a NATO official speaking on condition of anonymity. NATO Secretary General Jens Stoltenberg elaborated: “[This] means that we will coordinate and organize our efforts to protect against cyber-attacks in a better and more efficient way. This is about developing our capabilities and ability to partly protect NATO cyber networks but also to help and assist nations in defending their cyber networks.”
A major cyber-attack could trigger a collective response by NATO, Secretary General Jens Stoltenberg said in an interview, as reported by Reuters. “A severe cyber-attack may be classified as a case for the alliance. Then NATO can and must react,” the newspaper quoted Stoltenberg as saying. “How, that will depend on the severity of the attack.” In 2014 the U.S.-led alliance assessed that cyber-attacks could potentially trigger NATO’s mutual defense guarantee, Article 5. That means NATO could potentially respond to a cyber-attack with conventional weapons, although the response would be decided by consensus.
In “Cyber, Extended Deterrence, and NATO,” Franklin D. Kramer, Robert J. Butler, and Catherine Lotrionte analyze NATO’s changing cyber threat landscape and the potential for expanded cyber hybrid action in the future, including ransomware used to hold NATO assets at risk, DDoS used to interrupt NATO command and control (C2) and interoperability, and the physical disabling of electrical power generation and communications.
The authors write: “The extended deterrence doctrine, if applied to cyberspace, could significantly ameliorate NATO’s cyber vulnerabilities and deficiencies at the national level.” In applying that doctrine to cyber defense, nations with greater capabilities would help less capable nations through the establishment, transfer, training, and support of key cyber capabilities.
Advancing Cyber Threats
“Over the last decade, there has been a continuing advancement of the cyber threat in both depth and breadth with the expansion of exploitation, disruption, and destruction activities. In an Internet-connected, net-centric world, military networks and key supporting critical infrastructures are now at significant risk from cyber intrusion.”
From a warfighting perspective, we have also seen the integration and synchronization of cyberspace capabilities as part of an adversary’s attack strategy leading up to and in conflict. This hybrid warfare approach of blending conventional, special operations and cyber operations capabilities is most evident in conflicts in Crimea, Syria, and Iraq, and foreshadows the type of warfighting challenge that NATO will face.
More direct attacks as part of hybrid warfare are also possible as cyber warfare integration enables adversaries to strike early and steal advantage through a variety of actions. These include the use of ransomware to hold NATO assets at risk, DDoS to interrupt NATO command and control (C2) and interoperability, and physical disabling of electrical power generation and communications rendering militaries ineffective and worse, threatening domestic public safety.
As Admiral Rogers has testified, if we cannot defend the infrastructure that undergirds our DoD bases and forces from foreign-based cyber threats, then our nation’s military capabilities are weakened and all our instruments of national power diminished. That leaves our leaders with a need for additional options to pursue short of open hostilities, and with fewer capabilities in an actual clash of arms. This raises risk for all by inviting instability and miscalculation.
The paper recommends that NATO provide extended deterrence to help less cyber-capable nations defend their military, telecommunications, and electric grid infrastructures and to increase NATO’s cyber capabilities as part of an integrated defense by:
- Creating “cyber framework nations” each of which would lead a cyber framework group and support national capabilities including the establishment, transfer, training, and support of necessary cyber capabilities; the United States would be the first cyber framework nation;
- Establishing operational partnerships, including at the national level, with key private entities, including ISPs and electrical grid operators; and
- Developing doctrine and capabilities to provide for the effective use of cyber in a conflict as part of NATO’s warfighting capabilities.
An Approach for Building New NATO Cyber Capability: the Cyber Framework Nation
The US National Institute of Standards and Technology (NIST) recently developed a national Cybersecurity Framework (CSF), which draws on best practices and international standards. The CSF has five functions: Identify, Protect, Detect, Respond, and Recover. A cyber framework nation can help provide highly scalable capabilities in each of these functions. These include:
- First, identifying the highest-priority national military cyber assets and supporting telecom and power grid networks that would need to be protected or employed in a response to a cyberattack by an adversary.
- Second, extending and enhancing automated intrusion protection and developing resilience efforts, starting with data classification and segmentation, for participating NATO member nations’ militaries, telecommunication companies, and electrical grids. This would utilize high-end protection capabilities, such as multi-factor authentication, end-to-end data encryption and diverse, redundant networks, to ensure best information assurance practices in data confidentiality, integrity, and availability.
- Third, increasing detection capabilities by provisioning shared cyber threat intelligence capabilities. A NATO cyber threat intelligence capability would develop and share cyber indications and warnings regarding the movement of high-end state cyber-threat activity towards NATO networks and information assets.
- Fourth, developing NATO cyber defense “playbooks” and training exercises for cyber-attack response, with tactics, techniques, and procedures (TTPs) designed to maximize the value of the defense and resilience capabilities noted above. National grid and telecommunications partners in the private sector would be included in the playbook TTPs and training exercises.
- Fifth, providing “fly away” cyber-warfare teams that give NATO member states “blue team” assistance to “operate in degraded environments,” recover, and support malware forensics. These would be complementary to NATO Cyber Response Teams.
Cyber Offensive Doctrine and Capabilities
NATO needs to develop doctrine and capabilities to provide for the effective use of cyberspace in a conflict as part of NATO’s warfighting capabilities. Cyber capabilities could serve as an asymmetric capacity and force multiplier of significant consequence for the defense of NATO nations. Adding offensive cyber capabilities to NATO’s force structure and response doctrine would increase its deterrent capabilities.
In a similar fashion to air campaign planning, prior analysis of targets, including the probability of collateral consequences, could be undertaken, enabling the development of cyber-attack “campaign packages” for commanders.
The paper’s recommendations aim to strengthen NATO’s cyber capabilities and incorporate them into wider Alliance defense strategies, laying out multinational and intergovernmental steps and exploring the role of the private sector.