Late one Saturday evening in March, NATO’s Headquarters experienced a large-scale cyber-attack at the hands of a group calling itself Anonymous Bierkut from Ukraine. Non-classified networks were targeted, putting internal email services and public websites out of action for several hours. The attack was more of a nuisance than a serious threat but it served as a salutary reminder that even the best protected and cyber-aware organisations can still come up against disruption.
Faced with an evolving threat, NATO is updating its 2011 cyber-defence strategy and will unveil the results this week in Wales.
Every major international dispute these days comes with assorted cyber-attacks and the Anonymous Bierkut incident has reminded NATO that it cannot rest on its laurels. Just like the technology we use to defend ourselves, our policies quickly become obsolete and need to be modernised. The same advances in technology that help an organisation to improve its defences also help the attacker to improve their hacking skills. Cyber-attacks are becoming more intense, deceptive and sophisticated and pose a serious threat to modern infrastructure.
As a result, any cyber-defence strategy worth its salt has to be comprehensive and enable an organisation to keep pace with evolving threats. It has to be frank about vulnerabilities, clear about different levels of responsibility for cyber-defence and define the crucial inter-relationships both within and outside the organisation.
The starting point of a policy is to be clear about when the organisation as a whole needs to act and when individual member states should act alone. But when it comes to cybersecurity, NATO must assume its collective responsibility.
Cyber-attacks can reach a threshold that threatens not only an ally but the alliance as a whole. Under article five of the North Atlantic Treaty, an attack on one member of the alliance should be treated as an attack on them all. That could include cyber-attacks but too much clarity about when NATO would or would not act could reduce deterrence by encouraging attacks below a certain threshold.
At the same time, it is important for allies to be able to count on each other’s assistance to cope with cyber-attacks below the threshold, and the new policy aims to enable NATO not only to defend its own networks but also to provide assistance to allies when they need it.
One approach is to call on groups of NATO states to lead on smart defence projects. Three such projects are already running, focusing on malware, cyber-defence training and defining multi-national crisis management systems. Assistance can also be provided by NATO’s Computer Incident Response Capability, which has two rapid reaction teams at its disposal as well as a forensics faculty.
This said, the bulk of assistance will be delivered on a bilateral basis with NATO acting as the hub. The alliance might, for example, draw up lists of national cybersecurity specialists who can be mobilised at short notice. Another option is to get member states to form partnerships, perhaps with one partner that is good at cybersecurity and another that is less advanced. These partners can then develop an intimate understanding of each other’s procedures and work together to deal with threats.
Cooperative cyber-defence is based on trust and on a balance between dependency and self-reliance. If member states want NATO’s help on this issue, they will have to make their own investments too. They need to develop standard methodologies and ensure their own capabilities match NATO standards. IT networks have proliferated in an ad-hoc fashion over the years with a mixture of old and new, and now need to be streamlined to make sure NATO information is safe.
Allies will have to identify which parts of their national IT systems are needed by NATO for its communications. Once these national systems have been identified, allies can agree on minimum standards of cybersecurity to bring them up to the same standards as the NATO common networks.
Over the last few years, the alliance has developed much more expertise in cyber-defence. An updated policy, like any good strategy, will help allied leaders to focus more clearly on the top priorities and to provide political impetus; but the key to success will continue to lie in candidly measuring the results against a cyber-threat that will not stand still.
This article is based on Jamie Shea’s presentation at Cardiff University’s conference, NATO After the Wales Summit.