Cyber as a critical facilitator of the global world is well recognized and the concomitant importance of a safe and secure cyber system is equally understood. But the continued and highly successful attacks on cyber systems in recent years have undercut any sense of real security. Just to state a few: the US Department of Defense has publicly acknowledged intrusion into secure systems; the most knowledgeable information technology companies like Google have been successfully attacked; and key cyber security firms like RSA have similarly been penetrated. Critical infrastructure, such as the electric grid, has had its vulnerability demonstrated by the STUXNET virus, and WIKILEAKS has shown the power of the so-called insider threat.
In response to the very critical nature of the problem, NATO leaders to their credit have identified cyber as a key issue, most notably in the 2010 Lisbon Summit declaration and in 2011 the Alliance adopted a revised cyber security concept and associated action plan. But rather than develop a response that meets the magnitude of the issues, the NATO effort thus far has been bureaucratic and essentially ineffective. It has these limitations for three reasons: its “principal focus” is on the NATO networks, which are only a small portion of the networks on which the national forces that comprise NATO’s military arm rely; it undertakes to develop only “minimal requirements” for the national systems that constitute almost the entirety of the NATO military capability; and it offers to assist only “if requested” nations with respect to key critical infrastructure systems, such as the electric grid and telecommunications, that are as critical to military readiness as weapons systems and personnel.
This is a problem that can be fixed but it will take leadership and new methods of action. It will require changes in technical approaches to hardware and software as well as changes in organization, processes and personnel. It will require overcoming the technologists’ inclination to say the problem lies in the governance and organization of the cyber realm and the governance authorities’ tendency to look for a technological silver bullet. Both are required, and both are entirely doable. Specifically:
On the technical side, NATO needs to establish standards for resiliency—that is, the understanding that attackers may breach computer and network defenses but that operations must nonetheless successfully continue. There is no doubt that breaches must be anticipated—the vulnerabilities discussed above underscore the point. Resilience means that the networks can operate well enough despite such breaches.
From a technical perspective, there are existing techniques that can be deployed to accomplish resilience. These include methods, among others, of integrity assurance, redundancy, non-persistence, safe languages, and encryption. Requiring NATO networks to utilize machines and software with such capabilities is an imperative and a necessary prerequisite to cyber resilience.
But, as noted above, NATO networks themselves are only a small part of NATO’s capabilities. National military networks (including hardware and software in host machines and servers) also need to meet the much more significant standards that are required for resilience. If the national networks do not meet such standards, they will be a source of cyber attack and can be utilized to defeat NATO capabilities.
If national militaries cannot meet such standards and are a source of malware and other cyber issues, those networks would have to be cut off from NATO operations—and that would undercut NATO’s greatest strength, its interoperability. In the recent Libyan operation, aircraft from Belgium, Canada, Denmark, France, Italy, Norway, the United Kingdom, and the United States flew together but if one or more of those country’s networks had been infected, those nations could not have been included in NATO’s combined air operations unless resilience capabilities were present.
To achieve adequate resiliency will require going beyond the hardware and software of the host machines and servers. It will require that the networks themselves contribute to resiliency. Network operators have great understanding of what flows over their networks and the capacity to affect those flows. Accordingly, the Internet service providers—that is, the telecommunications companies—need to be part of the resiliency solution.
Moreover, since it will be impossible to assure security in the absence of electricity or telecommunications, those critical infrastructures must also have resilience capabilities. The telecommunications companies are, of course, the Internet service providers noted above but the multiplicity of electric power generators, transmitters and distributors is a vast and complex set of entities. Understanding the critical nature of these entities to security and their particular vulnerability to cyber attack underscores the need for a new paradigm to provide resilient security. Rather than a purely governmental focus, what will be necessary is a partnership between and among governments and private entities. Most obviously, since these sectors are not in any way under NATO’s guidance, there needs to be established a joint standards group with appropriate military and civilian authorities in Europe, the United States, and Canada.
Organizing the capacities of network operators and electric power entities to contribute to resilience is a new task. It has been discussed in numerous fora; various companies have taken such measures as they deem appropriate; and some useful but nonetheless insufficient standards have been developed such as by the North American Reliability Council in the United States which is the self-regulating group of electric transmission operators. None of these meets the magnitude of the problem.
However, to go beyond current efforts and achieve adequate resilience will require coordinated regulation by the NATO countries far beyond current approaches. It should be clearly recognized that the required legislative and regulatory authorities do not exist for the most part. And, beyond the authorities themselves, no concept of operations has been developed that meets both security needs and private sector requirements. All of this means that a new approach to cyber security will be necessary, one that is much more inclusive and require a combination of military, civilian governmental and private industry actions. The necessary rules extend beyond NATO’s authorities and will require national action entwined in an international governance approach.
Establishing the framework for such a coordinated cyber approach is a critical step for the transatlantic nations, and effective implementation will require continued high level attention. This will not be an easy task, but there are instances—for example the Basel accords in the financial arena—where such agreements have been created that affect both governmental and private operations. Such a step—call it the creation of an international Cyber Security Board—needs to be undertaken in the cyber arena also.
Franklin Kramer is a distinguished fellow at the Atlantic Council and a former Assistant Defense Secretary for International Affairs. This piece is based on his Atlantic Council publication ‘Transatlantic Nations and Global Security: Pivoting and Partnerships’ and is part of a series of New Atlanticist pieces on NATO’s 2012 Chicago Summit.