I heard more about NATO's plans over the summer, when they were kind enough to invite me on a tour of their headquarters (outside Brussels), cyber-defence facilities (in Mons), and the Cooperative Cyber Defence Centre of Excellence in Tallinn (although unfortunately I couldn't make it to the latter). These plans will be finalised at the Wales Summit of NATO leaders this Thursday/Friday in Newport and Cardiff (whose poor residents have to put up with a 10-mile security fence).
Background and current strategy
NATO's mandate is cyber defence - it will not be carrying out "active defence" (e.g. striking back against hostile systems), nor coordinating member states' cybersecurity (which apparently remains a very sensitive national prerogative).
The first, basic, NATO cyber strategy came in 2008, following attacks on Estonian and Georgian systems by "patriotic hackers" that were strongly suspected to be coordinated by the Russian government. A more developed strategy was agreed in 2011, with an action plan mainly focused on securing NATO's own networks and systems, which link the member states' deployed facilities.
These systems have recently been upgraded in a 58m€ project to provide centralised protection to classified NATO networks across 51 sites, with three to complete. This gives commanders situational awareness and analytical tools, and constantly updates network sensors.
NATO has established a Cyber Defence Management Board to coordinate policy and military activity. It has defined minimum requirements for cyber protection for national networks that NATO depends on, and national cyber capability targets (e.g. national strategy, CERT, supply chain regulations) for 2019. This has been a major driver of investment and uniformity. The Cyber Defence Committee has the lead political role in policy governance, acting as a link between the North Atlantic Council and all other NATO committees.
NATO has a good EU partnership at staff level, and holds reciprocal briefings with the Organisation for Security and Cooperation in Europe, and Council of Europe. There is an "intense tempo" of cooperation with five Western European non-NATO partners (Sweden, Ireland, Austria, Switzerland and Finland), as well as Australia and New Zealand. Following vetting for information sharing mirrored by the intelligence domain, this allows these countries to participate in cyber coalition exercises. NATO can blend cyber intelligence with classical intelligence to do much better attribution of attacks.
The new strategy
NATO's 2014 enhanced policy brings new elements:
- A link between cyber and collective defence. Art. V applies on a political case-by-case basis; there are no general criteria for its application.
- A focused exploration of the threat landscape.
- A framework for assistance to allies in cyber crises and in peacetime — the key element is information sharing, alongside rapid reaction teams, NATO as a clearing house for bilateral assistance and the civil emergency planning process, then more generally situational awareness, early warning, exchange of expertise, interoperability, and impact analysis (made possible by increased national investment reducing concerns over free riding).
- An explicit statement that international law is applicable in the cyber domain.
- An increased emphasis on training, education and exercises, with “coherent” use of NATO schools.
- NATO-industry Cyber Partnerships — to be implemented post-Wales, but there are already links with industry, mainly on procurement. NATO wants a different level of information sharing, with a structured platform (building on national sharing) and bigger regular meetings. This will be voluntary, but as inclusive as possible.
The Alliance already has three “smart defence” collaborative development projects between members:
- Canada, Netherlands, Germany, Romania and Finland are developing smart sensors, analytical tools, and an information sharing platform.
- A Malware Information Sharing Platform, developed at Mons, and offered to all member states. 50% of members are already participating, and this will become NATO-wide.
- Portugal has launched a training and education initiative, and wants to use the NATO school to become a major hub. This will be an element in a federated network, and make training more uniform, cheaper and more effective.
Analysis
These all seem sensible measures. I was surprised at how determined many of the NATO members seem to be to preserve their own sovereignty even within the Alliance (although they do need to protect themselves against Russian spies). It is astonishing that (according to the New York Times) the US, UK and Germany will not share information about their offensive cyber capabilities even with their closest allies — leaving NATO officials to scour media reports of Edward Snowden's revelations. (I hope that my expert witness statements in Big Brother Watch v UK and Privacy International v GCHQ were helpful :)
NATO suffered a substantial Distributed Denial of Service attack for the first time on 15-16 March 2014, the night before the Crimean "referendum" on joining Russia, bringing down the NATO website for 12 hours. Successful attacks on public-facing websites have no impact on NATO readiness, but are embarrassing. The Alliance was previously focused on espionage attempts against their systems.
The enhanced strategy clearly needs to be implemented quickly, before Putin's unconventional warfare tactics and Little Green Men start making higher profile "virtual" appearances in Ukrainian and NATO member systems.