
6 January 2015 – Savonlinna, Finland

by Timo Mustonen

In the midst of the Sony hacks and distributed denial-of-service (DDoS) attacks on the console gaming services of Microsoft and PlayStation, it is prudent to think “What about defence?” How are our crucial infrastructure and data protected? For those in NATO … they’d like to think they have you covered.

During June 2014, the NATO Foreign Ministers met in Brussels and discussed the crisis in Ukraine (talks were facilitated by an endless supply of mineral water, it would appear). They also talked about a new NATO cyber defence policy that would later be endorsed at the NATO Summit in Wales in September. The establishment of the NATO Cooperative Cyber Defence Centre of Excellence in Estonia in 2008 shows that NATO has been thinking of network and data security for a good while now. Technology develops in leaps and bounds, and NATO must adapt as quickly as a multinational bureaucratic nightmare can. This is the core concept of the new enhanced cyber defence policy.

Early November 2014 saw the Atlantic Council host a discussion on the cyber defence issues of NATO, where policy was discussed (further), including NATO’s cyber capabilities – as well as a notional role the private sector might play in the battle. During the discussion H.E. Sorin Ducaru, Assistant Secretary General for Emerging Security Challenges for NATO, explained the NATO cyber defence policy as a three-layered approach: recalibration and enhancement of the cyber defence paradigm within NATO; reinforcement of capability development and capability building; and re-evaluation of partnerships and governance in the area of cyber defence.

But experience says some key markers are missing from that list. For example, the fact that the profile of a ‘cyber-terrorist’ is non-traditional: country, organisation, company, collective or an individual. Similarly, ‘location’ is no longer a helpful integer in the query. Anyone with a smart device and an internet connection has the capability to create trouble. Can NATO defend itself, its member states and citizens from attacks? And a popular follow-on question: what constitutes an attack? At which point would an issue escalate from the local or national level and into a collective NATO crisis? It would seem that NATO cyber security works on a ‘request’ basis where a nation can raise an issue and request assistance in dealing with it. That all seems perfectly civilised, but reactive solutions would be slow-coming and take even longer to deploy.

Article 5: Is an attack on one an attack on all?

What would it take to make a cyber-attack an Article 5 problem? The Wales Summit Declaration underlines NATO’s fundamental responsibility for defending its own systems, while nations are expected to patrol their own beat. The new policy also confirms that NATO member states are able to invoke Article 5 of the North Atlantic Treaty as a matter of collective self-defence in case of a cyber-attack (with effects comparable to those of a traditional armed attack). That is something we have not yet seen, at least on a scale larger than Stuxnet attacking specific Siemens software and programmable logic controllers. These do tend to be the larger players, and distempered teens in their parents’ basements remain the responsibility of local enforcement. The closest thing to enforcing Article 5 would be the Sandworm attack in Estonia by a Russian hacking group.

NATO is also looking to reinforce its capabilities and has approved the creation of a cyber-training centre in Tallinn, Estonia to combat this challenge. Constant training is required to keep ahead of the curve in the cyber world, and this is a good step towards getting NATO ops up to speed.

NATO does deal with cyber-attacks daily and has a good track record so far, and while NATO keeps building its systems, nations are expected to enhance theirs as well. Private sector interests are a key element here: NATO has started dialogue with close to 1500 companies in order to improve its capabilities and supply chain defences, and allow allies to learn from industry. While it is true that many computer systems fall under the big three – Microsoft, Apple and Linux – two of these are public companies and one more a collective effort; much of data security is also dealt with privately through companies providing virus defence, firewalls, and other services.

The question here emerges: “is it better to outsource these services, or keep parts in-house?” Private companies work well in plugging the holes and dealing with day-to-day cyber threats. These companies have the know-how, but does NATO need its own ‘software company’ to take charge of mandating cyber safety? Dialogue is the first step in “building an alliance with Industry, and the key is building trust – to share sensitive information in order to respond to threats,” said Koen Gijsbers, General Manager of the NATO Communications and Information Agency. How this trust evolves remains to be seen. Private sector interests can help assemble a network or a set of tools that can fit any digital solution in use in NATO today. But my concern remains: how many systems are we, in fact, talking about? A more over-arching solution from private sector interests seems preferable – and individualised solutions from local companies would make for faster application, but as Gijsbers states, it all boils down to trust.

Malingering Questions

The seminal question in the NATO cyber security discussion is – and forever will be: “what do we do with the building once it’s already on fire?” What are my responsibilities to others around me, or towards the owner of the burning building? There’s been a great deal of discussion, for sure, the corpus of research is growing, but the position stands: strategy and capability only seem to develop in parallel to private sector counterparts. In cyber terms, Article 5 requires a ‘large scale’ attack and that might not be enough for more than a defensive action, rather than an effective counter-strike. How far is NATO willing to go in the domain of full-on cyber war? We just don’t know. The problem is that, so long as it envisions its role as peace-keeper, NATO will not be positioned to even think ‘large scale’.

 

Feature photo / “Computer Keyboard, c. 2013” – MoD Defence Imagery, 2014

DefRep’s Analysis is a multi-format blog that is based on opinions, insights and dedicated research from DefRep editorial staff and writers. The analyses expressed here are the author’s own and are separate from DefRep reports, which are based on independent and objective reporting.

By Timo Mustonen

Timo is a former soldier turned academic. He has achieved a Master's in International Politics with Intelligence and Strategic Studies from Aberystwyth University in Wales and holds a Bachelor's degree from the same university. Timo has worked his way through both public and private sectors all over the European political sphere, from governments to think tanks, consultancies and EU regional policy agencies. He currently works as an analyst for Defence Report, as well as an analyst for a Finnish innovation consultancy on EU matters. Timo can be contacted at: [email protected]