By Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO
We may not see cyber-attacks but they are happening every day, and with increasing severity. In the UK, 90% of large organizations have reported cyber breaches over the last two years and the average cost of dealing with these attacks has gone from £600,000 in 2014 to £1.5 million this year. Hardly a day goes by when a newspaper does not contain an article on the latest cyber intrusion, whether it be the compromise of data of 500 million individuals linked to Yahoo, or the theft of over a billion dollars from the Bangladesh national bank through a compromise of the SWIFT payment system. Critical infrastructure is becoming increasingly targeted, as evidenced in the recent hacking of the San Francisco mass transportation system, which blocked the payment systems and access gates at the stations on this system for over 48 hours. We also are becoming increasingly aware of the vulnerabilities that the Internet of Things will engender, exemplified by the massive attacks recently directed in the United States against the internet service provider Dyn, which used hacked video cameras to disrupt very popular US sites such as Amazon, Twitter, the New York Times and CNN.
We have for some time been used to cyber crime in terms of the theft of money or individual identities; but what is increasingly of concern is the use of cyber for political interference or coercion. For instance, last year the power grid in Western Ukraine was shut down for several hours, denying power to 220,000 customers. The recent US election campaign was also marked by a number of cyber attacks against the Democratic Party in order to leak compromising e-mails, and many US states reported attempts to gain access to their voter registration lists. In short, we are beginning to realise that the aggressive use of cyber space can serve multiple purposes: not just information or financial gain, but also propaganda, disruption, actual physical destruction, extortion and ransom, and now also interference with a view to influencing political debates in other countries. Therefore, it is not just every conflict or crisis that will have its cyber dimension, but, worryingly, normal political processes as well.
This more brazen use of major cyber attacks by both state and non-state actors (who seem to believe that the gains outweigh the risks) raises the question of what we can do to set red lines to discourage these attacks before they escalate into a serious bilateral dispute or international crisis. The traditional focus on defence or deterrence by denial no longer seems adequate when the hacker (like the bomber in the 1930s) always finds a way to get through. One proposal is to be quicker and bolder in naming the perpetrators, as the US has recently done in pointing the finger at Russia for the attacks against the US election process, and threatening appropriate retaliation at an unspecified time and of an unspecified nature. A second response is for Western countries to be more ready to use cyber instruments themselves, as when the US Pentagon recently went public in announcing cyber attacks against the propaganda machine and command and control of ISIL in Iraq and Syria. A third proposal is to try to identify specific individuals, to publicly name and indict them and then to use international arrest warrants via Interpol to try to bring them to justice. The US has done this vis-à-vis 5 members of the PLA in China. Others have spoken of threatening sanctions. Whether any of these measures will work remains to be seen, but what is now clear is that we have to anticipate the cyber consequences of nearly every major political event, such as an election campaign. For instance, high-level meetings between the West and Ukraine seem nearly always to entail a cyber attack. It is no coincidence that when the EU recently held a Summit with President Poroshenko, European Commission networks suffered a major denial of service attack the same afternoon.
Given this context, the key tasks of those who believe in the positive power of cyber space to spread individual freedom and to grow our economies will be to maintain trust in the use of the internet, to uphold privacy, to maintain competition among service providers but also to increase the security of our information systems, so that they are far less prone in the future to penetration and misuse by ill-intentioned actors. This of course will be a major challenge and many international organizations will have to follow a coordinated approach if we are going to be successful. NATO too has its role to play.
In the first place, we have declared that Article 5, NATO’s collective defence pledge, can be invoked in response to cyber-attacks above a certain threshold. Thus, cyber defence is part of the Alliance’s core task of collective defence.
We have also recognized that cyber-attacks can seriously undermine NATO’s missions around the world. Our forces are increasingly likely to cooperate in environments where cyber tools are used to disrupt our command and control, manipulate our data or even paralyse our weapons systems. Thus, at their recent Warsaw Summit, NATO’s leaders declared that cyber is now an operational domain for the Alliance. This means that we are looking at our organization, capabilities, and planning to ensure that we can manage the risks, recover quickly and function as smoothly in cyber space as in the more traditional areas of land, sea and air operations.
Naturally, NATO’s capabilities in the cyber domain will continue to depend on what individual Allies produce at home. We cannot afford any weak links in the chain of cyber defence due to some Allies under-investing in this area or not being fully interoperable. Therefore, at the Warsaw Summit, NATO’s leaders also adopted a Cyber Defence Pledge and we are currently seeking how to best implement this, also by using NATO’s defence planning system to set individual Allies realistic targets and to devise a rigorous method of assessment to ensure that those targets are met. Along the way, NATO is also helping Allies to improve their cyber intelligence. Our Cyber Threat Assessment Cell uses information gathered both by individual Allies and the Alliance itself and we share real-time information through a dedicated malware information-sharing platform. This has also been recently established with a number of industry partners, as 90% of information technology networks are owned and operated by the private sector and private companies are often in the lead for early warning, threat assessments and analysis, and the innovative ideas that can help us achieve a more secure cyber space. For all these reasons, NATO has also launched a NATO Cyber Industry Partnership through which we are engaging industry, not just on information-sharing, but also on supply chain security and innovation and experimentation, particularly looking to reach out to those small or medium enterprises that are often at the forefront of creativity in the cyber domain.
Finally, NATO’s activities in the area of education and training are helping Allies to develop the skills and techniques that are just as important for secure cyber defence as better technology. Just recently, we held another Cyber Coalition exercise in Estonia, an event which annually gathers over 400 operators from both NATO and partner countries who test their skills against the whole gamut of malware, denial of service attacks and other forms of cyber threat. Portugal is also soon to open a NATO Cyber Defence Academy, which will offer a range of advanced training courses, as well as research and development. Many of NATO’s activities within the Science for Peace and Security programme involve help with cyber training or the development of national cyber defence strategies for partners as diverse as Iraq, Jordan, Bosnia and Ukraine.
For all that NATO is doing to adapt to a changing world, one thing will not change. NATO is a defensive Alliance and its actions will always be proportionate and in strict accordance with international law. That in turn means that NATO will strongly support efforts to foster a more transparent and secure cyber space through the development of voluntary norms of behaviour by individual states and related confidence-building measures.
Cyber defence depends ultimately on effective partnerships. For that reason, NATO has recently been reaching out to Finland with the aim of concluding a framework for cyber defence cooperation with this important country. Cooperation in cyber defence is also at the heart of the new agreement between NATO and the EU to extend their cooperation. An arrangement on information-sharing between the NATO NCIRC and EU CERT is functioning smoothly and NATO is now proposing to the EU to have more mutual participation in exercises and to base these exercises on the same scenarios to better test procedures in a crisis. There is of course still a long way to go but all the activities described show that NATO is determined to not only catch up with the evolving cyber threat but increasingly to get out in front of it as well.
Jamie Shea will also attend the FIC, where he will meet on the ground with many SMEs active in the security segment. It is an eagerly awaited event for the whole community, and S&D will of course be present.