NATO has accused Russia, Iran and North Korea, among others, of carrying out cyber attacks against the US and Europe with increasing frequency and sophistication, although all of them have denied and continue to deny the accusations. In April 2018 the US and UK issued a joint warning about Russian activity and the impact it could have on governments, businesses and even personal home networks. The chief executive of the UK’s National Cyber Security Centre, Ciaran Martin, said Russia was trying to access routers in homes and small businesses, calling this “a very significant moment as we hold Russia to account and we improve our cyber defences at the same time.”
Hackers “aligned with Russian security interests” have been engaged in a sustained campaign to compromise news websites in Poland and Lithuania and plant false stories aimed at discrediting NATO, according to a report published in August 2020. Part of the campaign, labelled “Ghostwriter”, involved gaining access to the news sites’ publishing systems, deleting stories and replacing them with fabricated articles that sought to delegitimise the transatlantic alliance. Emails purporting to come from a local news service, with links to the doctored articles, were then sent to other media outlets and public institutions to spread the fakes and lend them further credibility. John Hultquist, senior director of intelligence analysis at Mandiant, said: “The method of hacking media sites to push fabricated narratives is a powerful one,” and added that he expected it to recur in Europe and the US “as a means to alter perception there”.
A new joint effort by NATO members, the European Union, Australia, New Zealand and Japan will call out and confront the threat posed by Chinese state-sponsored cyberattacks. The nations will share intelligence on cyberthreats and collaborate on network defenses and security, said a senior Biden administration official.
The North Atlantic Treaty Organization is an alliance of European and North American countries formed after World War II as a bulwark against Russian aggression, as The Associated Press puts it. Its 12 original members were Belgium, Canada, Denmark, France, Iceland, Italy, Luxembourg, the Netherlands, Norway, Portugal, the United Kingdom and the United States. According to the BBC it now has 30 members, made up of European countries plus the US and Canada.
The military alliance, long known for its anti-Russian stance, is now focusing on China too. The new Brussels communique states plainly that the NATO nations “will engage China with a view to defending the security interests of the alliance.” At Biden’s urging, NATO leaders agreed to work together against the “systemic challenges” posed by China’s aggressive policies as the alliance fleshed out its nascent approach to Beijing. China’s increasingly assertive actions in building a nuclear arsenal as well as space and cyber warfare capabilities threaten the international order, they said in a statement.
The group will publicly blame China’s Ministry of State Security for the mass exploitation of Microsoft Exchange email servers earlier in 2021. The Exchange server attack became public in March 2021 and is believed to have hit at least 30,000 American organizations and hundreds of thousands more worldwide. In July 2021 the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency released a joint advisory listing 50 tactics, techniques and procedures (TTPs) that Chinese state-sponsored actors employ.
For now, the multinational cybersecurity effort is focused on cooperative security and threat alerts, and not on retaliation. The White House has raised the Microsoft attacks with senior members of the Chinese government, “making clear that the [People’s Republic of China] actions threaten security, confidence, and stability in cyberspace,” said the senior official.
Cyber Warfare as Part of Hybrid Warfare
In recent conflicts, cyber attacks have been one component of hybrid warfare rather than a stand-alone activity, used alongside conventional, special operations and information activities.
At the beginning of 2017, NATO Secretary General Jens Stoltenberg said the alliance was experiencing an increasing number of state-sponsored cyberattacks, a monthly average of 500 in 2016, “an increase of 60% compared to 2015.” “Over the last decade, there has been a continuing advancement of the cyber threat in both depth and breadth with the expansion of exploitation, disruption, and destruction activities. In an Internet-connected, net-centric world, military networks and key supporting critical infrastructures are now at significant risk from cyber intrusion.”
From a warfighting perspective, we have also seen the integration and synchronization of cyberspace capabilities as part of an adversary’s attack strategy in the run-up to and during conflict. This hybrid warfare approach of blending conventional, special operations and cyber capabilities is most evident in the conflicts in Crimea, Syria and Iraq, and foreshadows the type of warfighting challenge that NATO will face.
More direct attacks as part of hybrid warfare are also possible, because integrating cyber operations lets an adversary strike early and seize the advantage through a variety of actions. These include using ransomware to hold NATO assets at risk, DDoS to interrupt NATO command and control (C2) and interoperability, and physically disabling electrical power generation and communications, rendering militaries ineffective and, worse, threatening domestic public safety.
As Admiral Rogers has testified, if we cannot defend the infrastructure that undergirds our DoD bases and forces from foreign-based cyber threats, then our nation’s military capabilities are weakened and all our instruments of national power diminished. That leaves our leaders with a need for additional options to pursue short of open hostilities, and with fewer capabilities in an actual clash of arms. This raises risk for all by inviting instability and miscalculation.
NATO Security Measures
NATO is doubling down on cyberspace defense with increased partnerships and new technology thrusts. Information exchanges on threats and solutions, coupled with research into exotic capabilities such as artificial intelligence, are part of alliance efforts to secure its own networks and aid allies in the cybersecurity fight.
NATO has put in place a means of information sharing through which the alliance can build an “ecosystem” that shares cyber incident information at a technical level. Christian-Marc Lifländer, who heads cyber defense policy work at NATO headquarters, emphasizes that NATO is providing the platform that boosts sharing among participants; this will benefit both NATO and its member nations, he adds. Another key cybersecurity thrust, Lifländer continues, is to understand new and emerging technologies better. The alliance wants to harness the capabilities of artificial intelligence (AI) for network defense, for example, an effort aimed at helping both NATO and allies’ networks. Several proofs of concept have already been conducted to improve and expand AI capabilities and algorithms.
A sense of urgency is needed for future cybersecurity development, Lifländer says. “We cannot afford to stand still,” he declares, adding that even standing still would require hard running. Moving ahead requires a better understanding of how the technology operates, improving the alliance’s governance structures, looking at how cyber defense is resourced and technology is acquired, and rethinking the way talent is recruited and developed. Cyber goes beyond being a tactical challenge, he emphasizes. “It is an operational challenge, a strategic challenge.”
He continues that NATO must establish strategies that go beyond basic security measures. Lifländer advocates strategies that signal to cyber marauders that there are thresholds they should not attempt to cross and systems they should not attempt to breach, and that impose costs on them should they act in a way that is deemed unacceptable. Such measures will be necessary to maintain a degree of stability in cyberspace.
NATO Cyber Policy
In July 2016 NATO officially recognized cyberspace as an operational domain of warfare, alongside air, sea and land. Recognizing cyber as an official domain will allow NATO to improve planning and better manage resources, training and personnel needs for cyber defense operations, said a NATO official speaking on condition of anonymity. NATO Secretary General Jens Stoltenberg elaborated: “[This] means that we will coordinate and organize our efforts to protect against cyber-attacks in a better and more efficient way. This is about developing our capabilities and ability to partly protect NATO cyber networks but also to help and assist nations in defending their cyber networks.”
In 2014 the U.S.-led alliance assessed that a cyber-attack could potentially trigger NATO’s mutual defense guarantee, Article 5. That means NATO could in principle respond to a cyber-attack with conventional weapons, although any response would be decided by consensus. A major cyber-attack could trigger a collective response by NATO, Secretary General Jens Stoltenberg said in a newspaper interview reported by Reuters. “A severe cyber-attack may be classified as a case for the alliance. Then NATO can and must react,” the newspaper quoted Stoltenberg as saying. “How, that will depend on the severity of the attack. But NATO’s response could include diplomatic or economic sanctions, a digital counter attack, or even conventional force, depending on the nature and consequences of the attack. NATO will always follow the principle of restraint and act in accordance with international law.”
The urgency behind NATO’s deepening interest in cyber defense is driven by the increasing sophistication of cyberthreats against member states, according to Brig. Gen. Christos Athanasiadis, assistant chief of staff cyber at SHAPE. NATO reported in early 2017 that its infrastructure had come under threat from 500 cyberattacks a month during 2016.
NATO Cyberspace Operations
The alliance is also adding two new joint force commands, one for the Atlantic and the other to support military mobility in Europe. The Atlantic command, which the United States will head, will help protect the vital undersea lines of communication between North America and Europe. NATO’s defense ministers approved the command expansion on February 14, 2018. Stoltenberg stressed that these steps were necessary to ensure that the alliance is fit for the challenges it faces.
“The threat emanating from Russia, out-of-area operations and concerns about the alliance’s southern flank mean NATO must respond,” Stoltenberg said. “We will have an increased focus on maritime, logistics and movement, situational awareness and cyber defense so that our forces can be in the right place, at the right time, with the right equipment. These decisions will make NATO stronger and more agile to protect our almost 1 billion citizens.”
According to a NATO International Military Staff working document of 15 March 2018, the Alliance’s cyberspace operations fall into four categories:
- Communication and Information Systems (CIS) Infrastructure Operations (passive measures of prevention, protection, and recovery)
- Defensive Cyberspace Operations (active measures of detection and reaction)
- Intelligence, Surveillance, Reconnaissance (non-intrusive and intrusive intelligence collection; operational preparation of the environment)
- Offensive Cyberspace Operations (denial and manipulation operations, operational preparation of the environment).
Defensive cyberspace operations can be executed in the networks of adversaries (“red networks”) and of third parties (“grey networks”). Offensive cyberspace operations create “first-order effects in cyberspace to initiate carefully controlled cascading effects into the physical domains to affect weapon systems, C2 [Command and Control] processes, logistics nodes, high-value targets, etc.” In contrast, although ISR cyberspace operations also normally require intrusions into grey and red networks, their purpose is not to achieve cyber effects but to collect intelligence.
Cyber Command Center
The term “cyber command” generally denotes a standalone command structure, branch or service of the armed forces that directs and controls the four categories of cyberspace operations described above.
A new NATO military command center to deter computer hackers should be fully staffed in 2023 and able to mount its own cyber attacks. When fully operational, the cyber center aims to coordinate NATO’s cyber deterrent through a 70-strong team of experts fed with military intelligence and real-time information about attackers ranging from Islamist militants to organized crime groups operating on behalf of hostile governments. The center could potentially use cyber weapons that can knock out enemy missiles or air defenses, or destroy an adversary’s computer networks, if commanders judge such a cyber attack to be less harmful to human life than a traditional offensive with live weaponry.
A forthcoming Cyber Operations Center will incorporate cyber warfare into NATO’s defense operations. In addition, NATO’s Cooperative Cyber Defence Centre of Excellence is boosting the organization’s cybersecurity-related research, exercises and instruction to meet the seemingly unending threats.
The new cyber center will be an operational complement to NATO’s Tallinn, Estonia-based Cooperative Cyber Defence Centre of Excellence (CCDCOE), which has been a hub for NATO’s cyber defense alongside the alliance’s network operations center and computer emergency response teams (CERTs). The CCDCOE combines cyber technology, strategy, operations and law expertise to provide “a 360-degree look at cyber defense,” according to the agency. “Our ultimate aim is to be completely aware of our cyberspace, to understand minute-by-minute the state of our networks so that commanders can rely on them,” said Ian West, chief of cyber security at the NATO communication agency.
NATO has two cyber rapid-reaction teams on standby around the clock, ready to respond within 48 hours. Their tools are fast computers loaded with vulnerability-analysis code, forensic software and specialised database-management tools.
Cyber Offensive Doctrine and Capabilities
Amid digital attacks that have not only rocked countries around the globe but also targeted alliance forces, NATO is sharpening its resolve to serve as a cyber protector. NATO plans to bolster its ability to respond to cyberattacks and cybercrime by developing tools that can deter attacks on critical military and civilian network infrastructure. NATO has identified a number of key areas for improvement. These include developing enhanced processes to detect, evaluate and respond to threats at all levels. Moreover, NATO aims to promote a greater degree of information sharing between member states’ intelligence agencies to combat cyberthreats against military sites and critical civilian targets such as telecom networks and power grids.
NATO needs to develop doctrine and capabilities to provide for the effective use of cyberspace in a conflict as part of NATO’s warfighting capabilities. Cyber capabilities have the prospect of being an asymmetric capacity and force multiplier that could be of important consequence to the defense of NATO nations. Adding offensive cyber capabilities to NATO’s force structure and response doctrine will increase its deterrent capabilities.
In a similar fashion to air campaign planning, prior analysis of targets, including the probability of collateral consequences could be undertaken, enabling the development of cyber-attack “campaign packages” for commanders.
The development of NATO defensive and offensive cyber weaponry is tasked to the Western alliance’s dedicated cyber unit, which forms part of NATO’s Supreme Headquarters Allied Powers Europe, or SHAPE. It plans to invest €71m (£61m) to improve the protection of NATO’s 32 main locations from cyber attacks.
At the 2016 Warsaw Summit NATO leaders pledged to invest more in cyber defense. Since then, almost every Ally has upgraded its cyber defenses, and countries like France, Britain and the United States are investing heavily in theirs. NATO is helping all Allies to work together, to pool their knowledge and to help each other.
NATO shares information about technological threats in real time, as it did with the EU, nations and private companies during the WannaCry attack. National cyber capabilities are being integrated into NATO planning and operations. Cyber Rapid Reaction teams are on standby to assist Allies 24 hours a day, while exercises, research and training are led by the NATO Cooperative Cyber Defence Centre of Excellence.
A policy paper on extending NATO deterrence into cyberspace recommends that NATO provide extended deterrence to help less cyber-capable nations defend their military, telecommunications and electric grid infrastructures, and that it increase its own cyber capabilities as part of an integrated defense by:
- Creating “cyber framework nations” each of which would lead a cyber framework group and support national capabilities including the establishment, transfer, training, and support of necessary cyber capabilities; the United States would be the first cyber framework nation;
- Establishing operational partnerships, including at the national level, with key private entities, including ISPs and electrical grid operators; and
- Developing doctrine and capabilities to provide for the effective use of cyber in a conflict as part of NATO’s warfighting capabilities.
Locked Shields 2018, the world’s largest and most complex international live-fire cyber-defence exercise, was completed in April 2018 in Tallinn under the auspices of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) and featured 22 Blue Teams, including teams from NATO and the EU. That year’s exercise highlighted the growing need to enhance dialogue between technical experts and decision-makers. CCDCOE integrated the technical and strategic game, enabling participating nations to practice the entire chain of command in the event of a severe cyber-incident involving both civilian and military players. Reflecting the cyber-threats of most current concern, the exercise addressed critical information infrastructure protection. The NATO team won the overall competition, with the French and Czech teams taking second and third place respectively.
NATO’s biggest cyber warfare exercise, an electronic defensive drill named Cyber Coalition 2018, took place in Tartu, Estonia. The three-day exercise simulated a support operation for a fictional East African country that comes under electronic attack from a hostile state just as it is holding elections. The scenario describes malware infecting a water treatment plant to contaminate drinking supplies and an attack on the railway network that diverts trains carrying NATO troops meant to be guarding polling stations.
It also tested how offensive cyber weapons, made available by some NATO members, might be used as part of the alliance’s response. The U.S., Britain, Denmark, Estonia and the Netherlands have all pledged to offer their cyber weapons for NATO operations if requested, on the reasoning that aggressors could be deterred if they knew they would be counterattacked. But Lewis said deploying cyber weapons carries the same risks as real-world arms. Consideration must be given to the risk of “collateral damage,” he said, and the commanders in the exercise stopped short of actually deploying them.
An Approach for Building New NATO Cyber Capability–the Cyber Framework Nation
The US National Institute of Standards and Technology has developed a cybersecurity framework (CSF) for critical infrastructure that leverages best practices and international standards. The CSF is organised around five functions: identify, protect, detect, respond and recover. A cyber framework nation can help provide highly scalable capabilities in each of these functions. These include:
- First, identifying the highest-priority national military cyber assets and the supporting telecom and power grid networks that would need to be protected, or employed in a response, in the event of a cyberattack by an adversary.
- Second, extending and enhancing automated intrusion protection and developing resilience efforts, starting with data classification and segmentation, for participating NATO member nations’ militaries, telecommunication companies and electrical grids. Use high-end protection capabilities such as multi-factor authentication, end-to-end data encryption and diverse, redundant networks to ensure best information assurance practice in data confidentiality, integrity and availability.
- Third, increasing detection capabilities by provisioning shared cyber threat intelligence capabilities. A NATO cyber threat intelligence capability would develop and share cyber indications and warnings regarding the movement of high-end state cyber-threat activity towards NATO networks and information assets.
- Fourth, development of NATO cyber defense “playbooks” and training exercises for cyber-attack response, with techniques, tactics, and procedures (TTPs) developed to maximize the value of the defense and resilience capabilities noted above. Include national grid and telecommunications partners in the private sector as part of the playbook TTPs and training exercises.
- Fifth, providing “fly away” cyber-warfare teams to provide NATO member states’ “blue team” assistance to “operate in degraded environments,” recover, and support malware forensics. These would be complementary to NATO Cyber Response Teams.
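The technical-level incident-sharing “ecosystem” described under NATO Security Measures and the shared indications-and-warnings capability in the third point above both come down to the same operational step on the receiving end: taking indicators a partner has shared, matching them against local telemetry, and deciding which sightings may be passed back to which partners. The following is an added example written for this page, not NATO’s, the CCDCOE’s or any vendor’s code. The feed layout (kind, value, valid_until, TLP marking, source), the key=value log line format, and every feed entry and log line are constructed assumptions; the TLP ordering follows the published Traffic Light Protocol labels.

```python
"""Matching a shared cyber threat indicator feed against local logs.

Added example for this page, not NATO's or any project's code. The feed
layout is an assumption loosely modelled on STIX-style indicator fields;
all feed entries and log lines below are constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Traffic Light Protocol labels, least to most restrictive.
TLP_LEVELS = ["clear", "green", "amber", "red"]


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ipv4-cidr", "domain" or "sha256" (assumed vocabulary)
    value: str
    valid_until: datetime
    tlp: str             # sharing restriction set by the partner that shared it
    source: str          # which partner shared it


@dataclass(frozen=True)
class Alert:
    line_no: int
    indicator: Indicator
    observed: str        # the observable in the log that matched


_FUTURE = datetime(2030, 1, 1, tzinfo=timezone.utc)
_PAST = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Constructed feed: one expired entry and one TLP:RED entry that must stay local.
FEED = [
    Indicator("ipv4-cidr", "203.0.113.0/24", _FUTURE, "amber", "partner-A"),
    Indicator("domain", "update-cdn.example", _FUTURE, "red", "partner-B"),
    Indicator("sha256", "a" * 64, _FUTURE, "green", "partner-A"),
    Indicator("domain", "old-c2.example", _PAST, "amber", "partner-C"),  # expired
]

# Constructed log lines in proxy, DNS and EDR styles (key=value fields).
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.1.2.3 dst=203.0.113.77 host=files.update-cdn.example GET /a.bin",
    "2024-05-01T10:00:05Z dns client=10.1.2.9 query=old-c2.example type=A",
    "2024-05-01T10:00:09Z edr host=ws-17 file=C:\\Temp\\a.bin sha256=" + "A" * 64,
    "2024-05-01T10:01:00Z proxy src=10.1.2.4 dst=198.51.100.5 host=intranet.example.local GET /",
]

# Evaluation time for the demo, so that expiry handling is deterministic.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

IP_KEYS = ("src", "dst", "client")
DOMAIN_KEYS = ("host", "query")


def parse_kv(line: str) -> dict[str, str]:
    """Pull key=value tokens out of a log line; tokens without '=' are ignored."""
    fields: dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return fields


def observables(fields: dict[str, str]) -> list[tuple[str, str]]:
    """Extract (kind, value) observables from known fields only, to avoid
    treating file names or URL paths as domains."""
    obs: list[tuple[str, str]] = []
    for key in IP_KEYS:
        if key in fields:
            obs.append(("ipv4", fields[key]))
    for key in DOMAIN_KEYS:
        if key in fields:
            obs.append(("domain", fields[key].lower().rstrip(".")))
    if "sha256" in fields:
        obs.append(("sha256", fields["sha256"].lower()))
    return obs


def indicator_hits(ind: Indicator, kind: str, value: str) -> bool:
    """CIDR containment for addresses, suffix match for domains, exact for hashes."""
    if ind.kind == "ipv4-cidr" and kind == "ipv4":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(ind.value, strict=False)
        except ValueError:
            return False
    if ind.kind == "domain" and kind == "domain":
        dom = ind.value.lower()
        return value == dom or value.endswith("." + dom)
    if ind.kind == "sha256" and kind == "sha256":
        return value == ind.value.lower()
    return False


def match_logs(feed: list[Indicator], lines: list[str], now: datetime) -> list[Alert]:
    """Indications and warnings: every sighting of a still-valid shared indicator."""
    active = [ind for ind in feed if ind.valid_until > now]   # drop expired indicators
    alerts: list[Alert] = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value in observables(parse_kv(line)):
            for ind in active:
                if indicator_hits(ind, kind, value):
                    alerts.append(Alert(line_no, ind, value))
    return alerts


def shareable(alerts: list[Alert], partner_clearance: str) -> list[Alert]:
    """Sightings that may be forwarded to a partner cleared up to partner_clearance.
    TLP:RED sightings never leave the organisation; others go only to partners
    cleared at the indicator's level or above."""
    limit = TLP_LEVELS.index(partner_clearance)
    return [a for a in alerts
            if a.indicator.tlp != "red" and TLP_LEVELS.index(a.indicator.tlp) <= limit]


def demo_alerts() -> list[Alert]:
    """Run the constructed feed against the constructed logs at the fixed NOW."""
    return match_logs(FEED, LOG_LINES, NOW)


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"line {a.line_no}: {a.observed} hit {a.indicator.kind} {a.indicator.value} "
              f"(TLP:{a.indicator.tlp}, from {a.indicator.source})")
    print("forwardable to an amber-cleared partner:",
          [a.indicator.value for a in shareable(demo_alerts(), "amber")])
```

Two design points are worth noting for the “playbook” step that follows. Expiry is enforced at match time rather than at ingest, so a feed that is re-read later does not silently keep matching stale infrastructure. And the TLP filter is applied on the way out, not on the way in: a TLP:RED indicator is still used for local detection, it simply never appears in what is shared back to partners.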
The paper’s recommendations aim to strengthen NATO’s cyber capabilities and incorporate them into wider Alliance defense strategies, laying out multinational and intergovernmental steps and exploring the role of the private sector.