February 27, 2012
Transcript: Transforming Toward a Smarter Alliance - NATO's Role in Cyber Security
Welcome and Moderator:
Barry Pavel,
Director of International Security Program, Atlantic Council
Panelists:
Leendert Van Bochoven,
NATO and European Defense Leader, IBM
Harriet P. Pearson,
Vice President Security Counsel and Chief Privacy Officer, IBM
Jason Healey,
Director of Cyber Statecraft Initiative, Atlantic Council
Date: Monday, February 27, 2012
Federal News Service
BARRY PAVEL: Good morning, everyone, and welcome to the Atlantic Council. If you’re expecting Billy Crystal then you’re in the wrong place. (Laughter.) I’m Barry Pavel, the director of the International Security Program here, and the director designate of the Brent Scowcroft Center on International Security when it launches later this year. It’s great to see you all here for this panel discussion on a new Atlantic Council issue brief on NATO and cybersecurity which provides actionable recommendations on NATO’s current and future role in this very important domain.
The recently adopted NATO cyberdefense policy and action plan is by far the most important step that the alliance has taken to mature its cyber capabilities and its cyber approach. There is an increased recognition that the growing sophistication of cyber activities, including threats, intrusions, attacks, what have you, makes the protection of the alliance’s information and communications systems an urgent task for NATO. And because of this growing pattern, we think this event is very timely.
Today’s discussion is part of the council’s smarter alliance initiative in partnership with IBM. This initiative was established in response initially to the NATO secretary-general’s call for European allies to adopt a smarter approach to leveraging scarce defense resources, to develop and sustain the capabilities necessary to meet current challenges and also to meet future challenges. If you haven’t heard of smart defense, then you’ll be – certainly be hearing more about it in the next few months in the run-up to the NATO Chicago summit.
The first part of this project culminated last December. We had a conference here on December 7th where we launched a series of issue briefs on NATO’s own organizational processes and structures and the need for reform, borrowing lessons from the private practice wherever possible, and essentially transforming NATO’s structure to make it more relevant, more effective, more efficient. We can certainly make those issue briefs available if you haven’t seen those. And we considered those also crucial for NATO’s continuing role as a guarantor of trans-Atlantic security.
Today’s event is a continuation of that effort and the unique platform that we have created between – for collaboration between the Atlantic Council’s experts and IBM, which has enabled us to provide NATO, and the security community more broadly, with a unique combination of think tank insights and industry insights, which we think is particularly relevant to our security challenges, but in particular to cybersecurity, which you’ll hear a lot about today and which will be our focus.
So I’d like to thank IBM for their substantive and very productive partnership in support of this initiative, and particularly to my colleague Leendert Van Bochoven, who you’ll hear from very shortly. He’s the NATO and European defense leader at IBM. And I wanted to thank him for his leadership and his assistance on this timely and very important effort.
Our collaboration with IBM has also expanded beyond the smarter alliance initiative. Together with the Brussels-based security and defense agenda, IBM and other partners, we are also part of this year’s edition of what’s called the Security Jam, which is a very interesting virtual and interactive online conference that brings together thousands of global security stakeholders, representatives of national governments, of militaries, international institutions, think tanks, industry and the media – all online collectively looking for solutions to some of our most pressing security issues.
This year’s version of the Security Jam will take place on March 19th to 23rd. I strongly recommend your participation. It’s a very interesting set of interactions which I know I benefited from, and I’m certain that you would as well. And the recommendations from that jam will be presented to the NATO and European Union leaders ahead of the May 2012 Chicago summit. You can find more information about the jam and about the smarter alliance initiative on the Atlantic Council’s website, acus.org, where you can also find the issue brief that is available today on NATO’s cyber capabilities, which you’ll hear about during the panel.
So without further ado, I’d like to hand the floor to Leendert Van Bochoven to also introduce the panel.
LEENDERT VAN BOCHOVEN: Thank you very much, Barry, for the very kind introduction. Ladies and gentlemen, again, a warm welcome also on behalf of IBM; we’re very pleased that you’re here. And again, like last time in December, unfortunately it’s standing room even for some of the people in the back of the room. I apologize for that, but I think it’s drawing a crowd for some reason. So I’m very pleased with this turnout here today. And I hope – I’m looking forward to a very interactive dialogue here about this initiative between the Atlantic Council and IBM to talk about the Smarter Alliance Initiative.
In May – or in November 2008 it was, we launched the Smarter Planet campaign. And that was talking about three sweeping trends that are happening around the world right now. And the first one is that everything is getting instrumented. We see instrumentation everywhere. Second thing is that things are getting interconnected. And the third thing is that a lot of intelligence is being infused in systems.
We see these three sweeping trends around the globe, and I think they equally apply to cyberdefense or to the cyberspace. In fact, sometimes we say, it is the soft underbelly, so to say, of the smarter planet strategy is you also have to defend it, because if you connect everything together you have to defend it properly as well.
We think this dovetails very nicely with the smart defense concept that the secretary-general launched last February at the Munich security conference, where he talked about prioritization, cooperation, and specialization. Because that ultimately requires a way to collaborate, and we think that that’s the – (inaudible) – and the Smarter Planet strategy. So the Smarter Planet approach, we think, directly supports the smart defense initiative.
Cyberdefense is one of the top issues that NATO’s faced with right now. As you’ve seen, there’s an emerging security challenges division, there’s been – and Ambassador Iklody has been appointed to lead that. So cyberdefense clearly is ranking very high on the agenda of NATO. So the focus of today will be about some of the recommendations that we’ve worked on together with Atlantic Council with Jason Healey.
Following this paper here, we’ll have two more papers that will come out in the coming period. The first one will be early warning and detection – how to really spot what’s going on and what role does NATO play in early warning and detection – that’s the first one. The second one will be about collaboration with EU and NATO, which we believe is fundamental, and the second one is NATO public sector collaboration – or, sorry, private sector collaboration as another topic. So two more papers to follow.
And Barry already introduced the Security Jam, which will be happening end of March. I strongly encourage you to join that because cyberdefense (will/we’ll ?) be featuring as one of the key forums in that Security Jam. So without any further introductions, I’m leaving the floor to you.
MR. PAVEL: Let me briefly introduce my panelists here, whom you’ll be hearing from. I’ve already introduced Leendert; he’ll join us during the Q-and-A session. I’d also like to introduce our very own Jason Healey, who is director of the council’s Cyber Statecraft Initiative, and Harriet Pearson, who is vice president, security counsel and chief privacy officer at the IBM Corporation.
Harriet Pearson leads IBM’s global engagement in public policy and industry initiatives relative to cybersecurity, data security and privacy. She currently serves on the executive committee of the Center for Information Policy Leadership and the advisory boards of the Electronic Privacy Information Center and the Future of Privacy Forum. In 2007, Harriet was recognized with the Vanguard award, which is given annually to professionals who exemplify leadership and innovation in the field of privacy.
Jason has been with the council since April 2011, when we launched our Cyber Statecraft Initiative. And under his leadership, the initiative has been actively fostering international cooperation and understanding of new forms of conflict and cooperation in cyberspace. The initiative will mark its first year in April, and we’re pleased to see that this effort has become a well-established platform within the council’s international security program on dealing with the emerging cyber challenges that we’ll be discussing today.
Jason has unique experience working on issues of cyber conflict and security, spanning the public and private sectors. He’s served time at the White House, 2003 to 2005, as the director for cyberinfrastructure protection, and also worked for Goldman Sachs as an – and as an executive director in Hong Kong he managed Asia-wide business continuity and created the bank’s regional crisis management capabilities to respond to earthquakes, tsunamis, terrorist attacks, et cetera. He is a prolific writer and commentator on issues of cyberdefense and conflict.
We’re pleased to have both of you with us here today. And without further ado, I’ll give the floor to Jason to kick us off.
JASON HEALEY: Great, thank you very much. So for NATO and cyber – it was difficult when we started to look at this paper because there were so many different ideas out there that we wanted to capture, but it also seemed that sometimes there weren’t any really good sources to try and get it from, that you – that you had to go around to all these different trees to pick the different fruits to put it together. So one of the reasons why we wrote this as we did, was so that coming up to the Chicago summit, we’ve got all of those fruits in one basket for – so for everyone here, hopefully, you can come to one place and find out what you’re going to need coming up to the Chicago summit.
We put a few different things in here. For us, it’s very important to look at where we came from for cyber. It’s not relatively new, I mean, for NATO and cyber it goes all the way back to 1999, if not before, in allied force, when there were significant cyberattacks against NATO. And the paper helps put that into context. The paper also looks at the cyber present for NATO. Where are we right now? What policies are in place? What organizations are there?
And you’ll see in that section that right now the most important thing for NATO in cyber is getting the basics right. So there’s talk about other fancy things that – (audio break) – cyber, but – and I think this is very appropriate – NATO is saying: No, we must defend our own systems first. Before we start thinking what’s going on in individual countries, before we start thinking about offense or anything else, let’s make sure people can’t break into our own systems as a start.
So sticking to the basics is, I think, a very, very wise strategy. And I think the – (audio break) – main goal coming out of the – (audio break) – make sure we live up to the commitments that we made in the previous summit – the Lisbon summit – that set that out as a goal. So if I have one thing that I would like to see come out of Chicago, is everyone sticks to the plan and keeps it funded for NATO’s cybersecurity, to defend their own systems, and that the nations and NATO headquarters are following up on that.
In addition, there’s some other smaller things that we might look at. For example, cyber norms has been a very important issue over the last year. I can talk about that later, but I think NATO coming out of Chicago summit could start laying out some of these cyber norms about which ones will apply to NATO cyber operations.
There’s a few other ideas in the paper on how we might start thinking about offense and how that fits into NATO overall. And the answer is, offense fits somewhat awkwardly into NATO’s structure, and that’s OK. It’s new, it’s sensitive, it’s highly classified, but there are some practical suggestions in the paper.
And last, I’ll just mention Article 5, cyber and NATO, gets a lot of discussion. I, frankly, don’t even think it’s that interesting a question anymore. And we lay out in the paper why. The criteria of how we would apply Article 5 is, I think, relatively straightforward. Whether we politically do or – of course, different nations are going to argue about whether the criteria apply and how. And we can get into that when we – when we’re into the questions and answer session here, if you’d like. Thank you very much.
MR. PAVEL: Thank you very much, Jay (sp). Harriet?
HARRIET PEARSON: Thank you. And thank you, again, for allowing us at IBM to partner with the Atlantic Council on the document and on the project. I have the privilege of having one leg in an operational context, working on cyber-related aspects for a large, international organization, IBM, and on the other foot working and interacting with leaders in policy and government and other areas on these issues of cybersecurity and privacy. And, you know, the two go together – they have to. And I think one of the greatest challenges of our society is to somehow pull them together so that they complement one another as issues and as we resolve these tensions and aspects.
As we worked through this paper we really tried to bring a very practical and operational bent and a contribution to what I think could be a very complex subject. NATO as an institution, obviously, is highly complex as an operational institution and as a political entity. And if you look at the challenges of securing its own operations, it’s actually quite formidable. And I’ll make a couple of observations to add on top of Jason’s as to the basics here, based on practical experience in looking at other organizations and also working on our own.
What we do is look at strategy, execution and, importantly, collaboration as an enabler of both of those elements. In terms of strategy, what I’ve understood from my own visits with NATO and officials and the briefings that we’ve had over the years, is that NATO has a strategy. NATO has enunciated a strategy here. And one of the key elements is to keep it simple, to keep it focused and to ensure that there’s a buy-in from the stakeholders, and that the senior-most architects of that strategy – the leadership level, political level and below – have a sense of what it takes to execute.
All too often, we have seen that there is a divide between those who get what it takes to execute and take the – what it get – takes to collaborate and make it happen, and then the levels that have the direction in mind but don’t – because it’s so new, because this area is dynamic and complex and involves so many different disciplines, you don’t have as crisp of a tie-in as you might in other areas of defense. So one of the lessons learned and the elements in this document and the proposals that we’ve made, is to make sure that there is a tight linkage between that operational level and the political or more senior level that it’s charting out overall strategy and resource allocations.
This is a journey, we all know. It’s not an end point. You don’t secure something and then move on in the cybersecurity context, just as it probably doesn’t happen in other contexts. Why? Because the technology is too dynamic. The environment is too dynamic. And things are moving – just moving and changing. And so you must have it as a journey. So that first point on strategy – strategy being linked to execution at operational levels – we think is very key.
Second area, around execution and kind of operational, is this notion of having a long-term focus. The first – you know, it’s not that sexy, and I’m not – to your Billy Crystal joke, I’m no Angelina Jolie. I’m not here to say anything about something exciting or that interesting, I think, in terms of talking about execution. You can smile, it’s OK.
The point about long-term focus and starting with the basics is if you fail to – if you have a house or a premise, if you fail to secure your front door or leave your garage door open, you can never aspire to accomplish the goals that you’re seeking. And it becomes as important as that, to take the precautions that are necessary.
We talk in our organization about – not very fancy. I mean, I think in – referencing in this paper is a reference to ISO standards and other kinds of standards, which are important. Global approaches that are accepted and known to be effective in building that fundamental defense are good. But, you know what, you even simplify it further in order to translate between the operational level and the strategic level – simplify it further.
We talk about 10 essential practices. In a sense, what those 10 essential practices are doesn’t make a difference, as long as they follow a certain set of expected ones. One of the most important, actually, and one that I think resonates in this town and in this kind of an audience is the one about culture and having an awareness of what the risk is and having that communication and then endorsing and having every single person in an organization follow the plan – know the priorities, follow the plan, and be incented to do it.
And one of the most important things we’ve seen any organization that does this well, is to build that culture, which goes back to that strategy tie-in. So having that execution plan, knowing it’s a long-term journey, having the senior management support and having that emphasis on culture, and then the elements of the technology and the process changes that need to happen will make it – will make it progress.
And the final point on the – on these three is collaboration – the importance of collaboration. And on that front, what I think are two very important areas of collaboration in the NATO environment are – one is – with the physical context in Europe, one is collaboration with the European Union. Given the location of many of the NATO operations, is to focus on enhancing and building that tie-in to the geography and the institutions – the nations that represent that geography because of the physical reality of what needs to happen.
And the second area of collaboration really is with the private sector. And I think, Leendert, you mentioned that we will be having a focus to explicate that a little bit more. This notion of the private sector playing a role here obviously is very important when you think about critical infrastructure protection in the civilian context. It’s very unclear what that really means in the – in the – in the – in a more defense area, although there clearly is some kind of a role here. And I think various nations are working through that. I think in the U.S. itself there’s a robust debate happening right now around information sharing.
There are all sorts of policy and legal considerations to get through, not the least of which is privacy but there are also others. I think – I see in the audience here one – a leader of an – of an effort we have launching in the United States around the legal community getting together along with technical leaders and others to explain and explore what the legal issues are and how to summarize them so that we can understand them and work through them, perhaps with new methods and new – maybe even new policy to help out with things like liability issues or antitrust issues, those sorts of things. Take that into the international context with NATO, and you get a different set of issues – but again a very complex set of considerations that go into how do you enable collaboration to occur with the private sector?
So I leave you with those couple of thoughts on what kind of practical insights we added to the Atlantic Council’s scholarship here, that inform the document here. And with that, I’ll hand it back over to you.
MR. PAVEL: Thanks very much, Harriet. I invite Leendert Van Bochoven on to the stage as we go into discussion. Your two interventions were very, very helpful for understanding the insights from the issue brief, but they raise a boatload of questions. And I can’t resist just asking, you know, at least one or two first, and then we’ll open it up to the audience for discussion.
But what – the type – the complexity of the problem that you outlined is, to me, just enormous, where you have, even on a national basis, trying to – trying to put the public together with the private, trying to stay ahead of the cyber challenges that even organizations as can-do and effective as the U.S. Defense Department are having a hard time coping with. We also have pronouncements out of senior officials talking about a cyber Pearl Harbor, in addition to the ongoing espionage and intrusions and other types of activities.
And so the question of sort of taking this and applying this problem into the NATO context, where you have at least 28 different cultures, 28 different nations, an organization that arguably doesn’t move as quickly or as nimbly as the national organizations that constitute the members’ representatives there. I mean, what’s your sort of no-kidding, most important priority recommendation for how NATO can sort of begin to get a handle on dealing with these two – dealing with these challenges? I mean, if you had to sort of (neck ?) it down, how can they – how can they deal with this?
MR. HEALEY: The – an IBMer that isn’t here today that had – that expressed it the way that I really liked, Dan Prieto, says: Boy, you got to unpack it. And it’s one of the reasons why we’re still asking the same questions in cyber that we were 15 years ago when I got started. And you have to unpack the issues, because cyber issues can get incredibly complex really fast.
But they don’t have to be. A lot of times you get into a conversation about, for example, what future cyberconflicts might be like or if – can you figure out, if there was a large cyberattack, who was behind it. And there’ll always be a number of people that say, yes, but you may never know that, you may never be able to figure out X, Y, or Z; or you may never be able to defend against it, or – and by unpacking the issues is to just say, yes, but maybe you can. And all too often in cyber, we drive ourselves down into these discussions that have no solutions, without realizing, well, no, there’s this big part up here that do have solutions if we just don’t get caught up in all of the exceptions.
So my main recommendation to NATO – (chuckles) – for the United States, for any of the countries or organizations represented here is unpack them. Take the issues one at a time. Yes, there’s going to be overlap – deal with that later. Yes, there are going to be exceptions. Don’t let those distract you. For example, yes, you may not know if a country was really – ordered this attack to happen. And maybe the attack seemed like it came from 170 different places. But we know what happened to Estonia, see, some here. And we know that it was at least encouraged by Russia. You don’t have to get tied up into all the forensic details of how many packets there were and how many countries there were. Sometimes it really can be simple. And that – we forget that far, far too often.
MS. PEARSON: Another – I don’t know who said it first, so I don’t know how to give credit to it, but somebody I know or read about talked about how leadership is part – part of leadership – a really important part of leadership is describing the reality as it exists and then making the actions – or making it simple enough so that you figure out what the actions ought to be. And so I’m – maybe I’m conflating on a couple of different sayings here, but you get the idea, right? So it’s – leadership is seeing the world as it is, and then identifying a simple enough set of actions to take to make progress.
And I agree with you, Jason, I think the – and I’ve only come to the cybersecurity field for several years now – I think part of the reason or part of the way to make progress is to do just that. And whether it’s in the United States where, you know, we, for example, have kind of said if you get consensus on a few key issues, go forward with those two issues when you’re talking about legislation, for example. There’s no reason to try to solve the entire issue in all of its 500 forms. Make progress on the – on the – on the issues that have the consensus, because this issue is going to be around with us for quite a while. The – it’s part of, you know, the maturation of the – of the infrastructures of the world in whatever industry that you’re in, including government but also all the critical industries – the maturation of those sectors to include, you know, pervasive instrumentation and all the stuff that’s happening that most of us probably aren’t technical here, but all this is happening. I mean, it’s actually happening. All of that will require engineering process, culture, policy, legal changes that enable the proper degree of risk management. And at a societal level, getting that right is going to be a journey of many steps.
So I think the only suggestion I would have on how to take something like this and make it – make it work is to just to identify those few steps and not to get discouraged, which I think is a goal – is a – is a task of leadership, again, is to – is to keep it – keep it moving.
MR. PAVEL: Thank you very much. Leendert?
MR. VAN BOCHOVEN: Yeah. Maybe one point to build on that; I think as part of that leadership, it’s very important what you call something, I mean, what’s a name you put on this. And so if you look at the original concept that NATO implemented in cyberdefense, it’s called the IOC, Initial Operational Capability. And guess what? We’re now doing the Full Operational Capability. So – but that doesn’t mean that’s the end station here. So it’s in fact – it’s a misnomer. Right now they’re scaling up their capabilities to a level where you can basically defend your own networks. But that’s – but (then ?) certainly not the ultimate (good end all ?) of this – of this operation here. So it’s a – the Full Operational Capability is certainly not the (good-all ?), end-all to cyberdefense. So it’s important what you call things. I think that’s an important lesson that needs to go into the Chicago summit as well, that people will stay the course and will actually help NATO to progress cyberdefense.
MR. PAVEL: Thanks, Leendert. I think we can open it up to questions from the audience if any of you have them.
Yes, in the second row here.
Q: Kerry Murphy (sp), here –
MR. PAVEL: Microphone’s coming.
Q: Kerry Murphy (sp). I’m with the Atlantic Council, but I’m – I’ve also spent 25 years doing export controls in tech transfer, and I think I know – well, GE – IBM quite well, as well as GE and a number of other companies. And I wish to commend you for your leadership. I think it’s a huge step forward to bring into these policy discussions these corporations which are miles ahead of government – miles ahead of government in many, many areas, including your Washington office and that of many, many other big companies. So I think your leadership is really terrific. And if you take that as a softball question, if you’d like to point to a few other companies that are like you, I think it would help broaden this beyond what we call the policy wonks.
MS. PEARSON: You’re not a plant.
Q: No, I’m not. (Laughter.)
MS. PEARSON: But –
Q: But I am a fan.
MS. PEARSON: Well, that’s very nice. Thank you very much. I think – this is – you know, collaboration, particularly in the current era – you know, collaboration in an environment that’s really – everyone’s running lean, I mean, not only are we in an economically challenging environment, but the reality is that most institutions in the private sector are running leaner than they ever did before. And getting the bandwidth to engage on private-public partnerships is quite challenging to say the least. And that’s still though – I believe – personally, I believe – and I think institutionally that the single best way to make progress on some of the issues that require that kind of interlock and, you know, kind of really substantive engagement in the private sector, critical industries. So I think that’s (fair point ?).
Q: But I asked you for other companies – (inaudible) –
MR. : Oh.
MS. PEARSON: I think you’ll see it. I think the maturation of the issue is, I think, extending into more critical infrastructure players. And I think some of the developments in the United States have been, I think, quite helpful on that. You know, as the legislative cycles mature, I think there are more players coming into the – to the game.
MR. HEALEY: What really struck me – and a different way to answer your question – I was in the finance sector and was in the – vice chairman of the main information sharing group called the FS-ISAC. And it was amazing to me, in the early days, we said, all right, we need to share data fields. So to make sure that Morgan’s not getting hit by the same cyberattack as Goldman, as the same cyberattack of Bank of America and Citi, we need to share data fields. And there was no trust to share those data fields. And then we got together in Florida every six months and we had a lot of drinks together – (chuckles) – and – but getting together over those years, and it’s amazing to see – it only – that was – we started in probably 2001 with, you know, ‘99 the organization formed.
And it did not take very long at all, once people got to know each other, that you would have major cyber incidents, you know, big viruses hitting banks. And all of the things we thought would be important like anonymity – oh, banks aren’t going to want to let other banks know – did not matter. The banks would get on the phone with each other all of the time and say – one of my buddies was Australian: Oi, mate, this is really bad. We’re not sure we’re really going to make it. There was no anonymity, like everyone knew who the Aussie was on the call.
And now after a couple years of that, they said, great, let’s share data fields. And I don’t – I certainly suspect NATO is going to be on a very similar trajectory of everybody building the trust together, getting to know who the players are, what the countries are, having a few crises and that builds the trust together, doing some exercises so that you don’t have to have the crisis first to build some of that trust. And again, this goes back to ’99, so we should – we should maybe be farther along in the process than we are, but that’s OK. The Lisbon summit was a great step, and hopefully the Chicago summit will, too.
MS. PEARSON: But the – but the – but the rate and – but I would add, though, that the rate and pace of this has to pick up. I – the reality is that we are in a different threat environment. And those kinds of basic activities, the – you know, building the trust enough to share information about what’s already happened – are table stakes. (Soft laughter.) All organizations are – ought to be engaged somehow in that kind of an activity, particularly, you know, the larger, sophisticated organizations. And the next phase after that is to get, frankly, more – looking ahead, being more anticipatory as you’re able to, to figure out how to protect against threats even more. And that’s really the evolution here and the journey that we’re on, and why those basic foundations are so important to enable that to happen.
MR. : Which is going to be tougher, because we’re all leaner.
MS. PEARSON: Right. Well, yeah.
MR. PAVEL: We have two questions from the audience. We – already in line – we have one by email who’s listening on conference. And I just can’t help but go back at this one issue – (laughter) – because it’s a critical issue.
I’m from the culture – the government culture of, you know, keeping secrets. And especially in the cyber domain, lots of very classified activities and material – related materials. And so what types of platforms – I mean, I just don’t think we can wish this away on a national basis or – and certainly on a – on an alliance-wide basis. So what types of platforms or tools can be used to help NATO get past this 50-year-long culture of classification and secrecy and not sharing? How do we get to the trust place without just talking about it and hoping that it – that it will come about? Because it’s a critical question, I think, for public-private partnerships in a domain where there’s not a lot of – not been a lot of airing of what’s going on and not a lot of this history to date. And I don’t want to beat the dead horse if you think you’ve already addressed it, but I have to go back – (inaudible). Any of you on this question?
MR. HEALEY: The – I’ve got, you know, two very practical ideas. One – and it’s not – it’s not much reflected in this paper; it’ll be in the next one – much of what the information sharing and collaboration that NATO needs can be built up over years and trust, like I just mentioned. It can also be built up with a credit card.
If you need vulnerability information and threat intelligence on what is going on, you can get – talking about the unpacking and trying to make things simple – the vast bulk of what you need from companies that have managed security providers like IBM or Symantec or – and you don’t have to build up a great trust relationship; you can let your bank account build that up for you. So it’s a really good way to short cut a lot of the things that would get caught up in government committees for years that you can go out and you can – and can just start. A vast bulk of the capability is in the private sector, and you can get it by collaboration, you can get it by purchasing it.
Another idea is the government right now, especially the U.S., is vastly over-classifying much of what – much of what we need, particularly the signals intelligence establishment from where I originally came. Much of that is classified – for example, signatures of what an attack looks like, of what malicious software looks like – that doesn’t need to be classified, because it’s traveling – those malicious software are traveling over public networks. So a lot of the sources and methods concerns that the intelligence community have can probably be put aside, because if anyone has their malicious software gets found, it’s a public network. They’re not going to – they’re going to just assume that it got spotted rather than it got collected by some – by some kind of special collection platform that only nation-states would have.
So I would love to see more signatures get automatically declassified after 90 days. That gets shared into a clearinghouse. Symantec, McAfee, IBM, others that are collecting signatures can add into this, maybe even GCHQ and other intelligence agencies. You wash them around for 90 days, and then everybody gets to share. It’s a low cost of control to get – to get these out there – never going to happen without legislation, because I think this is just – the culture of classification is just too ensconced in the United States.
MR. PAVEL: One question – the fourth row, the gentleman in the dark coat, second over who asked first. Yes.
Sorry, Ambassador Bandler. You’re third on the list. (Laughter.) There’s one more – (inaudible) –
MR. : All right.
MR. PAVEL: You can be first. (Laughter.)
Q: However, it’ll all – it’ll all – all this information will come around. But cyber and drones – well, I think you remember maybe about a month ago or six weeks ago, we had some meetings about that at the museum. And there was a lot of interesting and important information that was there. And I think – so my question is, what is the state of the art now on drones? How does it – you know, where does it begin? Where is it going to end? Is it – is it got – has it got chemical? Has it got other kinds of even worse things? Is it potentially nuclear? I think that’s unlikely. But go into that subject.
MR. PAVEL: Why don’t we take a couple questions at a time? And the gentleman behind you, also. Thank you.
Q: Thank you very much. And thank you to all four of you for presenting a very interesting program and to Atlantic Council and IBM. I’m Dave Smith. I’m the director of the Potomac Institute Cyber Center.
Jason, you made a very interesting comment, which I assume was half true and half trying to provoke a question. So here’s the inevitable question about Article 5 – (chuckles) – you say it’s almost no longer interesting, but you said “almost no longer interesting.” So let me address this out to you, but anyone else who wants to comment – you know, it’s one thing to say that, well, they can make a decision – the 28 countries can make a decision in the North Atlantic Council to invoke Article 5 if they want to. And we don’t have to resolve these issues of, well, the treaty actually says armed conflict. But in some senses, you do, because large organizations, particularly international organizations, have a hard time dealing with things. And it seems to me that leaving the argument about whether something is tantamount to an armed conflict to the day that it happens is probably not very good.
So my first question is sort of what is the – what is – what is the policy agenda to keep working through those – considering those things, considering things like certain pre-delegated authorities that were, for example, recommended by the Madeleine Albright commission but then didn’t appear in the new strategic concept?
And the second question is related. A lot of the value of Article 5 was not the implementation the day after 9/11. It was all of those years where we never implemented it because it had a deterrent value and, in fact, sometimes overstated what the treaty actually said. I mean, people used to say: We will go to war. The treaty actually doesn’t say that. But how do we – how do we work through these issues to the point where we actually can try to achieve in cyber some deterrent value from Article 5 that we had in the kinetic world, and I think we’d like to have now?
Thanks very much.
MR. PAVEL: So I’m going to cap it there. So we’re talking about sort of how vulnerable are we to drones, what’s the article – nature of the Article 5 threat. And if I can even just be more specific, at the Munich Security Conference, we had former CIA Director General Michael Hayden saying that last year, I believe it was, when the Stuxnet virus was unleashed and actually affected physical activities in a very significant way in Iran, he said it was the birth of a new class of weapons, and everything should change in light of our view of cyber. And so if I could just make sure you address that in the same context.
MR. HEALEY: I’ll look – since we’re here for cyber today, it’s interesting to me the – an overlooked area of cyber and drones, I think, is that one of the important nature of drones isn’t just that they are – you know, they don’t – you know, they may be in how they’re being used today – one of the important aspects of how drones are getting used today has been the – there’s no longer a confined battlefield, that the U.S. has been taking the legal position that when a terrorist who is a sworn adversary of the United States is in Afghanistan, they are on the battlefield.
But if that sworn adversary happens to be in Yemen or some other place, they take the battlefield with them, because they are a sworn adversary, and that’s their decision and the way that they want to operate. So therefore, if we drone them when they happen to be away from the defined battlefield of – say of Afghanistan, then that is OK, because they’re taking the battlefield with them.
And it’s interesting – I think you’re going to start seeing that – that redefinition of geography, of what’s the geographic battlefield, that it’s no longer the single country or the single theater of war; it’s wherever the adversary happens to be that happens to be one of the – one of the sworn, you know, participants in that war. You’re going to see that start getting applied to cyber, that you can have – cyber is very good at, like, terrorism redefining geography in a new way. Look at the cloud. The cloud is taking things that had been confined to one geographic area and now dispersing that, centralizing it all in different ways.
So just as drones have challenged our traditional map-thinking of geography, I think you’re also going to find cyberconflict, whether that’s national security conflict like we’re talking about here or conflict over content or intellectual property rights, really defining geography in a – in a similar but probably quite different way.
Now, Banning Garrett here at the Atlantic Council runs our Strategic Foresight Initiative and has done already some events on this redefining geography and how geography is going to be different in the next couple of decades. So I think – are we doing a publication on that or on the geography?
MR. : It’s coming, yeah.
MR. HEALEY: OK. Good.
As far as, Dave, your question, in the Article 5 – and I know that Michael and a few others might ask on this either – the – I’ve said Article 5 is almost not even an interesting question anymore, because a lot has been written on this over the last 12 years.
Michael Schmitt, a very well-known international lawyer, wrote back in 1999 that the main factors we’re going to use are scope, duration and intensity. Now he wasn’t applying that to Article 5; he was applying that to how the language of the U.N. Charter would apply, you know, about Article 2(4) or 39 or Article 51. But that’s – that was true when he wrote it then – we’re going to decide these things by scope, duration and intensity. And I think that’s very true today. So now for Article 5 we saw that after 9/11 the North Atlantic Council included one other factor: Was there an external – was there an external actor? Was this not domestic terrorism, but was this directed from abroad? And they were able to figure that out within 24 hours.
And they didn’t come up with that on the spot, I would suspect, but they’d been thinking about terrorism. We’ve had World Trade Center one; we’d had Khobar; we’d had Irish terrorism and Basque terrorism and Red Brigades. That gave them some experience to get there. I would contend in cyber we’ve already had Estonia. (Chuckles.) We’ve had plenty of other large-scale incidents that we’ve seen – don’t get to that threshold.
For me, I would be – I wouldn’t say astounded, but very surprised if we ever got an Article 5 cyber that wasn’t equivalent to the kinds of effects that you got from 9/11 – you know, significant casualties, hundreds if not thousands, significant property damage, a – perhaps a meaningful blip over a long term of – against GDP. But that’s not to say that that will be the only time that other NATO nations would get involved.
One of the other papers that we – that we have outside is on national responsibility. And in that paper, there is an – a notional conversation between some future president of the United States and a president of Russia, if a – if an Estonia situation happened again. And I won’t go into that now, but I think there’s significant deterrence – deterrent value that we can have, if we start (sic: stop) treating this like it’s magic and start treating it rooted in the way that we deal with other problems. I’m sorry to go long, if that went long.
MR. PAVEL: Gentleman in the fifth row.
Q: Thank you. I am Christian Brik (ph), defense counselor for the embassy of (Estonia ?). I do agree with most or many of the statements given today. Jay (sp), on the level of NATO’s – or current NATO’s level of cyber ambition, I sort of tend to have a slightly different opinion.
So I am asking your comment on that, that I think protection of NATO’s own networks is or should be a given. So spending a lot of time and discussions on that, and dragging our feet since 1999 or so, has sort of been too much. At the same time, if NATO is not pushing the allies to do more – to do more in a coordinated – a coordinated fashion, we end up in a situation where those who would drag their feet right now, they don’t have any added incentive to do more.
At the same time, the ones who are really progressive in cyber, they do a lot; they do it separately, without incentive and benefit of synergy and cooperation. We think that – at least when it comes to NATO’s actions in cyber intelligence, cyber forensics and planning – we need some central role from NATO. So how – do you see a sort of conflict or problem there, and how to solve that – (inaudible)?
MR. PAVEL: Either of the panelists?
MR. PAVEL: Or Leendert? I’ll join in also.
MR. : Yeah.
MR. PAVEL: Go ahead.
MR. VAN BOCHOVEN: OK. So, I mean, from our perspective, we couldn’t agree more, I think, in the – NATO’s protection should be a given. And (I ?) should just be very good at it. So very much agree to that. And I think the question is – towards pushing the allies, is – can they provide value add to the allies? Because that’s – ultimately, that’s the question. If you don’t add value, I mean, then the allies don’t get – they’re not interested in discussing things with you.
So I think the big question is, where can they add value? I think they can add value because they can sort of oversee a lot what’s happening. And I think that’s in the – in the security intelligence area. So should NATO have a competent (ph) center, so to say, on security intelligence, for example – knowing exactly what’s going on in their own networks and providing advice to member nations? I mean, I totally agree with that.
MR. HEALEY: Yeah, and I think – I think the kinds of ideas that you brought up there, Christian, fit in very well with ideas on the basics. I mean, you know, we can rack and stack those as far as priorities. But NATO has been very good about laying out standards and saying, look, the militaries – the militaries should be able to intercommunicate, and interoperability. We need to be able to do other things together.
And so I see that as an additional step that does make sense, especially if – as it can be at least informally coordinated with the EU that may be doing similar things to help the civilian infrastructure. We talk a bit about that in the – in the paper, how we might use ISO standards or the resilience management methodology from Carnegie Mellon to help – especially if you start with transparency, and at least give transparency, and then move toward standards.
If our – if our Atlantic colleague Frank Kramer were here – Atlantic Council colleague Frank Kramer were here, he would talk about one of his big concerns, which is that – if one of the NATO partners has a significant breach, especially during an operation – imagine if during the Libya operation, one of the parties that were involved in the air operation had a significant intrusion. All of a sudden, there would be a – there may be a strong lack of trust by the other partners that would then cut them out – you can no longer be connected to the air operation center systems. You know, we’re only going to communicate with you by telephone and fax, and no longer in a more automated fashion, which is what really enables modern air combat.
So Frank is concerned that you may – even if we’re technically interoperable, you may see a loss of trust that ends up – you know, has us essentially just chopping off one of the allies. And I think – if that’s the scare, I think the kinds of things that you brought up all help, say – but we can get to that goal in bringing everyone up to a similar level.
MR. PAVEL: Thanks very much, Jay (sp). We have a number of questions in line, but I’ll take the question from cyberspace, which comes from Stephen Shapiro of BSR Investments and Atlantic Council member. Stephen asks: I want to address cyber not as an issue of protection but rather as one of aggressive attack.
Not long ago I visited the Baltics at the request of Admiral Stavridis and met with defense and security officials in all three countries. All three NATO members made an identical and startling point. They are under constant, 24/7 low-level attack from Russia and feared that NATO did not consider these attacks within its defense mandate. These attacks are primarily cyber and economic, though include other nonkinetic aggression. Importantly, all three countries had primitive, if not amateur, cyberdefense systems.
Back in Brussels – albeit this was pre-Lisbon, so pre-November 2010 – NATO officials had a surprisingly casual reaction to their concerns – in fact, to the whole nonkinetic threat that some NATO members face generally, cyber included. There was reference to this cooperative center for excellence in cyber, which at the time of our visit was neither cooperative nor excellent, and that was it.
Finally, DOD has publicly announced a doctrine that equates in some circumstances a nonkinetic cyberattack to a kinetic use of force. But NATO so far has not done the same. Why – so the question is, why is NATO so sluggish in recognizing this real danger? And I think we could draw on organizational reasons as well as other reasons to answer this question, if any of the panelists want to entertain that.
MR. HEALEY: I would – I would start off with at least – without knowing exactly what was said – generally agreeing with NATO. Most of low-level attacks are not best thought of as aggression. They are not best thought of as introductory cyber warfare. They’re not best thought of as cyberterrorism. As a matter of fact, they’re almost never thought of as cyberterrorism. It’s cybercrime. And – you know, and if you’re on the other end of a criminal, it sure feels aggressive. And there’s no doubt Russia is not really reining in these groups.
But especially when NATO has so much to do, that getting involved in cybercrime when the countries already are so far behind – to now add that on as a NATO mission when it might best be tackled as law enforcement and law enforcement cooperation, or as a technical problem and it just needs a technical solution – I’m not yet convinced. You know, NATO’s outputs – it’s there for collective defense and cooperative security.
Now, when in 2007 and 2008 we saw – we saw real aggression, not low-level – not low-level stuff but really high-level stuff. I would like to make sure that NATO as an alliance is prepared to deal with that. I would love to have a conference – I don’t think to – we’ve had this conference – that uses something like our national responsibility model to look at Estonia and Georgia and try and really point fingers. I’m not sure we’ve ever had a conference that said, if Estonia happened again in 2012, what we’re going to do differently this time.
So rather than our getting involved in low-level aggression that is mostly criminal, I would rather let’s – remember when we used Dan Prieto’s line – let’s unpack this? Let’s unpack aggression, and let’s look at the large-scale things that have happened and how we’re going to deal with those again, rather than opening up the aperture to worrying about things that probably we need cops for, not NATO.
MR. PAVEL: In the front row, if we can get a microphone to Arnaud de Borchgrave.
Q: Thank you. Arnaud de Borchgrave, CSIS. Russia inherited a readymade cyber command from the Soviet Union known as FAPSI. China was flexing its electronic muscles in the early ’90s. Think tanks in this city were putting out reports on cybercrime, cyberterrorism and cyberwarfare in the mid-90s. But we didn’t set up our cyber command until a little over a year ago. And my question is, to what degree do you think that two major wars delayed our setting up this cyber command?
MR. PAVEL: And then I’d also like to take a question from the – right over there.
Q: Hi. Andrea Shalal-Esa with Reuters. I wanted to ask you about – and particularly, Ms. Pearson, I wanted to ask you about this nexus or this hard point where, you know, corporations are increasingly seeing advanced persistent threat. To what extent are you now going to the government and saying, look, there’s a limit to what, you know, we can do as corporations?
And to what extent – like, when does the government’s responsibility kick in – from the point of view of the, you know, sort of big corporations – of defending the U.S. if there is – if there are these sort of attacks that clearly, you know, can be traced back to whatever, you know – where you’ve pointed out that you don’t necessarily have the forensics, but it’s apparent and clear?
MR. PAVEL: And then I wanted to take a third question, right from this gentleman right here. And then we’ll hear from the panel.
Q: Lloyd Hand, King & Spalding. I have two related questions – related only that they both relate to cyber. The first relates a little bit to what Arnaud said. Given what we understand could be the destructive nature of a cyberattack, I understand the reason for focusing today on NATO’s cyber strategy and response, and the utility of that.
But given its destructive nature, has any thought been given to broadening the scope, of you will – if you will, of nonproliferation of cyber? I presume at the moment that none of the nations know for sure the extent of the capability of the other. And therefore it seems to me that there may be some thought given, at that – if that’s true, to broaden the scope within the U.N. to start a – develop a nonproliferation – that’s kind of part one.
The second one is somewhat more mundane. But I happened to listen last week to Secretary Napolitano testifying before the Budget Committee. And you got a question that implied that the failure so far of her to perfect a cyberstrategy was because of the lack of cooperation from the private sector. Maybe someone could conjecture or expound on what may be the basis of that comment by a senior appropriator.
MR. HEALEY (?): Oh, I love talking about that.
MR. PAVEL: Thanks. Well, first, I think – (laughter) – we’ll turn to Jay (sp) – hold your horses – we’ll turn to Jay (sp) for the cyber command. We’ll turn to Harriet for the question of threshold for corporations, Harriet and Leendert. And then the last set of questions I’ll put it – put it up for grabs.
MR. HEALEY: Great. Thank you for the – for the – for the question. And if Russia inherited the Soviet FAPSI, we certainly have our same old NSA. So we’ve – we have had a lead in that. The United States has had the first cyber commands and the first cyber units, and no one has been – has been stealing anything from us on that. What’s not well-known in the U.S., even amongst our cyber commanders and cyber warriors, is exactly how far back that goes.
Nineteen ninety-five, the United States Air Force set up the first real cyber unit that we can find, the 609th Information Warfare Squadron. 1998, December 31st, we stood up the first cyber command – Joint Task Force-Computer Network Defense, Air Force Major General Campbell commanding, reporting directly to the secretary of defense. We’re actually going to be having both of those first two commanders – along with Dave Bryan (sp), the first commander of JTF-CNO – next week, at the same time and on the same stage, to talk about the lessons from those early days and how they might apply.
And that’s part of a – I’ve got a grant to write the first cyberconflict history book. So what are the early commands? What are the early operations? And what are those lessons for today? Because it’s not well-known. When I was in the Air Force, we had – we were all taught about the early battles and the early leaders so that we could get air-mindedness, so that we could understand this. And we’re not teaching cyber-mindedness to the new generations. They’re coming in as if this were all new, rather than a problem that we’ve had for 20 years. Thank you.
MR. PAVEL: Harriet, what about the question of the threshold for corporations to deal with some of these more advanced cyber activities?
MS. PEARSON: I – my sense is that we are, as a society – and I’ll just speak U.S.-specific, because that’s where we are and that’s what I know best – I think we’re starting to see that threshold be defined. And I think it will take some additional years to get crisper as to what that threshold looks like. Clearly there is a role for government, a pure and crisp role for government, in defending a nation – defending a sovereign area. And there’s clearly a role for business and a number of incentives for businesses to protect themselves.
And the intersection, and where one stops and when one starts, I would defer to historians with, you know, better knowledge than mine as to how that threshold was defined in other areas. But I don’t know what it is in this area. And I think part of the debate in this town and in probably others as to what those – that area looks like, that’s the – that’s discussion we’re having now. And I think there are some human values, some cultural values, some practical realities that have to go into that mix. And I know it’s a sensitive area, and I think that’s where I’m going to kind of end that discussion – because I think there’s room for more of that to be had.
MR. PAVEL: And then how about on – if the panel would like to address the question of, sort of – is it time for nonproliferation discussions, at least of some of the more disturbing cyber capabilities that we’re seeing in evidence? Is the U.N. the forum? What’s NATO’s role? Should NATO even be discussing this in a consultative fashion, even if it’s not Article 5?
MR. HEALEY: Yeah, nonpro is difficult in this area, just because it’s relatively easy for nonstates to get a relatively significant capability. So now they may not – they may only have a handful of capabilities, whereas nation-states will have many, many, many capabilities. Nonstates are unlikely to be able to keep going a sophisticated attack over a long period of time in the face – disruptive attack over a long period of time in the face of determined defenders, compared to how a nation-state can do that. You know, the – you know, if the U.S. wants to solve a problem, we can throw billions and have lots of bureaucrats working at it for years at a time, and that’s fine. Nation-states aren’t going to have that capability. But it becomes very difficult for a nonpro regime, because so much of this is in the – is in the private hands.
Now we could unpack it, and we could look at, what are some reasonable ways that we might approach that? What, for example, are the U.S. government policies for U.S. companies that are going out and offering turnkey capabilities for other countries to have their own cyber commands? I know that there – you know, countries in the Middle East and other – elsewhere are going and saying, please set us up a defensive cyber command. On the side, they may be asking for more than defense.
So individual capabilities are difficult to put a nonpro regime around. But we can be doing more to say, like I – my first comments, that part is probably unsolvable. But what are parts that may be solvable? And I think coming up with some government policies to look at – to look at what companies do – and then I would go, and I would, you know – with a partner like U.S.-CREST, for example – go to the Brits and the French and try and make sure that the companies in all three nations are following similar policies, so that they’re not trying to stab each other in the back to get deals. You know, we’ll always be competing with the Israelis and the Russians, but we can at least get a U.S. strategy and then try and coordinate that with our allies that also have companies that would be getting involved.
MR. PAVEL: Thanks. We had two questions in the back. One, Grace – I mean, one in the last row, I believe, and then one in the second-to-last row.
Q: Just to follow up on this issue, I’m curious, over the next five or six years, whether NATO is going to be more useful as an actual technological resource versus a legal framework for response. Looking ahead, do you believe that NATO is going to be more useful as a lawfare, laundering vehicle for cyberdefense and cyberattack, or as providing technical capabilities and people and resources to thwart, deter, dissuade and counter?
MR. PAVEL: Let’s take the second-to-last row too. We have a question here.
Q: Hello. Hi, I’m Eric Lui (sp) at American University, and my question addresses a point that Ms. Pearson mentioned in the panel. And that is, how do large organizations stay flexible and stay as up to date as possible in the face of increasingly rapid technological change and increasingly – increasing flexibility on the part, in particular, of nonstate actors?
How do we build institutions that can anticipate and stay – we may always be one step behind, but how do we make sure that we’re no more than one step behind, and not two or three or 20 steps behind?
MR. PAVEL: Great question. Then the last one we’ll pick up is in the front row, from Rich Jaskot of Booz Allen Hamilton.
Q: Thank you. Last fall, Admiral Stavridis called a meeting co-hosted with deputy secretary of defense, a meeting of – with key members of the NATO staff in the cyber world and a number of industry partners. IBM was represented there – (inaudible) – and he kind of set the stage and made a call for the public-private partnerships that, Harriet, you were talking about before. That really hasn’t gained a lot of traction yet.
And what my question to you is, what do you see as the real stumbling blocks to pulling together a public-private partnership when we’re talking about 28-plus nations – because you’re caused to have MAP nations and PfP nations involved also – and the large array of industry partners in this marketplace, in the cyber world? Because you really could set up an area, when you’re talking about protecting critical infrastructure – haves and have-nots, and be setting who’s going to be successful and who’s not.
MR. PAVEL: Right.
MS. PEARSON: Good questions.
MR. PAVEL: Panelists, why don’t we take the first question first?
MR. HEALEY: Yeah. I’d be interested – I’d be interested in seeing if Leendert wanted a first stab at that, at the question of whether it’s going to be more useful technical or as a legal framework. I mean, again, I can jump in, but I’d be very curious. You’re on the ground there.
MR. VAN BOCHOVEN: Yeah, and I think NATO will be more relevant. I mean, it certainly should be their ambition, I think, to be relevant also from a technical perspective. Because one of the things that they’re stepping up as well is a response force – I mean, so if there is an incident or so on, they have deployable capabilities that they want to send into – for some help in those countries.
So I think, as such, they will have a more capable technical response, I think, to cyberattacks. And so, I mean, yeah, they’re stepping it up at this point in time.
MR. HEALEY: And I think it’s – five years might be too narrow a window because capability and credibility take a while. And if I’m looking at – let me do the math, 2017 –
MS. PEARSON: That’s the Goldman Sachs thing. (Laughs.)
MR. HEALEY: Exactly. Five years is going to be tight. I mean, then again, I’m coming from a high bar of technical capability – I mean, I’m coming from cyber commands and NSA and things like that.
Q: Nothing will happen in the next five years, of course.
MR. HEALEY: I think there’s – again, yeah, I think there’s going to be some things. But for example – I think where it’s going to be interesting, Michael, is in the mix between the two, where right now, for the kinds of things that came up in the earlier question about, right now, if you’re a Baltic or you’re, you know, some Eastern European nation and you’re looking for help right now, I’m not sure that there’s going to be that much.
But if we have a large-scale event, regardless of whether it passes an Article 5 – you know, it hits an Article 5 kind of threshold or not – even if it’s below, it’s not going to be a NATO capability, you know, out of Brussels that might be coming in. But – though – although you will see that with the rapid reaction teams, but the rapid reaction teams, I think, are going to be part of the legal framework. You know, they’re going to be a tripwire on the ground and a political sentiment that we care about what’s happening in this country – where the real technical help and the advantage for these countries in coming into NATO is alliance members saying, country X, wherever it is, is getting – you know, the Poles are getting hit and we’re going to send a specific NSA team to go in there, a specific FBI team to go in there. We’re going to, you know, talk to our partners at IBM and Symantec and McAfee and iDefense and see what they can do to help, and rush through some contracts so they can do things.
So it might not be NATO itself, someone within ACT or ACO framework, that’s going to be there for them. But I think the NATO countries are aware that technical stepping-up is going to – is going to occur if it’s a significant, interesting enough situation.
MR. PAVEL: On the question of public-private partnership stumbling blocks, how large organizations stay up to date, I’d turn to Harriet, then Leendert, if you have thoughts on that. The paper does call for, very specifically, an agenda for private-sector collaboration.
MS. PEARSON: Right.
MR. PAVEL: How do we handle that?
MS. PEARSON: I like the way the gentleman framed the question as well around, how do you stay up to date and agile? Because I think that’s – that is the – it’s the question of the day, I mean, it really is.
And first I’d make the assertion that it’s not only large organizations, but it’s organizations of multiple sizes. Staying agile and up to date against threat – I would turn that around a little bit as well and say something like – or say that we think about threat, and I think particularly this kind of group, given the topic, thinks about threat actors.
But the reality is that a bad consequence in a commercial structure could happen just as much out of carelessness as it could from some fancy or scary external force. And I think it is – others have said it, but I’ll say it here, that at the end of the day, if you’re trying to protect an organization, a reputation, a brand, an asset, it doesn’t really matter to me who it is or what the reason is. It’s kind of – it all manifests similarly.
And so you’re trying to put in a strategy and an approach that says I just need to manage risk, I need to protect. And attribution, to some extent, is not really that important. It’s trying to deal with the issue, the situation. So having been now in the area of data protection for, I don’t know, 16 years, I will tell you at a very practical level that it – you know, fields and disciplines change slowly, historically, right?
So, you know, a lawyer’s been a lawyer for a long time. A human resources person used to be personnel, used to be something else, and now they’re – you know, I don’t know, they’re talent leaders now or whatever the phrase is. You know, fields change slowly. I think you’ve seen, in the last 10, 15 years that I’ve been in this field, an extraordinarily rapid transformation of the roles inside organizations that have to do with protection of assets, particularly this thing called information.
And if you make the argument – and I think it’s true – that information is now an asset, you know, something one uses for creating whole business models, et cetera, et cetera, how one revolves around that and protects it – I think organizations have all the reason in the world to quickly evolve how we do it and how it’s getting done.
And a couple of – I mean, we could spend a whole conference on that subject, but a couple of key aspects of that. One is, what’s the leadership like? I went to that issue first and I’ll conclude with it because leadership really matters. Does the leadership get it? Are they putting enough emphasis behind it?
And are they selecting the right kinds of leaders and making them work together across different – either one organization or amongst, you know, members of an alliance, for example? So leadership is key so that you’re not dealing with – let me go, you know, fix a system here. That’s not the security issue. The security issue is the broader one, right? The other aspect here is skills, so you pick the right leaders but then you have to pick the right skills.
And then the other aspect is collaboration around this issue, because it is multi-disciplinary. It’s policy, legal, technical, process, culture – culture is king – if you kind of put it all together, you can become agile and deal with protecting the highest-value or highest-risk issues or assets, and then, you know, engaging more broadly.
The last point I’ll make is to Jason’s point. You don’t have to invent it all at home, every time, by yourself. And there are ways to engage with other organizations, whether it’s for money – right, so there’s a market here. Obviously a lot of big people are in this market. But there’s also opportunities for collaboration that are, you know, not for money. It’s more like contribute and then get something back.
And those are key elements as well. And in an area where there’s a lot of desire to be confidential and discreet, one has to kind of fight that and get over that to appropriately share, in order to protect ourselves. So those are some techniques, and I think somewhere in there there’s a management treatise and a management conference waiting to happen.
MR. PAVEL: Leendert, did you have anything to add to that?
MR. VAN BOCHOVEN: Yeah, well, one last point on that public-private partnership, especially from a NATO perspective. First of all, that will be a subject of – for the paper, but NATO is really looking for that. What is a sustainable platform to actually have that dialogue between industry and NATO? So they’re looking for that. They’re actively searching for it right now at this point in time.
And that’s, I think, built on trust, of course, but also, is there value? Is there value going both ways? If there’s no value going from one party to the other or vice versa, I mean, it’s going to deteriorate. You’ll have just meetings and then it will wither and die. I mean, so is – can we somehow define the value that both industry and NATO can bring together? I think that goes back to some of the principles that Harriet laid out as well in her summary.
MR. PAVEL: Jay (sp), one last –
MR. HEALEY: Yeah, and just to close on that. You know, I’ve done a lot of – I’ve been on both sides of public and private sector for over a decade. And we sometimes treat public-private partnership, especially in the government, as if it were an end in itself, as if, well, we have to collaborate. My recommendation for NATO – and it would be the recommendation for DHS and for Treasury and everyone else – what is it that you want to accomplish?
And talking with the – talking with a bank or talking with IBM is not what you want to accomplish. You want better threat data to protect yourself. You want X, Y, or Z. You want to learn how to become more agile. And it’s – we’ve gotten exactly what we’ve asked for, I think, out of most of the public-private partnership because we’ve been sloppy about what it is that we want to try to achieve.
So NATO, when it – as it starts to open up this can of public-private partnership worms, it needs to say, what is it that we’re actually trying to solve here? We want threat data, we want – and partnership is one of the ways that you can get that. You can also buy it. You can also try and ask NSA for it. You can also – you know, there’s a lot of ways that you can try and accomplish whatever it is that you’re doing.
And it’s all too often that we just fetishize partnership as the thing we’ve got to be doing. We need more of that. We know we need cyber; we need partnership, so cyber partnership is going to be the best of all things. And so NATO really needs to just define their goals and what it is they want to get done. Thank you.
MR. PAVEL: Great, thank you very much. Well, I’m sensitive to the time. We have many more questions than we have time left. A brief closing set of comments: First, I wanted to thank Brett Young, Grace Carroll, Simona Kordosova, Magnus Nordenman for all their work putting this together. I wanted to thank IBM for its support and partnership.
I really wanted to thank the panelists here today. You’ve given us a very rich discussion, most of which is captured in 12 recommendations that are very specific and practical in the briefing, the issue brief that you see on your way in or your way out today. And so just a last word of applause and thank you for the panelists. (Applause.)