Private Sector Plays Bigger Role in NATO Cyber Strategy
Photo: Defense Dept.As NATO allies train for possible clashes with Russian forces on land, at sea or in the air, the organization’s information technology arm is beefing up its cyber capabilities to defend against potential attacks from state and non-state actors in the digital realm.
With the U.S. military similarly making its network defense a battlefield priority, NATO is investing billions of dollars to refresh its cyber network design and continue training efforts across the alliance, while reinforcing its partnerships with the cybersecurity industry, according to current and former officials.
The organization — which is made up of 28 member nations including the United States, Canada and many European countries — has been investing in cyber defense since the early 2000s, but has made concerted efforts to work with the private sector on the matter only in the last two years, said Koen Gijsbers, general manager of the NATO Communications and Information Agency.
Prior to the 2014 Wales Summit, cyber defense was seen as “a technical solution,” Gijsbers said. But as the threat became more severe, “it was clear that we needed to speed up the relationship with industry” and develop a higher level of cyber defense, both at the NATO level and among individual nations, he added.
NCI Agency — headquartered in Brussels with locations all over Europe and in Norfolk, Virginia — is the information technology, communications and cyber defense arm of NATO, and serves as the acquisition office for those technologies, according to Gijsbers. It is also responsible for managing and operating the organization’s air and missile defense capabilities, and develops technical standards for cyber defense for its members.
Many of those nations have been investing heavily in defense capabilities — including cyber — as Russia boosts its offensive posture with more aggressive tactics. NATO last year announced business opportunities in cyber, air and missile defense worth nearly $4 billion through 2019.
The opportunities include: a major satellite communications contract worth about $1.6 billion and procurement for advanced software, according to the agency.
The capability refresher includes training for the agency’s staff, as well as larger nation-inclusive training events, Gijsbers said. For the first time, NATO held a major cyber exercise in Estonia in 2016 with members of industry and partner nations participating.
“It’s important to have those trainings, because this is how you prepare yourself for things you have not yet seen, you want to be prepared for the worst,” he said.
Training is a key component of any cybersecurity capability, said Cynthia Dion-Schwarz, senior scientist and cyber and data science program manager at the RAND Corp. “Current data shows that the human being remains the weak link in any cybersecurity posture,” she said.
“A big part of what NATO is doing and indeed, the DoD, and indeed any cyber-aware organization, is train their workforce to be aware of things like phishing, of not putting random USBs into their computer, all those sorts of bad habits that people have with their cyber activity,” she continued.
The investments are not only to defend against potential Russian attacks, Gijsbers said.
“In general terms, we are attacked on all sides,” he said. “Normal hackers like to see if they can come into NATO’s IT structure, so we know that the threat is increasing.”
Similar attacks are happening in the banking world and other defense industries, he added.
“NATO is very much dependent on what we call command and control ... we guide nations, we guide operations and we do it in a digital way, and therefore we need to safeguard that the command and control has enough resilience in order to be effective in all circumstances,” he said.
NCI Agency delivered its first full cyber capability package in the 2006-2007 timeframe, but a series of attacks from alleged Russian state actors — first upon Estonian networks in 2007 and then targeting Georgia’s networks in 2008 — served as a “wake up call” for the organization to pay more attention to such activities, Dion-Schwarz said. Though Russian actors remain the most plausible culprits, the state government has denied involvement in the attacks, she said.
A decade later at the NATO Warsaw Summit in 2016, the alliance’s commanders officially declared cyber to be an operational domain akin to air, land or sea, and leaders enacted a cyber defense pledge for each nation to boost its own capabilities, Gijsbers said. “There was good understanding that in the NATO environment, you’re only as strong as the weakest link, so therefore you need to invest in all areas, and make sure that all works together properly.”
NATO is only responsible for protecting its networks, he noted. Member nations are responsible for funding their own network capabilities and defenses, while NCI Agency is responsible for all NATO headquarters in Europe and the United States, as well as operating the networks for deployed missions such as in Afghanistan.
NATO’s role in assisting alliance members in response to a cyber attack can differ, said Henry Rõigas, policy researcher for NATO Cooperative Cyber Defence Centre of Excellence, an international military organization based in Tallinn, Estonia, that provides cyber defense research and analysis for NATO and other members.
“NATO is a military organization that aims to ensure peace and security, i.e., avoid war by deterrence,” he said in an emailed response. “A simple [distributed denial of service] attack during peacetime would be definitely mainly countered with national capabilities,” and most cyber attacks that nations deal with “fall into this category.”
But NATO’s role could change should the cyber attack reach the threshold of an armed or traditional military attack, meeting the requirements set in Article 5 of the North Atlantic Treaty, he continued. In that case, the North Atlantic Council could decide by consensus to exercise collective defense.
“If this decision is made, the type of response to such an attack by NATO members will be also decided on a case-by-case basis; it does not have to be a response via cyberspace,” he said, adding that most, if not all cyber attacks at the moment do not reach this high threshold.
“The main issue at the moment for individual nations and NATO is to devise effective deterrence and responses to the so-called ‘below the threshold’ attacks,” such as the recent hacking of the U.S. Democratic National Committee networks, or cyber espionage, he said.
The organization or members acting on their own can also decide to assist allies that are under significant cyber attack, he noted. “How this would exactly happen is up to the nations and NATO to decide.”
NCI Agency can employ rapid reaction teams of cyber defense experts to assist with an attack, Gijsbers said.
The agency would not come to the aid of a non-NATO ally without specific agreement from the North Atlantic Council, he added. For example, the alliance is currently assisting Ukraine, a non-NATO ally, in boosting its cyber defense capabilities among other support as a result of the 2014 Wales Summit.
The agency also shares some information with close partners, such as Finland, Gijsbers said.
Similarly, NCI Agency would typically not assist with an attack on a commercial enterprise within a member-state. “That’s typically either [up to] the nation, or the commercial entities have their own responsibilities there,” he said.
The NATO industry cyber partnership has been key to helping the alliance better prepare for attacks, Gijsbers said.
Dion-Schwarz said that NATO has “gone a long ways — in some ways, better than the U.S. — in terms of collaborating with industry and building industry partnerships.”
Through the partnership, NATO has information-sharing agreements with U.S. and European industry, where the two sides share threat analysis “to develop a relationship so that when an attack happens, we can work with cyber teams in those industries in order to mitigate the attack,” Gijsbers said.
The agency recently signed an agreement with FireEye Inc. — a Milpitas, California-based cybersecurity company — to share non-classified technical information on cyber threats and vulnerabilities. This was the ninth-such industry partner agreement NATO has made, according to NCI Agency.
“In forming an information-sharing partnership with NATO, we add additional visibility ... that helps protect our customers and offer high-fidelity intelligence that enables better threat detection and faster response on NATO’s networks and systems,” said Tony Cole, FireEye vice president and global chief technology officer, in a press release. FireEye did not respond to interview requests.
NATO also holds threat vector analysis workshops with its industry partners, and runs an annual conference, which brings member nation leaders, industry heads and defense experts together to discuss innovation trends and learn about business opportunities, Gijsbers said.
Another focus area for NATO cyber defense will be rapid innovation, Gijsbers said.
“Government processes are often quite slow when it comes to implementing new capability and we all know we need to get better in the cyber domain.”
There’s a challenge to divide contracts with American and European industries of different nations to get a fair share of the work, while maintaining speed and efficiency, Gijsbers said.
“Innovation is not just happening in the U.S.; there is a lot of good stuff happening in Europe,” he said. “We want to make sure that the solutions that we bring into the NATO environment ... can be interoperable ... because we really need to work in a collaborative environment, and that is where we play an important role in bringing those two cultures together.”
As the threat of a cyber attack becomes more prevalent, NATO’s cyber defense policies could change.
A viable option for deterring Russian-sponsored hackers and other adversaries would be going “tit for tat,” or taking a more active defensive cyber stance rather than the more passive methods used currently, said Ambassador Alexander Vershbow, who retired last year as NATO deputy secretary general.
“[Defensive cyber] is something that NATO has not fully stepped up to, but is debating now,” he said. “As an institution, it needs to at least have the option of defensive cyber operations in addition to defending its networks.”
Whether the alliance chooses to acquire that capability itself or work more closely with larger allies who already possess the capability are issues to be decided in the next year or two, he said.
“My own view is, given the evolving nature of warfare, NATO would be tying one hand behind its back if it deprived itself of at least the option of cyber offense,” he added. “Knowing that NATO has that capability could itself be a deterrent.”
NATO remains a defensive collective for its member nations, and Gijsbers emphasized that its cyber and other investments were purely meant for defense.
“What nations do is their national responsibility,” he said. “There are nations that are looking in that direction, but NATO’s focus is purely on the defensive side of the house.”