With our societies increasingly dependent on modern information technologies, rapidly evolving cyber threats pose a growing danger. NATO will have to find a response.
Since the 1990s, billions of people worldwide have been using information and communication technologies (ICT). The Internet has evolved from a simple information exchange platform into the backbone of modern economies and societies. The impact of ICT on our personal, social and professional lives is enormous, and the benefits of Internet connectivity and the opportunities it offers to individuals and businesses are obvious. But there are two sides to every coin: while our societies place ever more trust in digital infrastructure, the technology itself remains inherently vulnerable. Rapidly evolving cyber threats challenge the confidentiality, integrity and availability of ICT infrastructures and can lead to disasters of unknown magnitude.
To understand the challenges NATO is facing in terms of cyber defence, it is necessary to first address the various attacks and threats in cyberspace.
Cyberattacks, defined as “any type of offensive manoeuvre employed by individuals or whole organisations that target computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system”, are more common than we think. Many of these attackers use advanced persistent threats (APTs) as their modus operandi to stealthily enter networks or systems and remain undetected for years.
A cyberattack can take many shapes and forms. Based on the source, the target and the intended damage, cyberattacks can be divided into a number of broad categories.
The first category is “arbitrary attacks” – far-reaching, global attacks that do not distinguish between governments and businesses. A well-known example of such an undifferentiated attack is the Red October cyber espionage malware programme, which was discovered in 2012. “Red October” had been operating worldwide for five years before its discovery, transmitting information ranging from diplomatic secrets to personal data. The malware was installed via emails with attached documents programmed to exploit vulnerabilities in Microsoft Word, Excel and the Java browser plugin. This advanced cyber espionage campaign was aimed at diplomatic, governmental and scientific research institutions worldwide. It was never revealed who was behind these attacks.
A second category of attacks is “destructive attacks” – attacks aimed at harming the target organisation. One example is the malware “Wiper”, which deleted information from the hard disks of Iranian oil companies in 2011. Another is the modular computer virus “Shamoon”, delivered by a malicious phishing email that entered the Saudi gasoline company Aramco in 2012 and left the company spending a week restoring its services. In the defence domain, the best-known malicious computer worm is “Stuxnet”. It was allegedly designed by the US and Israel to sabotage Iran’s nuclear programme and cause a series of “unfortunate accidents”. It was discovered in 2010 and has since emerged in various forms and shapes.
A third category of cyberattacks is labelled ‘cyberwarfare’: politically motivated destructive attacks aimed at sabotage and espionage. One example is the 2007 cyberattacks on Estonia, targeting government and commercial institutions. Other cases of cyberwarfare took place in Asia: in July 2009, major government, news media and financial websites in South Korea and the USA fell victim to a series of coordinated cyberattacks involving a ‘botnet’, a large number of hijacked computers that flooded the targeted servers with data until they were overloaded. Between 50,000 and 166,000 computers were hijacked during the attack, the majority of them located in South Korea. The timing of the attacks, coinciding with a North Korean short-range ballistic missile test, led researchers to believe that North Korea was the source of the attack, although no substantial evidence was provided for this claim. In 2010, rivalry between South Korea and Japan in women’s figure skating at the Vancouver Winter Olympics triggered a cyberwar between “netizens” (a contraction of (inter)net and citizens) from both countries. Other cyberattacks occurred during the Russo-Georgian War in 2008 and against Iranian nuclear facilities in 2006: President Bush then launched one of the first known uses of offensive cyberweapons when he ordered the execution of Operation Olympic Games, targeting the Iranian nuclear facility at Natanz. Bush ordered the operation because he believed it was the only way to prevent Israel from striking the facility with conventional weapons.
Other categories of cyberattacks involve government espionage (stealing information from or about government organisations) and corporate espionage (stealing data from corporations related to proprietary methods or emerging products and services). A well-known example of government espionage is the massive spying by the US on many countries, including allies, as revealed by Edward Snowden. The disclosure that the National Security Agency (NSA) had also spied on Germany’s Chancellor Angela Merkel made headlines all over the world and caused a diplomatic incident between the two countries. With ‘Titan Rain’, a series of coordinated attacks on American computer systems in 2003, hackers gained access to sensitive information on the computers of US defence contractors and institutions such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. The attackers were able to hide their identity, but this government-inspired espionage is believed to have originated in China. An example of a corporate espionage cyberattack is ‘Operation Aurora’, a series of cyberattacks in 2009 conducted from Beijing that targeted dozens of organisations, such as Adobe, Juniper Networks, Yahoo, Symantec, Morgan Stanley and Dow Chemical. The perpetrators had ties to the Chinese Army and tried to gain access to these high-tech, security and defence contractor companies, and possibly tried to modify source code repositories.
Another cyberattack category is “internet activism” (also called “hacktivism”), the use of technology to promote a political agenda or social change, often related to free speech, human rights or freedom of information networks. A famous hacktivist is Julian Assange, the man behind the non-profit organisation WikiLeaks. In 2010, this whistleblowing organisation published more than 90,000 documents on the wars in Afghanistan and in Iraq. Perhaps the best-known hacktivist group is “Anonymous”, which has been very active in the last decade. It attacked the Church of Scientology in 2008 and, with Operation Payback, it attacked high-profile opponents of internet piracy such as the Motion Picture Association of America and the British Phonographic Industry. Law firms, politicians such as Sarah Palin and Joseph Lieberman, and financial services providers such as Mastercard, Visa and PayPal were also hacked by Anonymous. Anonymous also declared war on ISIS after the 2015 Paris terror attacks and, in February 2017, it took down more than 10,000 child pornography sites on the Dark Web.
Other categories of cyberattacks are: stealing e-mail addresses and login credentials for specific web resources, stealing credit card and financial data, and stealing medical data.
Soft and Hard Threats
From a national security standpoint, cyberattacks present a multitude of threats, of which espionage, sabotage, propaganda and economic disruption are the most important types.
Cyberespionage, or cyberspying, is ‘the use of computer networks to gain illicit access to confidential information, typically that held by a government or other organisation’. The ‘soft’ threat of espionage, including cyberespionage, is not considered an act of war, since all major powers use it. However, espionage incidents can cause serious tensions between nations. Successful cyberespionage operations can give the spying country a considerable advantage over the country that was spied on: all powers spend large sums of money on finding out what the adversary is doing and with what intent. A successful cyberespionage operation in the field of defence technology can save the spying country a lot of money on research and development, or bridge in a short time span a technological gap that would otherwise have taken years to close. The attackers use cyberespionage for economic, political or military gain. They are deliberately recruited and are highly valued for their technical know-how. China has several cyberespionage battalions, of which Unit 61398 is the most controversial, since it is believed to be responsible for several attacks on the US. The US, Russia and North Korea also have units within their armed forces and security services that specialise in cyberspying.
Cyberpropaganda, defined as “the use of information technologies to manipulate an event or influence public perception toward a certain point of view”, is a second ‘soft’ form of cyberattack. It is a form of psychological warfare that uses social media, fake news websites and other digital means with the aim of de-legitimising the political and social system of a country. Cyber propagandists deliberately attempt to shape perceptions, manipulate emotions and direct the behaviour of large internet audiences to achieve a response that furthers the intent of the propagandist. Cyberpropaganda can also be used to influence elections in democratic countries. A case currently under investigation by Special Counsel Robert Mueller is the presumed Russian attempt to manipulate the 2016 US presidential elections. The theft and leaking of Hillary Clinton’s e-mails while she was Secretary of State under President Obama is a good illustration of cyberespionage and cyberpropaganda at once.
But cyberattacks are not by definition ‘soft’ threats. They also include ‘hard’ threats and can be used to support traditional warfare.
Cybersabotage, or “destructive hacking”, can be defined as “the deliberate and malicious use of cyber means to disrupt the normal processes and functions of cyber infrastructure or to destroy or damage equipment or information”. Cybersabotage can take place when contaminated hardware or software is purposefully installed during the manufacturing and installation process or is delivered over the internet. Not only military systems such as computers and satellites can be targeted. Since power, water, fuel, communications and transportation infrastructure are all connected to the internet and to cyberspace, they are all vulnerable to disruption. Potential targets also include power grids, trains or the stock market. Both the military and the civilian spheres of a nation are susceptible to malicious interception. In cybersabotage, the most common attack is the denial-of-service (DoS) attack: an attempt to make a machine or network resource unavailable to its intended users. A DoS attack, when properly executed, can be as devastating as a physical attack against the infrastructure. Coordinated DoS attacks can lead to large-scale economic disruption. In 2017, Ukraine and the British National Health Service became victims of DoS attacks resulting in financial losses in the millions. Only recently, the controversial president of Venezuela, Nicolás Maduro, accused the USA of sabotaging the Venezuelan power grid with cyberattacks, which led to an almost complete power failure in the afflicted country.
NATO and Cyber Defence
Since cyberattacks pose a genuine threat to national security and to the stability of the international system, states have developed cyber defence strategies and established organisations within their defence and intelligence departments to counter cyberattacks. Of course, NATO could not fall behind. The first time that cyber defence was on the Alliance’s agenda was at the Prague Summit in 2002. The need to improve the protection of communications systems was reaffirmed at the 2006 Riga Summit, but it was the major cyberattack on NATO ally Estonia a year later that triggered NATO cyber defence action.
First, a NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established in Tallinn, Estonia. Nearby, at the NATO Cyber Range in Tartu, cyber experts can develop their capabilities through realistic exercises. As of January 2018, the CCDCOE is responsible for identifying and coordinating education and training in cyber defence for all NATO bodies across the Alliance. Secondly, the first NATO Policy on Cyber Defence was approved in January 2008, and at the Lisbon Summit in 2010 a new Strategic Concept was adopted. An in-depth NATO cyber policy was to be developed, as well as an action plan to implement it; both were approved in June 2011 by the NATO defence ministers. A year later, cyber defence was integrated into the NATO Defence Planning Process, in which relevant cyber defence requirements are identified and prioritised throughout the process. In 2012, at the Chicago Summit, the Allies reaffirmed their commitment to bring all of NATO’s networks under centralised protection, and in The Hague (in the Netherlands) the NATO Communication and Information Agency (NCIA) was established to be on the front line against cyberattacks. In close cooperation with governments, industry and academia, the NCIA provides resilient Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) systems to acquire, deploy and defend NATO’s communications systems. A Cyber Security Service Line (NCIACSSL) was established for the planning and execution of life cycle management activities. It also provides specialised cyber security services covering the spectrum of scientific, technical, acquisition, operational, maintenance and repair support throughout the life cycle of NATO information and communications technology.
The Wales Summit in 2014 was another milestone in developing NATO’s cyber defence capabilities: a new Cyber Defence Policy was endorsed, aimed at boosting cooperation with the private sector, and the NATO Industry Cyber Partnership (NICP) was established. In 2016, NATO and the EU concluded a Technical Arrangement (TA) on Cyber Defence to help both organisations prevent and respond to cyberattacks. The TA provides a framework for exchanging information and sharing best practices between the emergency response teams of the 200-strong NATO Computer Incident Response Capability (NCIRC), which was established within the NCIA, and the Computer Emergency Response Team of the EU (CERT-EU). At the Warsaw Summit, the NATO Allies recognised cyberspace as a domain in its own right, in addition to the existing operational domains of air, sea and land. Other updates, initiatives and pledges followed suit, and on 8 November 2017 the defence ministers agreed to establish a new Cyberspace Operations Centre in Belgium. The Centre will provide situational awareness and coordination of NATO operational activity within cyberspace. To do so, NATO can make use of national cyber capabilities for its missions and operations.
Finally, Allies took stock of their progress to enhance national resilience through the Cyber Defence Pledge. Although each Ally remains responsible for its own cyber defence, NATO supports its members in boosting these defences by sharing real-time information about threats and by exchanging best practices on handling cyberthreats. In addition, NATO maintains rapid-reaction cyber defence teams that can be sent to help Allies in addressing cyber challenges. It also develops targets for Allies to facilitate a common approach to their cyber defence capabilities; and invests in education, training and exercises, such as Cyber Coalition, one of the largest cyber defence exercises in the world.
Cyber threats continue to evolve. NATO networks, covering over 60 different locations and serving more than 100,000 people, have experienced increasing cyberattacks over the past decade. NATO’s cyber defence systems register suspicious events on a daily basis, ranging from simple attempts to technologically sophisticated attacks on NATO’s IT infrastructure. Most of these attacks are detected and handled automatically, while others require expert analysis and response.
NATO, in close cooperation with the EU and industry, is already making big efforts in the field of cyber defence. But the following challenges remain.
In cyberspace, there is no clear division between the military and the civilian realm. Cyberattacks on civilian targets can be as devastating as a physical attack. Although a cyberattack can have military consequences, cyber defence cannot be achieved through military means alone. Many more actors are involved, such as civilian governments, private industry and individuals (think of Bill Gates or Mark Zuckerberg, or Assange and Snowden). NATO is already tackling this challenge, but experts are only beginning to understand the complexity of cyberspace and the consequences of worldwide interconnectivity and dependence on ICT. A lot more has to be done, in close cooperation with industry and academia.
Another challenge for NATO is to determine who the adversary is: most hostile cyber activity is below the threshold of armed conflict. Malicious cyber activity can come from state actors or non-state actors (terrorist organisations, hacktivists or individuals) or state actors disguised as non-state actors. It is difficult (even dangerous) to determine a proportionate and effective response if the actual source of the threat is unknown or uncertain.
A third challenge for NATO is to align the various national cyber defence strategies that individual Allies have developed. These strategies are based on national assumptions, preferences, and technological and industrial particularities; it is a real challenge to design a concrete NATO strategy and action plan for cyber defence that takes all these national interests into account.
This brings us to the fourth challenge: the legal and judicial aspects of a NATO-led cyber defence. NATO’s three essential core tasks – collective defence (Article 5), crisis management and cooperative security – should also be executed in cyberspace. However, in cyberspace there are many more stakeholders, myriad threat actors and much activity in a legal grey area. Questions that need an answer include, for example, the relationship between national capabilities and sovereignty, and the authority of NATO. The efforts undertaken by NATO to mainstream cybersecurity activities have thus far proven insufficient to fully address the growing cyberthreat. And what about privacy regulations? NATO is forbidden to target the citizens of its member states, but does this also apply in cyberspace? Does Article 5 apply to cyberattacks, and what should the response be? What is the role of international law in cyberspace and with regard to defensive and offensive cyberweapons? There is no coherent international legal framework, due to the technicality of the cyber defence issues and, perhaps, because major powers such as the US, Russia and China prefer to operate in ambiguity. And what about the law of armed conflict, telecommunications or satellite law, and criminal law, all of which are affected by cyber defence measures? What will be the actual or legal responsibility of NATO? These questions are a serious challenge for NATO in the near future.
Challenge number five is the rapid pace of change in cyberspace. Serious investments in information gathering, human talent and technical capabilities are necessary to keep abreast of the threats. Cyber technology continues to evolve, and vulnerability to attacks increases as a greater range and number of devices connect to each other and to the internet. More cooperation with industry and civilian actors is required to prepare for the future cyber battlefield, where there will be no line between the military and the civilian world.
NATO has already come a long way on cyber defence issues and is doing much to improve the Alliance’s cyber defence capabilities. At the same time, the ever-evolving cyber environment and the ongoing evolution of threats require NATO to step up its investment and cooperation with industry and civilian actors. While the foundation stone has been laid, the building itself is still under construction.