As NATO’s missions become increasingly network-centric, the dependency between operations and communication and information systems (CIS) will become more acute.
Indeed, all NATO operations are “information-enabled” or “information-led.” Sharing information and protecting it is now essential for success across the entire spectrum, from humanitarian relief to war.
Protecting CIS through a formal cyber defence program is an integral part of mission success. But we must balance two competing concepts: sharing information in order to be effective in coalitions, and protecting information to prevent it from falling into the wrong hands or being manipulated and used incorrectly.
This paradigm shift from need-to-know to obligation-to-share has led us to a share-to-win approach within the NATO Network-Enabled Capability community. However, this approach exposes us to an unprecedented level of risk from cyber attack and exploitation by external parties. When we open our networks and our information to a broader community that now includes non-NATO nations, other ministries and NGOs, we assume greater risks. These organizations may have different security and privacy concerns, different defensive procedures for their networks, and different protection requirements for their information. In short, the technical, procedural and legal challenges of sharing and protecting information and networks increase exponentially as we add partners and collaborators.
This need to share information to support operations, combined with the increased complexity and interconnectivity of computer networks, the growing number of cyber incidents and our need to be more interoperable across NATO and coalitions, has raised the profile of cyber defence within NATO.
Though some perceive cyberspace as the fifth dimension of war and conflict, NATO is far from declaring it a warfare domain equal to land, sea, air and outer space. Nonetheless, we are developing the necessary capabilities to defend our networks from exploitation and external attacks. At the 2002 Prague Summit, it was decided to strengthen NATO’s capabilities to defend against such attacks, a decision which initiated the NATO Computer Incident Response Capability, or NCIRC, project.
Strategic policy
The cyber attacks of 2007 in Estonia were a strong reminder of the vulnerability of our modern societies. Cyber knows no organizational bounds. Attacks against militaries, public institutions and individuals will happen without warning and without discrimination. As a result of the lessons learned from those attacks, and NATO’s own work on cyber defence, NATO developed a Cyber Defence Policy, approved by the North Atlantic Council in January 2008.
The policy includes two new key elements. The Cyber Defence Management Authority (CDMA) has sole responsibility for cyber defence throughout NATO and will initiate and coordinate immediate defensive action where appropriate. It is a strategic-level body dealing with both technical and political aspects in a practical and pragmatic manner.
It also provides a consultation mechanism for handling requests for urgent support from member and partner nations subjected to attacks. Upon request by an affected ally, the CDMA can organize and dispatch response teams. This mechanism has already been put to the test, most notably the deployment of an assessment team to Georgia in August 2008.
As NATO did not previously have formal obligations to protect member states against cyber attack, one of the main issues during the development of the policy was the distinction between the responsibilities and roles of NATO and those of individual nations. While it was agreed that Allies have prime responsibility for protecting their national networks, it was also decided that NATO be able to assist Allies who request support against cyber attack. Likewise, Allies with sufficient competence should be able to provide support to NATO. There is now a shared responsibility for communications of vital importance to the functioning of the Alliance, which reflects the basic NATO principle of collective security and is of particular importance for protecting the links between the Alliance and national systems.
The second key element of the policy was the development by NATO’s Military Authorities of a Cyber Defence Concept. It contains assessments of the threats, vulnerabilities and risks relating to CIS and addresses technical, organizational and other measures to counter the cyber threat. It emphasizes the importance of preventing attacks through a mix of physical security measures, deterrence and intelligence. A fundamental principle in this strategy is defence in depth, which is aimed at preventing direct attacks against critical assets.
Since prevention may not always be successful, the Concept notes the importance of the capability to detect and respond to an attack in a timely and effective manner. The establishment of the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, formally accredited as a NATO centre of excellence 18 months ago, has attracted considerable international interest and has already proven a valuable asset.
Response and cooperation
At last year’s NATO Summit in Strasbourg/Kehl, heads of state and government highlighted NATO’s commitment to cyber defence and stated that the Alliance will “accelerate its cyber defence capabilities.” They also stated that “cyber defence is being made an integral part of NATO exercises” and NATO will strengthen its cooperation with partners.
On the first point, NATO created the Computer Incident Response Capability FOC (Full Operational Capability), which will add new and valuable capabilities to help create a more trusting environment. This is of paramount importance to establish a network-centric environment where an integrated, scalable and fully distributed CIS will allow secure movement of information from any source to any destination in a NATO or coalition operation.
The second involves the inclusion of cyber scenarios in NATO exercises. Exercises are one of the best methods of enhancing our cyber defence awareness and encouraging the development of critical capabilities. In May 2008, the NATO C3 Board tasked the CDMA to organize the first NATO cyber defence exercise, which was executed in November 2008. In 2009, 19 nations participated in or observed the exercise.
The third deals with cooperation. Partners are showing an increasing interest in cooperating with NATO on cyber defence, and considerable scope exists for mutual benefit. Last summer, NATO nations approved the “Council Guidelines for Cooperation on Cyber Defence with Partner Nations and International Organizations,” which provides a general framework for collaboration. Cooperation will be tailored to the needs and interests of individual countries and will, to a large degree, be on a case-by-case arrangement.
Cooperation is a two-way street. The Alliance can provide information and assistance, but it also benefits from the exchanges and aid of those with extensive cyber experience. Further refining these guidelines, last March NATO approved the “Framework for Cooperation between NATO and Partner Nations,” to provide objectives, principles and procedures for cooperation on cyber defence through the best use of existing cooperation programs.
Legal framework
One dimension of the policy requiring further work is the legal aspect. Insufficient legal frameworks and instruments at both the domestic and international levels pose a major challenge to the implementation of cyber defence. There are no universal international agreements for the monitoring, record keeping, and cooperation necessary to track and trace cyber attackers. There are specific legal aspects of cyber defence directly affecting the Alliance. In case of a cyber attack, for example, it is almost impossible to identify the aggressor. NATO cannot allow itself to act militarily, based on assumptions. Though these questions require political rather than legal answers, as was the case on September 11, political decisions must be made on the appropriate legal basis.
At the Strasbourg/Kehl summit, as a part of the Declaration on Alliance Security, member nations tasked the Secretary General to develop a new Strategic Concept for the next summit in 2010 – the existing strategic concept dates back to 1999. The new concept should identify the most relevant threats to Allies’ security interests, and the NATO priorities in the fight against terrorism, proliferation, cyber defence, energy security, piracy or maritime surveillance.
Cyber defence is a critical part of this high-level conceptual and strategy work. Good legal frameworks, a common understanding of the legal challenges, and work focused on solving some of the challenges will give the Alliance a better basis for consultations regarding cyber warfare in the future. One of the challenges, of course, is to balance the need to protect and defend our networks and systems against the need to protect the privacy of individuals, a challenge that gets into national sovereignty and privacy concerns – hence the need at some point to take it away from engineers and scientists and to hand it over to lawyers.
Major-General Glynne Hines is Director, NATO Consultation, Command, and Control Staff, the principal advisor to the Military Committee and the North Atlantic Council on all operational and technical aspects of CIS and network-enabled capabilities. He was recently appointed as NATO’s Military Authority for Cyber matters. Previously, he served as Director General Information Management Operations and Canadian Forces J6 and Chief of Staff, Assistant Deputy Minister (Information Management).