As members fight off cyber attacks from Russia, here’s a deep dive into spending goals, partnerships, and policy debates about going on the offensive.
MONS, Belgium — NATO officials are boosting funding and forging new partnerships to strengthen their members’ network defenses. But some friends of NATO say bureaucratic obstacles and policy disputes are hindering the effort. All of that is occurring against a backdrop of daily low-level cyber attacks — and occasionally much more serious ones — from an increasingly aggressive Russia.
Example: despite last year’s declaration that an cyber attack might allow a collective military response dubbed an Article V, alliance officials have not publicly defined what such an attack would look like (except that it would have to be ‘severe’) nor what kinds of response might be involved.
“NATO still has a long way to go in terms of operationalizing that domain. We need to clear the first hurdles” by aligning old policies with modern capabilities, said Erki Kodar, the undersecretary for legal and administrative affairs for the Estonian Ministry of Defense, at the annual meeting of NATO’s Communication and Information agency, NCI.
Alliance officials expect the frequency and severity of attacks to grow.
“We saw a lot of activity during Zapad 17,” said Rose Gottemoeller, the alliance’s Deputy General Secretary, referring to the massive military exercise Russia recently concluded in Belarus. She was answering a question about reports that Russian cyber attacks targeted NATO members Norway and Latvia. “What has been new in Russian doctrine and strategy, emerging really since 2014 very strongly, is called hybrid techniques. So what we saw in terms of interference with cyber networks was very much in line with the doctrine that they have been really emphasizing since the seizure of Crimea. It’s part and parcel of the way Russians are approaching warfare these days.”
For evidence of how brutish and bold Russian attacks have gotten, just ask NATO’s newest member. As Montenegro prepared for elections last October, the Kremlin launched a coup attempt that included DDOS attacks to knock out government websites just when the public most needed accurate information. The coup failed, but the attacks picked up again in February, as the country approached its formal entrance into the alliance.
“During the first half of this year and particularly before the NATO summit in which Montenegro officially joined NATO, the government infrastructure was under heavy, large attacks and this was a real challenge for our team,” said Milica Jankovic, the government’s general director for electronic management and information security.
The alliance responded by sending help from its best information warriors: Britain’s GCHQ, which teamed with some private cyber defense companies to help the government stop the attacks, keep running, and calm the populace.
GCHQ, perhaps the world’s top signals intelligence agency, offers this support to other alliance members as well. During an attack, the agency can help NATO members figure out what’s happening, who’s causing it, and how to counter it. (They helped the U.S. intelligence community attribute to Russia the 2016 influence campaign that targeted the United States election.) The UK agency also helps alliance members build stronger network defenses in the first place.
“A big part of what we do is help people design and build systems securely,” said Paul Chichester, who directs operations at GCHQ’s National Cyber Security Center, or NCSC. “Everything we do is founded on that intelligence knowledge so we have some assurance that the advice that we’re giving is based on real, hard facts about what the adversary is trying to do.”
He cited phishing, a common type of attack made famous by Russia’s 2016 theft of messages from the Democratic National Committee. The center recommends that organizations implement an email authentication protocol such as the Domain-based Message Authentication, Reporting & Conformance, or DMARC. It’s a simple step that can help prevent the sorts of tricks that befell John Podesta and others. The UK happened upon it while trying to stop people from phishing the tax office.
Chichester said it’s critical that alliance members trade this kind of information.
“One of the reasons we signed the  NATO Cyber Defense Pledge was to share with NATO colleagues a lot of the details of what we do,” he said. “European and global colleagues have had different events we can learn from.”
Chichester cited the 2015 attack on France’s TV5Monde, which for several hours displaced its programming with jihadist video. The culprits turned out not to be ISIS, but Fancy Bear, the Kremlin-backed group that would attack the DNC a year later.
“How would the UK handle a TV5 incident? How would we respond to that?” he said. Chichester said he advises other countries to think strategically about network defense, and to have arrangements in place to share critical cyber intelligence immediately.
Even NATO’s smaller members have ideas to offer. As part of its annual Spring Storm wargame, Estonia confronts graduating conscripts with the kind of cyber-warfare tactics that Russian troops have used against Ukrainians.
“We might send them fake SMSs to see if they will emit certain radio signals to reveal their positions,” said Estonia’s Kodar. “We usually only do it during their final exercise before graduating, when they are training with their brigade and their battalions, to see if someone one gives away their location in the forest. It’s the reality of what will happen, anyway. If you talk to the Ukrainians, they will say that, if you emit, you die. It’s what you learn from places like Donetsk.”
The NATO umbrella of protection includes access to an enormous real-time window of threats, bugs, and vulnerabilities, visible as soon as they emerge.
One such arrangement is with Microsoft, whose Windows operating systems powers most of the world’s government computers.
“NATO has access to all of our threats,” said Ann Johnson, vice president of Microsoft’s Enterprise Security Group. “We have an early warning system that we’ve established where we share threats from an early basis.”
The firm also has a transparency center in Brussels where NATO organizations can test Microsoft code. That may not sound significant, but it is. U.S. technology companies in search of revenue growth are looking abroad to China and even Russia, whose governments use any excuse to make life difficult for Western tech companies. Thus there is some incentive for such companies to try to appear somewhat neutral.
Why form an intelligence-sharing partnership with a military alliance when doing so may make it harder to do business in non-NATO-aligned countries? “It’s the only way that an organization of cyber security professionals can stay ahead of these threats,” said Johnson.
NATO is also ready to spend big on cyber defenses as well as the new hacking tools euphemistically called “capabilities.”
“We need a real tech refresh,” said Ian West, NCI’s chief of cybersecurity.
That’s the goal of the 70-million-euro CP120 (CP for “capability package), which aims by 2024 to fund everything from encryption for tactical radios to cloud-integrated storage for the millions of suspicious cyber events NATO partners see each day. Eventually, said West, NATO will move to the public cloud for virtually everything that NATO does as an alliance.
That will allow “centralized patch management,” a streamlined way to fix bugs and vulnerabilities throughout the alliance. It’s “something that, in our current [local area network, wide area network] environment, is a huge challenge” said West.
The spending push also funds research in next-generation AI to analyze the enormous amount of threat intelligence that NATO partners generate.
Armed Up But Bogged Down By Policy
But funding and technology are just part of the problem. Another is various policies by NATO and its members that make it difficult to act collectively in the face of a network attack.
“We in NATO have incredible cyber capability. But we in NATO do not have an incredible cyber policy,” former NATO commander Philip Breedlove noted in May. “In fact, our policy is quite limiting. It really does not allow us to consider offensive operatives as an alliance in cyber.”
Estonia, for one, is willing to strike back when attacked online. But Estonian officials want to know whether other NATO members will support them, and how alliance membership may constrain them. “I do not see NATO, as an organization, having its own offensive measures. But we do need a mechanism integrating national responses into what NATO’s response is,” said Kodar.
NATO Deputy General Secretary Gottmoeller called Breedlove “instrumental” in leading alliance thought toward cyber as a domain. “I agree with his critique,” she said, adding that the cyber pledge and the 2016 decision to allow collective response to cyber attacks under the NATO Charter’s Article 5 have “focused the mind of the alliance over all on what we need to do to make a more coherent approach to this set of problems.”
But she did not address the question of whether NATO needs a cyber offensive policy or strategy.
One person who will be advising NATO on that approach is Gregory Edwards, NCI’s director of infrastructure services. A former U.S. Air Force officer, Edwards stuck out among the sea of Europeans at the recent NATO conference.
NATO needs a modular policy that might let specific countries or NATO-aligned military use specific cyber attacks under specific circumstances, he said. This would give more discretion to individual states, but without subverting NATO’s ultimate command and control.
“You could make a case-by-case decision” about responding to attacks, he said. “It’s something I want to push myself in the committees that are deliberating about what should we do in cyber as a domain. If we want to conduct operations in that domain, that’s different than just defending yourself. You need to have a policy that says, ‘if our operation is disturbed, we will take a specific action.’ The action will be listed. It will be listed what things the commander is allowed to do in that regard. It will be a specific action.”
It’s something he wants to see in future NATO exercises, he said.
All of that means that world is no closer to understanding what an Article 5 response in cyber will look like, but that’s as it should be, said Gottmoeller. “You can never define a particular Article 5 response...That’s part of the strength of the alliance.”