NATO needs continuous responses in cyberspace

President-Elect Joe Biden’s transition team has declared cyber threats as “one of the defining challenges of our time.” In its early days, the incoming US administration must take on cybersecurity threats as one of its key priorities. Nowhere will that effort be more important than with the United States’ closest Allies at NATO, a cornerstone for Western security. Today, NATO’s security is threatened by Russia’s and China’s continuous cyberattacks on the Alliance and its members. To accomplish its mission of deterrence and defense, NATO needs to implement a strategy of proactive, continuous responses to China and Russia in cyberspace, where great power competition is playing out in real time.

Russia and China challenge NATO and its members in cyberspace on a daily basis, as part of ongoing hybrid campaigns to undermine the transatlantic community. The Kremlin’s actions have involved intrusions into Allies’ critical infrastructures, manipulating Allies’ elections through hacks and disinformation, and even blocking GPS information critical to NATO activities. The Chinese government has engaged in cyber espionage against Allies’ military capabilities; intellectual property theft related to sensitive technologies, industries, and infrastructure; and disinformation against transatlantic countries, including around the coronavirus. These efforts to weaken NATO countries and Alliance cohesion represent a persistent threat to Allied security.

NATO has recognized the collective dangers of these hybrid attacks in cyberspace. Up to this point, however, the Alliance has taken a reactive approach, responding as if Russian and Chinese cyber attacks are each isolated incidents. But because Russian and Chinese cyber efforts are part of continuous campaigns directed at the overall capability of the Alliance, NATO’s response has been insufficient, failing to reduce or dissuade further attacks. To assure the security of its members going forward, NATO needs its own continuous response campaign to these threats.

President-elect Biden and his team have pledged to renew US leadership in cooperation with Allies and partners. That agenda should start at NATO, and a key focus should be on cybersecurity. In early NATO meetings, the Biden administration should champion a cybersecurity continuous-response campaign, built around three key actions.

First, NATO should require the development and implementation of resilient cybersecurity architectures for itself, its members’ forces, and its key critical infrastructures. A resilient cybersecurity architecture involves an integrated set of capabilities that work as a system to reduce the disruptive effects of cyber adversaries. Key elements of a resilient architecture should include use of private sector cloud technology; zero-trust architecture for effective access management; development of secure hardware capabilities; and machine-learning and artificial-intelligence-augmented cyber defenses. This architecture also needs to be flexible to incorporate emerging technologies as they are developed.

NATO itself cannot develop such architectures. It can, however, underscore their necessity and require its members to do so, using the NATO Defense Planning Process (NDPP), acquisition procedures, standards and targets, and innovation from Allied Command Transformation to support a comprehensive research and development effort. In establishing requirements for these resilient architectures, NATO must recognize that one size will not fit all. Not only will requirements differ among military, government, and critical infrastructure operators, but, as has been shown in the development of autonomous vehicles and space capabilities, there are a variety of different approaches that may prove effective. In fact, having diversity within these capabilities will increase resilience by complicating adversaries’ abilities to infiltrate and attack them.

Second, NATO, in coordination with its nations, should undertake active cyber defense. Even the best exclusionary capabilities in a cybersecurity resilient architecture can fail due to technical loopholes or human error. As a result, the Alliance needs “active cyber defenses” that can create resilience even when an attacker has breached cyber protections. These capabilities affect only those networks in which operators and owners have installed them and are not for offensive purposes. As the US National Security Agency explains, key elements of active defense capacities include “real-time communications,…sensors that report data on the current state of the network, sense-making analytics to understand the current state, automated decision-making to decide how to react to current state information, and capabilities to act on those decisions to defend the network.” NATO should include such active defense capabilities as a requirement of an overall resilient cybersecurity architecture.

As a key element of active cyber defense, NATO must be capable of hunting for adversaries within cyber systems critical to defense. The Alliance should develop highly capable expert hunt teams to review system activities, detect anomalies, and defeat intruders, for example by deleting malware and closing unnecessary ports. NATO can significantly enhance Allies’ active defense efforts by establishing an NDPP requirement for national cybersecurity hunt teams, along with command arrangements for those teams in both hybrid and Article 5 contingencies. It should also establish several NATO Standing Cybersecurity Hunt Teams that would operate with the consent and active partnership of national governments and critical infrastructure network operators. As Microsoft has explained the role of hunt teams, Standing Cybersecurity Hunt Teams, acting in conjunction with national capabilities, can contest the continuous cyber campaigns of Russia and China. According to the US Department of Homeland Security, such hunt teams can conduct deep technical analyses of live networks to identify “previously unobserved threats.” Standing Cybersecurity Hunt Teams, with a focus on active defense, would expand on the capabilities of NATO’s current Cyber Rapid Reaction teams, which are limited in numbers and operate reactively.

While the cybersecurity of infrastructure and government systems is a national responsibility, a breach of cybersecurity at the national level can have collective consequences. Standing Cybersecurity Hunt Teams can be a capability, as well as connective tissue, to identify and mitigate cyber threats across national boundaries and enhance NATO’s collective defense. Standing Cybersecurity Hunt Teams would be able to utilize information and experience gained from contesting Russian and Chinese cyber-attacks against one ally in the defense of others. A Standing Cybersecurity Hunt Team can also serve in a capacity-building role to help allied nations develop their own cyber capabilities, for example, in conjunction with the NATO Cooperative Cyber Defense Center of Excellence.

Third, NATO should coordinate a strategy of persistent engagement to reduce Russian and Chinese activities to undercut the Alliance in cyberspace. The concept of persistent engagement was developed by US Cyber Command, but the rationale likewise applies to NATO, deriving from the need to combat the continuous campaigns of cyberattacks coming from Russia and China. Persistent engagement involves tracking adversaries, understanding their goals, analyzing the tools used for attacks, and taking actions to degrade their capabilities to blunt ongoing, or prevent future, attacks. The Alliance needs a persistent engagement cyber strategy as a key element of its deterrence and defense.

Customary international law, including the law of countermeasures, pleas of necessity, and other cyber norms, provides the international legal basis for a strategy of persistent engagement. Because NATO Allies have already been attacked and are continuously being targeted by these adversaries, offensive actions to counter such activities are justified, as long as they are conducted proportionately. While persistent engagement arguably could increase instability in cyberspace, Alliance inaction is far more dangerous. If Russia and China perceive no consequences to their malign actions in cyberspace, they will only continue and even intensify them.

Inasmuch as NATO capabilities generally reside in nations, NATO nations are the appropriate vehicle to implement persistent engagement. However, many Allies lack the capacity to undertake persistent engagement on their own. As a result, NATO should leverage its collective nature to help Allies coordinate a strategy of persistent engagement. NATO should focus its persistent engagement efforts in three areas of high consequence to member nations: 1) disruptions of key critical infrastructure (e.g. electric grids, telecommunications networks, energy pipelines, and finance systems); 2) cyber espionage to undermine NATO military capabilities and advanced defense technologies; and 3) manipulation of Allies’ democratic processes, such as elections. NATO support to Allies in these areas is fundamental to its core task of collective defense and security.

To accomplish persistent engagement effectively in an Alliance context, NATO should leverage its intelligence and defense planning capacities to develop a system for Allies to constantly track cyber threats from Russia and China. Through its Intelligence and Security division, NATO should gather intelligence on which Allied critical infrastructure, military capabilities, or democratic processes are being targeted. Using this information, NATO’s Cyberspace Operations Center (CYOC) could outline ways to diminish Russian and Chinese capabilities to execute such attacks. The CYOC should share its analyses with pre-designated Allies who would work with targeted countries and employ their own cyber effects against the identified threats. Nine NATO nations have already volunteered to provide such effects in support of NATO activities. These cyber-capable Allies would be responsible for persistently disrupting adversaries’ cyber activities based on NATO’s guidance. This model would make NATO’s CYOC a planning hub for an Alliance-wide approach to persistent engagement. It would allow NATO to empower its members to take individual or multilateral actions against adversaries’ hybrid campaigns in cyberspace.

While NATO remains a defensive alliance, waiting to respond to each cyber incident it suffers will cost NATO the “fight” in cyberspace. Facing continuous hybrid campaigns from Russia and China, NATO needs a more proactive cyber approach to support Allies, even before the Article 5 collective defense threshold is met. By building resilient cybersecurity architectures, adopting active cyber defense, and coordinating a strategy of persistent engagement, the Alliance can create its own continuous response campaign to effectively respond to attacks in cyberspace.

This article was also published in the Center for European Policy Analysis’ blog Europe’s Edge.

Franklin D. Kramer is a distinguished fellow with the Scowcroft Center for Strategy and Security and a board director of the Atlantic Council.

Lauren M. Speranza is director of Transatlantic Defense and Security at the Center for European Policy Analysis (CEPA).

Conor Rodihan is an assistant director in the Scowcroft Center for Strategy and Security’s Transatlantic Security Initiative.

Image: A woman looks at the screens during the Locked Shields, cyber defence exercise organized by NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia April 10, 2019. REUTERS/Ints Kalnins