This paper is part of the Transatlantic Policy Briefs series published by the Slovak Atlantic Commission (SAC) and its think-tank, the Central European Policy Institute (CEPI). The briefs bring together experts from Central Europe to propose solutions to the most pressing issues on the transatlantic security agenda. SAC and CEPI are grateful to NATO’s Public Diplomacy Division for their financial support.
The Central European Policy Institute is a new regional think-tank established in Bratislava in 2012 by the Slovak Atlantic Commission. It links the top research institutions and experts from across Central Europe. CEPI is devoted to improving the quality of the region’s contributions to the EU and NATO debates on the main challenges of today. We believe that Central Europe should take on more responsibility in the EU and NATO for issues ranging from the economic crisis to energy and security.
● The alliance has agreed to strengthen its defences against cyber-attacks. Member-states are centralising control over the security of NATO’s internet systems, and creating rapid response teams to help allies in case of future cyber-attacks.
● The steps have yet to be fully implemented but in theory they make good sense. The rapid response teams in particular could become very important; many of the smaller allies will welcome additional help against cyber-threats.
● To improve their defences further, NATO countries should agree under what circumstances, if any, they envision threatening or using conventional military force in response to cyber-attacks, and whether such strikes should trigger the alliance’s ‘Article V’ clause, which obligates all allies to respond to an attack on one.

NATO suffered its first publicised cyber-attacks in 1999, when hackers blocked access to the organisation’s websites and e-mail servers in protest against the air strikes on Serbia. The alliance vowed to be better prepared next time, yet in 2007 it could not prevent attackers from shutting down virtually all of Estonia’s internet-based services for several days. Even though the most powerful military organisation in the world had had eight years to prepare, it could do little to assist its member-state. Worse, neither its security strategy nor its military doctrine had anticipated such an attack; the alliance’s very understanding of the gravity of the problem was out of date.
In its 2010 ‘Strategic Concept’, NATO set out to put things right by expanding its capacity in cyber-security. In the most significant development since, the member-states agreed a revised policy on cyber-defence in June 2011. Although it is too early to assess whether the policy works (it has not yet been completely implemented), the alliance seems at last to have made cyber-security one of its core competences.
The ever-changing threat
An analysis of the effectiveness of NATO’s cyber-defences must begin with a definition of the problem. Estonia-type cyber-attacks, the so-called distributed denial-of-service (DDoS) attacks, which take servers down by flooding them with more requests than they can handle, are just one of many threats, and probably not the most serious one. Their real impact on Estonia was limited to preventing users from remotely accessing some services, such as online banking. This was unnerving, but the same services remained available locally (by going to a bank branch, for example). More importantly, no unauthorised leaks of data occurred, no data was destroyed or modified, and no false data was injected into the systems. The attack did not undermine overall trust in the attacked systems, whether banks, government or others.
Cyber-attacks of the future will be far more damaging. They will aim to compromise the data or the system itself, and thus undermine users’ faith not only in the reliability of internet access but also in the services provided via the internet. This could affect vital services such as banking or tax administration. The exact forms could vary from unauthorised destruction or modification of data and injection of false data to targeted modification of the software used to process and present data. These sorts of attacks, rather than DDoS, are the top cyber-security threat of today. A recent attack on US government agencies and defence contractors provides a warning example. Unable to reach their targets directly, the attackers allegedly used a technique called ‘watering hole’: they broke into legitimate websites likely to be visited by users from the targeted organisations and planted malicious code there. When a visitor whom the malware identified as an official or contractor arrived at the site, his or her machine was infected with a second, more capable programme. This latter malware not only gave the attackers direct access to the victims’ computers but also compromised the victims’ trust in the website from which the infection had originated. Although the website in question remained safe for ‘regular’ users, it was a threat to a specific group of them.[i]
Cyber-attacks aimed at the public key infrastructure (PKI) that creates and manages digital ‘certificates’ would do yet more damage to public trust. Issued by special authorities, certificates are used to verify the authenticity of a communicating partner, for example the authenticity of a website, and thereby establish elementary confidence in the internet. There are hundreds of certificate authorities, trusted by default by web browsers and operating systems around the world, and a browser accepts a certificate for any domain from any one of them, so the whole system is only as strong as its weakest authority. When one of them is successfully attacked, as was the case with the Dutch DigiNotar in July 2011, attackers can obtain hundreds of rogue digital certificates and use them to impersonate high-profile domains. Since certificates are used worldwide by standardised software (such as internet browsers), the number of affected users could reach into the hundreds of millions.
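As an added illustration (not part of this paper, and not code from any NATO, browser or DigiNotar system), the Go program below uses only the standard library to reproduce the mechanics behind the DigiNotar case: it builds two self-signed root CAs, puts both in a trust store as a browser would, and has the second, ‘compromised’ root issue a certificate for a host it has no business serving. Default chain validation accepts both certificates, because any trusted root may vouch for any name; a stored SPKI pin recorded from the genuine certificate rejects the rogue one. The CA names, the host www.example.org and the pin set are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// must panics on error, keeping the certificate-building code short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a self-signed root certificate and its private key (name is a constructed label).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueLeaf has the CA sign a server certificate for host. Nothing here checks whether this
// CA has any business issuing for that name, which is exactly what a compromised CA exploits.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// SPKIPin returns the hex SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ChainValid is default browser behaviour: accept any chain ending in any trusted root that names host.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinnedValid additionally requires the leaf's public key to match a pin recorded from a known-good certificate.
func PinnedValid(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	return ChainValid(leaf, roots, host) && pins[SPKIPin(leaf)]
}

// Outcome holds the four verification results of the scenario.
type Outcome struct {
	GenuineChainOK, RogueChainOK, GenuinePinOK, RoguePinOK bool
}

// RunScenario trusts two roots, lets the "compromised" one issue for a host it does not serve,
// and checks both certificates with and without a pin.
func RunScenario() Outcome {
	const host = "www.example.org" // constructed target name
	goodCA, goodKey := newCA("Genuine Root CA")
	rogueCA, rogueKey := newCA("Compromised Root CA")
	roots := x509.NewCertPool() // stands in for a browser's trust store
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA)
	genuine := issueLeaf(goodCA, goodKey, host)
	rogue := issueLeaf(rogueCA, rogueKey, host) // DigiNotar-style rogue certificate
	pins := map[string]bool{SPKIPin(genuine): true} // recorded from a known-good contact
	return Outcome{
		GenuineChainOK: ChainValid(genuine, roots, host),
		RogueChainOK:   ChainValid(rogue, roots, host),
		GenuinePinOK:   PinnedValid(genuine, roots, host, pins),
		RoguePinOK:     PinnedValid(rogue, roots, host, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Nothing in the chain check distinguishes the two issuers, which is why the only remedy under default trust after a compromise is to pull the rogue root out of every trust store, as vendors did with DigiNotar. Pinning is shown as the client-side mitigation because it needs nothing beyond the client, but it is brittle in practice (key rotation, maintaining the pin set) and has largely given way to Certificate Transparency, which makes every certificate a CA issues publicly auditable.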
One way of undermining trust in systems and their operators is to disseminate sensitive or false information. A good illustration is the December 2011 attack on the servers of Stratfor, a corporate intelligence company. The attackers posted complete credit card records of its subscribers and over 28,000 e-mail addresses of its high-profile collaborators, dealing the credibility of the company a serious blow.[ii] Another form of information-manipulating attack makes use of social networks such as Facebook, LinkedIn or MySpace. In one recent case, a fictitious person, ‘Robin Sage’, created on popular portals, won the trust of many in the US military and various agencies in just a month. ‘She’ was invited to conferences, asked to review sensitive documents and offered jobs.[iii]
Increasingly, a single cyber-attack is only one element in a bigger plan, aimed for instance at gaining access to highly classified data. A recent attack on RSA, a company selling authentication hardware to various US agencies, is a good example. Allegedly, the attackers who penetrated its systems were seeking information about its SecurID tokens that would have allowed them to gain unauthorised access to other systems protected by that hardware. One relatively limited cyber-attack would thus have opened the floodgates to a much broader and more dangerous one.
Perhaps the most damaging form of information-distorting attack is a potential Wikileaks-like massive release of sensitive data, intentionally mixed with false information. Carefully designed to damage the credibility of selected political or military leaders, it could stir popular anger and undermine governments; such false information could be a powerful weapon against both states and individuals.
The growing complexity and cost of such attacks suggest that the actors responsible are states rather than individuals or criminal groups. The key indication is cost-effectiveness: complex attacks require not only technical expertise but also money, time and organisational skill. They do not bring quick results, and therefore hold less appeal for individual hackers or criminal groups (who can organise a lucrative online fraud for less money and in less time). For states, however, and particularly for intelligence services, prolonged and complex operations are the usual way of gaining an information advantage over their foes. The most visible example of such a complex, costly attack is the infamous ‘Stuxnet’ worm, which appears to have caused many Iranian centrifuges used to enrich uranium to spin out of control and destroy themselves. Stuxnet was expensive to assemble, required considerable inside information to be deployed successfully, and yielded no monetary benefit, which strongly suggests government involvement (the New Yorker magazine has linked it to US and Israeli intelligence agencies).[iv] By all appearances, governments are quickly displacing individual hackers and criminal groups as the holders of the most advanced cyber-attack capabilities, even if they often act through proxies to avoid identification.
Is NATO ready for this new, rough cyberworld? The alliance’s new cyber-defence policy envisions a two-pronged approach: first, to protect NATO’s own assets in cyber-space, and second, to assist member-states in responding to cyber-attacks and improving the resilience of their national networks, both civilian and military. With regard to the first task, the key element of the updated policy is centralisation. Until recently, responsibility for the protection of NATO’s electronic systems was fragmented. No single body oversaw the security of the various civilian and military systems of the many NATO agencies and its missions abroad. No unified security standard existed, nor any capacity to monitor compliance with such a standard or to gather data about incidents and specific threats.
This is changing with the creation of a single body co-ordinating cyber-defence, the NATO Cyber Defence Management Board (CDMB), comprising those representatives of the various NATO structures who are responsible for cyber-security. Further, NATO has established a ‘Computer Incident Response Capability’ (NCIRC) to act as an in-house emergency response team. It has been tasked with evaluating the security of NATO’s networks and disseminating information on incidents and threats to the administrators of individual systems. Most importantly, it will provide expertise and technical services in case of attacks against NATO’s networks. NCIRC experts are meant to help system administrators block attacks, limit the damage and patch the software flaws (so-called vulnerabilities) which make attacks possible.
Centralisation of responsibility for protecting NATO’s own networks is a step in the right direction. The alternative, that each NATO agency, command or division polices its own networks and sets its own standards for safety, is far inferior. Over time, the NCIRC could become the central repository of NATO’s knowledge in cyber-security. It will be the only body with an overall sense of the level and types of threats to NATO networks. And if it does its job well, it will acquire technical expertise in cyber-defence and cyber-threats unrivalled within NATO, as well as a network of contacts with the allies’ ‘Computer Emergency Response Teams’ (CERTs, which countries have established to act in cases of attack on national networks).

With regard to NATO’s second key task, assistance to allies, the alliance aims to do three things: create and enforce a security standard for those national cyber-systems which are vital for the effective functioning of the whole alliance; create a mechanism to exchange information about incidents and newly identified threats; and, finally, establish ‘Rapid Reaction Teams’ (RRTs) to be dispatched to a member-state asking for assistance in case of cyber-attacks.[v] The RRTs will presumably reinforce the national CERTs of NATO member-states and other institutions tasked with protecting cyber-space, such as police or special services. This approach is in keeping with the alliance’s overall defence philosophy: while the member-states are required to operate capabilities sufficient for their strategic needs, the alliance guarantees that their national forces will be reinforced in times of conflict. NATO does not assume responsibility for protecting national networks, civilian or military (an option suggested by some after the Estonia case), but acts as a provider of expertise and technical assistance.
The member-assistance element of the alliance’s cyber-defence policy is likely to become the most visible part of its effort in cyber-security. The smaller countries in particular will be keen to make use of it; they tend to have a harder time building national CERTs staffed with a sufficient number of highly qualified professionals (though, as Estonia’s case proves, even a smaller NATO country can become a powerhouse in cyber-security, provided it concentrates enough resources on the task). For those countries the alliance’s ‘reinforcements’ may play a crucial role in containing cyber-attacks, particularly a large-scale action against a number of networks. But countries that have large cyber-security programmes are likely to benefit too, because NCIRC could become a source of additional expertise and data for them. Finally, the RRTs will have important symbolic value: their deployment in times of crisis will send a signal of allied solidarity with the afflicted state. As such, the RRTs may come to play a role similar to some traditional high-demand military assets such as the Dutch or German Patriot missile defence batteries, which are deployed from time to time to countries that worry about missile threats to their territories. In another sign of how central cyber-defences have become to warfighting, the allies have tasked the North Atlantic Council, NATO’s highest decision-making body, with overseeing the overall NATO cyber-defence policy. Just as importantly, NATO’s defence planners will now include cyber-capabilities in the process of reviewing, planning and developing NATO’s overall force structure, alongside traditional military assets. This means that allies will be expected to produce a certain minimum level of national cyber-defence capability, with defence planners from NATO headquarters monitoring whether countries are fulfilling their commitments.
As their next step, the allies should agree whether, and which kinds of, cyber-incidents count as ‘Article V’ events, meaning that they ought to trigger an automatic collective response from NATO. Cyber-attacks have become so sophisticated and potentially devastating that allies now think of them as an existential threat. And if NATO were to limit itself to disseminating information, exchanging best practices, raising threat awareness or creating cyber-security standards, it would fail at its primary mission: to reassure the allies that they will not be abandoned, politically or operationally, in case of some of the most dangerous attacks imaginable. Clearly, not every cyber-attack will qualify under Article V. But those that deliberately cause accidents at large industrial facilities (such as nuclear power plants or chemical factories) or severely damage a country’s banking system may need to be given consideration, along with other cyber-threats of comparable impact.

Instead of conclusions
At least three more cyber-tasks lie ahead of the allies. On the more technical end of the scale, NATO should develop a coherent terminology for defining cyber-concepts. The alliance has no agreed definition of cyber-security, and over the last few years its documents have used terms such as cyber-security, cyber-terrorism, cyber-warfare, cyber-defence, cyber-crime, cyber-attack and cyber-threat nearly interchangeably. The confusion of terms makes it difficult to build a solid policy against cyber-threats. NATO ought to use its dedicated Co-operative Cyber Defence Centre of Excellence in Tallinn to clarify the terminology, thus making it easier for allies to understand each other and co-operate.
The second task is more political. The allies ought to explore whether NATO should resort to traditional diplomacy or military force in response to cyber-attacks. NATO’s present strategy is, essentially, ‘deterrence by denial’: it assumes that potential attackers will not bother to hit NATO, because they know that the alliance will be well defended and that their actions will have limited effect. While this approach may work against individual hackers or even groups, it is less likely to deter state-sponsored attackers, who tend to be far more technically capable, and thus readier to overwhelm NATO’s cyber-defences. If technicians fail to contain cyber-attacks, it will fall to politicians or even militaries to make opponents stop. In many cases, NATO will not know who is responsible: on the internet, attackers can obscure their identity far more effectively than in the physical world. But if the offending party is proven to be a foreign government, and should military force be the only remaining tool for stopping it, NATO countries should not be improvising; they ought to think through the scenarios and their likely responses before they become reality. Cyber-defence and cyber-warfare should become part of NATO military doctrine. This, as noted earlier, requires that allies also clarify what kinds of cyber-attacks qualify as Article V incidents.
However, NATO’s emphasis should be on yet another, third task: making a success of its new cyber-policy. The overall approach is sound, but it needs to be implemented well and adapted to changing needs. For example, attacks on mobile devices, formerly a minor nuisance, are becoming a primary way of stealing sensitive corporate (and governmental) data. NATO needs to produce a set of benchmarks to gauge whether its policy keeps pace with changing threats. The alliance has at last recognised that the attacks on Estonia and the 1999 cyber-strikes on its own networks were not isolated incidents but signs of things to come. It now needs to demonstrate that it is not only aware of the gravity of the threat but also ready to defend against it.
[i] For more see ‘Espionage Hackers Target “Watering Hole” Sites’, September 25th 2012, www.krebsonsecurity.com
[ii] R. Stiennon, ‘Fallout from the Christmas Hack of Stratfor’, December 28th 2011, www.forbes.com
[iii] D. Batty, ‘US security chiefs tricked in social networking experiment’, July 24th 2010, guardian.co.uk
[iv] For more see Bruce Schneier, ‘Stuxnet’, October 7th 2010, http://www.schneier.com/blog/archives/2010/10/stuxnet.html
[v]