Norwegian soldiers of the NATO enhanced forward presence battalion attend a welcome ceremony for German President Frank-Walter Steinmeier at the Rukla military base some 130 km (80 miles) west of the capital Vilnius, Lithuania, Friday, Aug. 25, 2017. AP / Mindaugas Kulbis

How NATO Is Preparing to Fight Tomorrow’s Cyber Wars

As members fight off cyber attacks from Russia, here’s a deep dive into spending goals, partnerships, and policy debates about going on the offensive.

MONS, Belgium — NATO officials are boosting funding and forging new partnerships to strengthen their members’ network defenses. But some friends of NATO say bureaucratic obstacles and policy disputes are hindering the effort. All of that is occurring against a backdrop of daily low-level cyber attacks — and occasionally much more serious ones — from an increasingly aggressive Russia.

Example: despite last year’s declaration that a cyber attack might allow a collective military response dubbed an Article V, alliance officials have not publicly defined what such an attack would look like (except that it would have to be ‘severe’) nor what kinds of response might be involved.

“NATO still has a long way to go in terms of operationalizing that domain. We need to clear the first hurdles” by aligning old policies with modern capabilities, said Erki Kodar, the undersecretary for legal and administrative affairs for the Estonian Ministry of Defense, at the annual meeting of NATO’s Communication and Information agency, NCI.

Alliance officials expect the frequency and severity of attacks to grow.  

“We saw a lot of activity during Zapad 17,” said Rose Gottemoeller, the alliance’s Deputy General Secretary, referring to the massive military exercise Russia recently concluded in Belarus. She was answering a question about reports that Russian cyber attacks targeted NATO members Norway and Latvia. “What has been new in Russian doctrine and strategy, emerging really since 2014 very strongly, is called hybrid techniques. So what we saw in terms of interference with cyber networks was very much in line with the doctrine that they have been really emphasizing since the seizure of Crimea. It’s part and parcel of the way Russians are approaching warfare these days.”

For evidence of how brutish and bold Russian attacks have gotten, just ask NATO’s newest member. As Montenegro prepared for elections last October, the Kremlin launched a coup attempt that included DDoS attacks to knock out government websites just when the public most needed accurate information. The coup failed, but the attacks picked up again in February, as the country approached its formal entrance into the alliance.

“During the first half of this year and particularly before the NATO summit in which Montenegro officially joined NATO, the government infrastructure was under heavy, large attacks and this was a real challenge for our team,” said Milica Jankovic, the government’s general director for electronic management and information security.

The alliance responded by sending help from its best information warriors: Britain’s GCHQ, which teamed with some private cyber defense companies to help the government stop the attacks, keep running, and calm the populace.

GCHQ, perhaps the world’s top signals intelligence agency, offers this support to other alliance members as well. During an attack, the agency can help NATO members figure out what’s happening, who’s causing it, and how to counter it. (They helped the U.S. intelligence community attribute to Russia the 2016 influence campaign that targeted the United States election.) The UK agency also helps alliance members build stronger network defenses in the first place.

“A big part of what we do is help people design and build systems securely,” said Paul Chichester, who directs operations at GCHQ’s National Cyber Security Center, or NCSC.  “Everything we do is founded on that intelligence knowledge so we have some assurance that the advice that we’re giving is based on real, hard facts about what the adversary is trying to do.”

He cited phishing, a common type of attack made famous by Russia’s 2016 theft of messages from the Democratic National Committee. The center recommends that organizations implement an email authentication protocol such as the Domain-based Message Authentication, Reporting & Conformance, or DMARC. It’s a simple step that can help prevent the sorts of tricks that befell John Podesta and others. The UK happened upon it while trying to stop people from phishing the tax office.

Chichester said it’s critical that alliance members trade this kind of information.

“One of the reasons we signed the [2016] NATO Cyber Defense Pledge was to share with NATO colleagues a lot of the details of what we do,” he said. “European and global colleagues have had different events we can learn from.”

Chichester cited the 2015 attack on France’s TV5Monde, which for several hours displaced its programming with jihadist video. The culprits turned out not to be ISIS, but Fancy Bear, the Kremlin-backed group that would attack the DNC a year later.

“How would the UK handle a TV5 incident? How would we respond to that?” he said. Chichester said he advises other countries to think strategically about network defense, and to have arrangements in place to share critical cyber intelligence immediately.

Even NATO’s smaller members have ideas to offer. As part of its annual Spring Storm wargame, Estonia confronts graduating conscripts with the kind of cyber-warfare tactics that Russian troops have used against Ukrainians.

“We might send them fake SMSs to see if they will emit certain radio signals to reveal their positions,” said Estonia’s Kodar. “We usually only do it during their final exercise before graduating, when they are training with their brigade and their battalions, to see if someone gives away their location in the forest. It’s the reality of what will happen, anyway. If you talk to the Ukrainians, they will say that, if you emit, you die. It’s what you learn from places like Donetsk.”

The NATO umbrella of protection includes access to an enormous real-time window of threats, bugs, and vulnerabilities, visible as soon as they emerge.

One such arrangement is with Microsoft, whose Windows operating systems power most of the world’s government computers.

“NATO has access to all of our threats,” said Ann Johnson, vice president of Microsoft’s Enterprise Security Group. “We have an early warning system that we’ve established where we share threats from an early basis.”

The firm also has a transparency center in Brussels where NATO organizations can test Microsoft code. That may not sound significant, but it is. U.S. technology companies in search of revenue growth are looking abroad to China and even Russia, whose governments use any excuse to make life difficult for Western tech companies. Thus there is some incentive for such companies to try to appear somewhat neutral.

Why form an intelligence-sharing partnership with a military alliance when doing so may make it harder to do business in non-NATO-aligned countries? “It’s the only way that an organization of cyber security professionals can stay ahead of these threats,” said Johnson.

NATO is also ready to spend big on cyber defenses as well as the new hacking tools euphemistically called “capabilities.”

“We need a real tech refresh,” said Ian West, NCI’s chief of cybersecurity.

That’s the goal of the 70-million-euro CP120 (CP for “capability package”), which aims by 2024 to fund everything from encryption for tactical radios to cloud-integrated storage for the millions of suspicious cyber events NATO partners see each day. Eventually, said West, NATO will move to the public cloud for virtually everything that NATO does as an alliance.

That will allow “centralized patch management,” a streamlined way to fix bugs and vulnerabilities throughout the alliance. It’s “something that, in our current [local area network, wide area network] environment, is a huge challenge,” said West.

The spending push also funds research in next-generation AI to analyze the enormous amount of threat intelligence that NATO partners generate.

Armed Up But Bogged Down By Policy

But funding and technology are just part of the problem. Another is various policies by NATO and its members that make it difficult to act collectively in the face of a network attack.

“We in NATO have incredible cyber capability. But we in NATO do not have an incredible cyber policy,” former NATO commander Philip Breedlove noted in May. “In fact, our policy is quite limiting. It really does not allow us to consider offensive operatives as an alliance in cyber.”

Estonia, for one, is willing to strike back when attacked online. But Estonian officials want to know whether other NATO members will support them, and how alliance membership may constrain them. “I do not see NATO, as an organization, having its own offensive measures. But we do need a mechanism integrating national responses into what NATO’s response is,” said Kodar.

NATO Deputy General Secretary Gottemoeller called Breedlove “instrumental” in leading alliance thought toward cyber as a domain. “I agree with his critique,” she said, adding that the cyber pledge and the 2016 decision to allow collective response to cyber attacks under the NATO Charter’s Article 5 have “focused the mind of the alliance overall on what we need to do to make a more coherent approach to this set of problems.”

But she did not address the question of whether NATO needs a cyber offensive policy or strategy.  

One person who will be advising NATO on that approach is Gregory Edwards, NCI’s director of infrastructure services. A former U.S. Air Force officer, Edwards stuck out among the sea of Europeans at the recent NATO conference.

NATO needs a modular policy that might let specific countries or NATO-aligned military use specific cyber attacks under specific circumstances, he said. This would give more discretion to individual states, but without subverting NATO’s ultimate command and control.

“You could make a case-by-case decision” about responding to attacks, he said. “It’s something I want to push myself in the committees that are deliberating about what should we do in cyber as a domain. If we want to conduct operations in that domain, that’s different than just defending yourself. You need to have a policy that says, ‘if our operation is disturbed, we will take a specific action.’ The action will be listed. It will be listed what things the commander is allowed to do in that regard. It will be a specific action.”

It’s something he wants to see in future NATO exercises, he said.

All of that means that the world is no closer to understanding what an Article 5 response in cyber will look like, but that’s as it should be, said Gottemoeller. “You can never define a particular Article 5 response... That’s part of the strength of the alliance.”
