November 15, 2017
NATO Takes Another Square on the Cyber Chessboard
By Kenneth Geers
Last week, on November 10, NATO defense ministers endorsed a set of principles outlining how the Alliance can integrate the cyber capabilities of its member states into Alliance military operations. Most significantly, NATO Secretary General Jens Stoltenberg announced the creation of a new Cyber Operations Centre to help NATO defend cyberspace as a military domain as it has defended allies on land, sea, and in the air since the beginning of the Cold War.
Computer network operations typically do not kill anyone—at least not directly—and as a result, national security decision makers have been unsure how best to defeat them, or whether they have the capability and authority to do so. Traditional concepts like deterrence, arms control, and armed attack must be updated for the Internet era. Conventional military defense is stronger within the context of an alliance, therefore cyber defenses will be as well.
However, because the geography of cyberspace is difficult to conceptualize, and because every cyberattack seems to come in a new form, it will be difficult to find an international consensus. NATO’s new Cyber Operations Center is a necessary step forward.
This move has been a long time coming. Ten years ago, the relocation of a Soviet war memorial in Estonia precipitated a country-wide cyberattack that WIRED Magazine titled “Web War One.” Tallinn is a small city, and the cyberattack which took place in 2007 was not the biggest or most sophisticated hack in history. However, for national security decision makers, the incident tied together two important concepts: 1) modern society had grown more dependent on information technology than we knew, and 2) geopolitical conflicts were spilling over into cyberspace. Adding to the degree of complexity was the fact that no one could prove if the culprit were a government or a non-state actor.
Long before the Tallinn attack, in the 1980s, it was already clear to observers that computer network operations were capable of stealing classified information. However, in 1999, during its air campaign over Serbia, NATO Headquarters tasted digital operations of a different sort: a cyber war prototype, in the form of an onslaught of virus-laden spam. The viruses were overwhelming to the point that network support staff had to run out and buy new computers during the middle of an ongoing war.
Despite these incidents, in 2007 it still was not clear to most international relations analysts—or hackers—that cyberattacks could pose a national security threat. Thomas Rid, a professor of strategic studies at Johns Hopkins School of Advanced International Studies, even wrote a book called Cyber War Will Not Take Place in 2013. However, cyber war skeptics often lack experience in government, and failed to appreciate just how fast information technology conquered the world and changed our traditional notions of national sovereignty and law enforcement jurisdiction.
Consider the difference between Estonia in 2007 and Ukraine in 2014 (apart from their most important common denominator: Russia was behind both of the attacks). The first cyberattack focused primarily on knocking websites offline via distributed denial-of-service (DDOS) attacks. This incident had the potential to cause societal upheaval, but the attack was too limited in scope and duration. The second cyberattack in Ukraine facilitated military operations, undermined diplomacy, distributed propaganda, roiled social media, commandeered critical infrastructure, and in a missed warning to the United States made a mockery of the 2014 Ukrainian presidential election.
In the absence of a coordinated international response to repeated instances of cyberattacks, different countries have developed their own individual defenses. The United States created a Cyber Command (USCYBERCOM), which was quickly copied around the world, while the Shanghai Cooperation Organization (SCO), which encompasses Russia, China, and India, published an International Code of Conduct for Information Security. In an effort to bridge the gap, and to prevent a Cold War 2.0, the Organization for Security and Cooperation in Europe (OSCE) encourages both sides to adopt a series of Confidence Building Measures (CBMs) in cyberspace.
Over the past fifteen years, after law enforcement and counterintelligence agencies began to hire professional cybersecurity staff, the cyber war equation changed. In the 1980s and 1990s, the perpetrators behind cyberattacks remained anonymous, and the “attribution question” was paramount. Today, more detailed defenses and cyber countermeasures have given countries a pretty good idea of who is firing the cyber weapons, but the outstanding question now is what to do about it. It turns out that cyber war is more strategy than tactics.
Consequently, substantial and necessary progress on international cybersecurity will most likely come from within the European Union and NATO, the strongest political and military alliances on Earth. Why? Cybersecurity is an international problem that requires an international solution. The best way to move forward is in the context of an alliance. The collective power of more than two dozen national intelligence and law enforcement agencies can not only solve the attribution problem but also address a wide range of cyberattacks with credibility by proactively sharing intelligence and reactively conducting cyber investigations. In effect, they can expand the circle of trust, and shrink the room for bad actors to operate with impunity.
To this end, a limitation on cyber espionage within NATO will be a significant first step. The primary reason is that a cyberattack—or the malicious manipulation of data—is the evil twin of cyber espionage. The only difference between the two boils down to a few keystrokes.
The strength of the NATO alliance lies in its size and diversity. The physical location of computers still plays an important role in cyber defense; a number of NATO members are on the Mediterranean, while others border the Arctic Circle. Further, in the cyber realm small nations can punch well above their weight: Luxemburg only equips a few hundred traditional soldiers, but surely employs far more information technology (IT) security specialists than that in its legendary banking sector. Human capital and information technology both scale well.
For war-torn areas such as the Balkans, the very concept of cyberspace can be a unifying force for the future. Computer code, network protocols, operating systems, and applications are for the most part international creations that bring international rewards (and risks). Akin to railroad tracks in the nineteenth century, internet cables facilitate the free flow of people, goods, and ideas. Ultimately, no nation-state can withstand the power of information technology.
The challenges of cybersecurity must be addressed by a great international alliance. The movement of myriad actors in the realm of cyberspace resembles democracy far more than autocracy.
Ultimately, NATO cannot fight a twenty-first-century war with twentieth-century weapons. After so many destructive cyberattacks on governments and civil society around the world, every student, soldier, statesman, and spy should know that and act accordingly.
Kenneth Geers is a nonresident senior fellow with the Atlantic Council’s Cyber Statecraft Initiative and a senior research scientist at Comodo. You can follow him on Twitter @KennethGeers.