Keynote Address by Dr. Jamie SHEA
Deputy Assistant Secretary General, NATO Emerging Security Challenges Division
At the International Conference “NATO, EU & Industry Cooperation on Cyber Security”
28 June 2017, European Parliament
Last year, 2016, was very much a year of decisions for NATO in the field of cyber defence. In many ways, 2016 was also a watershed year, when cyber defence was no longer purely a question of protecting networks against a growing and more sophisticated spectrum of cyber attacks but instead became an issue of the integrity of democratic institutions in NATO countries. The abuse of cyber space became a means not just to acquire or manipulate data, or interfere with the running of a network but to influence political outcomes and even exert outright political coercion and intimidation.
It was against this background that NATO had to raise its game in cyber defence.
Its most important response thus far was to declare, at the Alliance’s Summit in Warsaw in July 2016, that NATO now considers cyber space as an operational domain. This means in essence that NATO has decided to shift the focus from information assurance to mission assurance. In order to adjust to this new reality in which cyber is not only a new fifth domain of warfare in its own right, but is also impacting on the four traditional domains of warfare (air, land, sea and space), NATO’s defence ministers meeting last February approved a roadmap outlining the steps that need to be taken so that the Alliance can fully implement the domain concept by 2019. This roadmap provides for a closer relationship between the Supreme Allied Commander Europe and his Allied Command Operations and the NATO Communications and Information Agency in The Hague, which is responsible for the daily protection and monitoring of NATO’s networks in peacetime and for the security and acquisition of NATO’s information technology.
NATO is also updating its operational plans to better incorporate and prioritize cyber defence and to have a clearer sense of cyber defence requirements during operations. For instance, which cyber effects would need to be generated at an early stage and how can the cyber aspect be better reflected in graduated response plans and crisis response measures, which the NATO Council would authorize SACEUR to implement? Clearly, cyber space has accelerated the speed at which crises can unfold, leading to the requirement for much better and earlier situational awareness and responsive decision-taking. Operating “at the speed of relevance” has become the new buzz phrase.
As NATO moves towards cyber as a domain, it needs to focus on the four key pillars of a successful strategy. These are people, processes, organization and technology. The celebrated German tank commander, Heinz Guderian, defeated the French army in May/June 1940, not because he had a margin of superiority in any single one of these four areas (indeed, we now know that the French had more, and heavier, battle tanks than the Wehrmacht), but because he achieved a much better inter-relationship and synergy among these four areas, through constant experimentation, exercising and conceptual thinking, than the French Generals were able to do. So how does this paradigm of the coherent development of people, process, organization and technology apply to NATO’s current approach to cyber defence?
In the first place, NATO needs to practice better for modern, realistic cyber attack scenarios in its Crisis Management exercises and also in its Trident series of military exercises, so that we can cope effectively with this new reality. This is a matter of organization. It involves a better coordination of effort across the NATO Command structure. Already SACEUR has set up a Cyber Division at Allied Command Operations, in order to better identify requirements and ensure that NATO’s capability packages to common fund its acquisitions reflect the cyber dimension. In this respect, NATO will need to meet the challenge of speeding up its upgrades to its information technology and to the NATO Cyber Incident Response Capability, which is responsible for the daily defence of NATO’s networks. We must move from a culture where capabilities are acquired in big chunks or platforms and at intervals of every ten or fifteen years to one in which information technology can be constantly upgraded in an evolutionary way and with smaller amounts of investment but on a more frequent basis.
Another issue associated with making cyber an operational domain is that NATO will need to learn more from its Allies who have already moved in this direction, such as the US, the UK, France and the Netherlands, how their models are working and how they are using cyber effects as part of their military operations. This is all the more important as NATO will not develop offensive cyber capabilities and would therefore need to be able to rely upon national capabilities (subject to political approval by NATO overall) in instances where NATO military commanders believe that a cyber effect rather than the use of a conventional weapon is the best way of producing a desired military outcome.
The second major initiative of NATO’s Warsaw Summit was to adopt a Cyber Defence Pledge. This will help NATO to improve the process of cyber defence planning. The Pledge commits Allies to spend at least a portion of their extra investment on improving national cyber defences, even if there is no specified minimum amount. Allies have performed self-assessments of their cyber defence hygiene by reporting on seven capability areas – from strategy, organization, processes and procedures, threat intelligence, partnerships to capabilities and investments. They have been asked to bench-mark these assessments according to four levels – from advanced to basic. The national responses will allow the NATO staff to develop more precise and relevant metrics, as well as to form a more reliable common baseline of overall NATO capabilities. In turn, this greater transparency will help the NATO staff to identify gaps and prioritize requirements. On this basis the NATO Defence Planning process, which has already incorporated a set of basic cyber capability targets for each NATO member state, will be able to suggest more ambitious targets and ones more adapted to the needs of individual states in the future.
Beyond these two flagship initiatives of the Warsaw Summit, a good portion of NATO’s effort to step up its game in cyber defence is to enhance its ability as a platform to assist the Allies across a whole spectrum of cyber defence needs. For instance, a new Memorandum of Understanding has been offered to Allies to improve intelligence-sharing, incident coordination and lessons learned from cyber attacks between NATO HQ and individual Allies. Already 21 of the 29 member states have signed this new Memorandum of Understanding.
NATO has set up a new Intelligence Division with a strong cyber threat intelligence function, which should incentivize Allies to provide more early warning and advance notice of cyber attacks or malware and not only lessons learned and post incident information. Enhanced intelligence-sharing among Allies will not only help to parry cyber attacks or to limit the damage but also to build over time a much more detailed and comprehensive picture of hacker groups, proxies, methodologies and attribution.
Next we come to people skills. One of NATO’s most useful contributions to its member states is in the organization of training and exercises to improve the skill set not only of operators in NCIRC and the NATO command structure but also national cyber defence teams. The annual Cyber Coalition exercise now attracts over four hundred participants and the Locked Shields exercise is recognized as one of the most demanding and intensive Red Team-Blue Team exercises. This year, it involved more than 800 players and was won by the Czech Republic.
Portugal has taken the lead in the Alliance on training and education and will soon acquire the NATO Communications and Information School, which is being transferred from Latina in Italy to Oeiras in Portugal. Belgium has successfully led a group that has developed a malware information-sharing platform, which has not only been implemented among Allies but also between NATO and the European Union. A variant of this is also being used to facilitate the exchange of information between NATO and industry and with the possibility of more open and more confidential platforms according to the level of certified access and the sensitivity of the information being shared. A third cyber defence project focuses on situational awareness and incident coordination, including an operations and maintenance contract. The system has been successfully implemented by the Netherlands and Romania. All in all, 21 Allies and four Partners participate in Smart Defence projects.
If NATO is to raise its game, we need also to have even stronger partnerships. NATO has reached out first and foremost to industry and formed a NATO Cyber Industry Partnership. Thus far, the NATO Communications and Information Agency has concluded nine individual industry arrangements to share threat intelligence and early warning indicators. An improved series of NATO industry workshops, such as the annual NATO Information Assurance Symposium in Mons and a series of threat vector workshops, are bringing industry and NATO together to discuss innovation, improving procurement and acquisition and threat intelligence.
Finally, we come to technology. Earlier engagement with industry is designed to help NATO better understand which products are out there on the market, which NATO could better exploit and help industry to see where NATO’s procurement is likely to be heading in the future. It can also improve supply chain management and stimulate diversity on the supply side. An information exchange has been set up at the NATO Communications and Information Agency and this has been conducting pilot projects to see how we can better link up with academic research and small and medium-sized companies that are often in the forefront of innovation but which have often been reluctant to engage NATO directly or uncertain where to plug in to the NATO bureaucracy.
NATO is also building stronger relationships with other countries who have concluded a formal partnership arrangement with the Alliance. A technical arrangement on cyber defence was recently agreed with Finland. A trust fund for the provision of cyber defence equipment and analytical and forensic capabilities is in operation with Ukraine. Moreover, NATO has been helping countries such as Jordan, Moldova and Georgia with cyber defence organization at the national level and doctrine and training. Partners are increasingly joining the Cooperative Cyber Defence Centre of Excellence in Tallinn or sending staff or observers there.
In Brussels, NATO and the European Union are now coming much closer together in the cyber defence field. A technical arrangement on the sharing of non-classified information between NCIRC and the EU CERT has been in operation for over one year and the recent Action Plan to implement the NATO EU Joint Declaration agreed by NATO and the EU last December provides for more NATO EU interaction; for instance in sharing information on operational planning for cyber defence during military missions, harmonizing training requirements, cooperating more on research and development and standards between the European Defence Agency and NATO’s Allied Command Transformation, and more mutual participation in each other’s training and exercises, such as NATO’s CMX and Cyber Coalition and the EU’s Cyber Europe.
In conclusion, cyber is different from the other domains of conflict. The pace of innovation is much faster. Resources need to be spread over a far greater number of functions and applied much more selectively than in a conventional capability programme if a cyber construct is to operate successfully. Many more actors can be players with a minimum need for major investments or large organizations to gain entry level. There is the problem of attribution and, as the recent hacking during the US elections has shown, still a good deal of uncertainty as to when a cyber attack, which does not necessarily kill people or destroy anything physical, can really be considered as an act of aggression and elicit an appropriate response.
Whereas we have a good idea how to deter a nuclear attack or a conventional attack, or to deal with crises in the traditional domains, or what kind of arms control or confidence-building arrangements can be useful to keep things peaceful, we still do not have a good idea how we can deter or respond to major cyber attacks, even when they are clearly designed to undermine our governments or our political processes. Accordingly, the cyber domain will require NATO, as with most other organizations, to work increasingly top down on anticipating the strategic trends and adjusting policy and doctrine more quickly, while working bottom up at improving basic cyber hygiene to lower its attack surface and reduce the scope for own goals due to basic human error or shortage of trained personnel. We need to learn better to do two things simultaneously – learning to transform the plane while we are flying it more skilfully – if we are to keep pace, let alone ultimately master the evolving cyber threat.
Dr. Jamie Shea is Deputy Assistant Secretary General for Emerging Security Challenges at NATO. The views in this presentation are entirely those of the author alone. They should not be construed as representing an official position of NATO but are contributed in a purely personal capacity.