ATLANTIC TREATY ASSOCIATION
Volume 5 - Issue 4 April 2015
NATO’s Cyber Strategies and Wireless Warfare in the Information Age
Space was once the stake of international competition, as whoever had the ability to launch missiles far enough had the power to destroy their enemy. This discovery was followed by technological development, causing more and more uncertainty. Today, concerns have moved to cyberspace. This virtual arena is the source of a new type of conflict where war is not declared, attackers are hardly identifiable and skilled individuals can remotely disable a country’s infrastructures. Cyber attacks have raised new types of concerns that demand appropriate answers. Although using cyberspace to weaken an opponent is not a new practice, no appropriate answers have yet been found, while government infrastructures remain especially vulnerable. Combined with other means, cyber attacks contribute to the development of a new sort of war, a hybrid combat where states are no longer the only protagonists. Power is now in the hands of any individual with sufficient motivation and computer skills.
- Flora Pidoux
Atlantic Voices, Volume 5, Issue 4
Threats to the Cyberspace (Photo: Symantec ISTR)
Contents:
NATO’s Cyber Strategies and Wireless Warfare in the Information Age
Mr. Alexandru Moldovan analyzes NATO’s cyber security policy by underlining the major events that contributed to the current state of affairs.
Challenges To NATO’s Cyber Security And Where They Originate From
Mr. Mikk Raud’s article focuses on the challenges that arise from cyber attacks, which are more and more difficult to deter or counteract.
What Cyber Changes: Using Ethics To Inform
Mr. Henri Collis explores cyber attacks from an ethical perspective in an effort to analyse how attacks of this new kind should be answered.
NATO’s Cyber Strategies and Wireless Warfare in the Information Age
By Alexandru Moldovan
Our daily routines are becoming increasingly dependent on the advancements in information technology. Virtual reality already influences major aspects of our lives, such as the economy, health and education, and it seems that it will not be long until its influence will expand into our personal and national security. In the last years, we’ve witnessed a major increase in cyber attacks which have forced governments to make space on their agendas to ensure the security of their public and private cyber networks.
The first documented cyber war was fought during the Kosovo War. Between March 24, 1999 and June 10, 1999 operation Allied Force, a conventional military operation, was conducted by NATO on the territory of Yugoslavia in order to stop the human rights abuses in Kosovo. During NATO’s military operations against Serbia, numerous pro-Serbian hacker groups attacked NATO’s internet infrastructure. The hackers were aided in their goal of disrupting NATO’s war-fighting capabilities by Russian and Chinese hackers. Their victims were, among others, NATO’s server and NATO’s public affairs website dedicated to the war in Kosovo. Containing briefings and news, the latter was inoperable for several days due to Distributed Denial of Service attacks.
As a result, small but consistent steps were taken by NATO to strengthen their digital defence, starting with the establishment of the Cyber Defence Programme in 2002. The latest confirmation of these continuous efforts came at the NATO Wales Summit in September 2014. The Wales Summit Declaration contains explicit references to the increased importance that NATO gives to the cyber security domain together with a detailed plan for the future.
The Tallinn Manual, an international cyber law research and education standard, defines a cyber attack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” Reinforcing the major damage that a cyber-attack can lead to, article 72 of the Wales Summit Declaration states that: “Their [ed. cyber-attacks] impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence”.
Allies need to clarify what potential cyber attack scenarios would cross the Article 5 threshold, and specify the member states’ duties in the case of a cyber attack. Even though the moment when a cyber attack will lead to significant loss of human lives may seem a distant future, it is clear that the risk must not be treated lightly. As Professor Michael Schmitt, the Tallinn Manual’s editor, stated, “I think just as a century ago we were trying to understand how aviation would impact the laws of war, today we are in great need of sorting through these issues in the cyber world today”.
This article details the strategic importance of having a cyber-strategy in place, and highlights the recent events that caused NATO’s concern.
Strategic Importance Of Cyber Strategies in Modern Warfare
In order to face the new emerging threats caused by the aggressive behaviour of Russia, the government of Lithuania decided in February 2015 to reintroduce compulsory military service. Despite this measure, new threats were signalled by the President of Lithuania Dalia Grybauskaite in a public intervention in March 2015: “The first stage of confrontation is taking place - I mean information war, propaganda and cyber attacks. So we are already under attack.”
Far from being singular, this type of unconventional attack was also recorded in 2007 when hackers attacked official state and bank websites in Estonia and in the 2008 Georgian War. The Estonian attack was attributed to groups of Russian hackers even though the Russian authorities denied any involvement.
According to James Sherr from Britain’s Royal Institute of International Affairs, this new type of conflict called hybrid warfare is “designed to cripple a state before that state even realizes the conflict has begun”. Elaborating on the topic, Sherr adds that hybrid warfare is “a model of warfare designed to slip under NATO’s threshold of perception and reaction.” As Deputy Secretary General Ambassador Alexander Vershbow said, we are facing a new facet of the ancient Trojan Horse tactic.
As cyber attacks usage intensifies, we need to look into the details of what constitutes a cyber attack and how NATO and its allies can capitalize on their experience to ensure that accidents like these will never catch the Alliance on the wrong foot.
Expanding the Tallinn Manual definition of cyber attacks, Wittaker defines them as “coordinated actions taken against a state’s public institutions, digital infrastructure, and its critical infrastructure through cyber space”. Since there is no clear terminology that can be used to define cyber warfare, a range of different theoretical frameworks have attempted to explain this idea. A first classification was made by Wittaker who differentiates between cyber attacks and cyber crimes. While cyber crimes are directed against individuals and companies, cyber attacks are targeting public institutions and infrastructure.
A more in-depth classification is made by Schreier who distinguishes between cyber vandalism or “cyber hacktivism”, cyber crime or internet crime, and cyber espionage. The most dangerous one for governments is cyber crime which usually affects the banking sector, financial institutions, and the corporate sector. Government networks which hold classified data are also affected, but less often.
Cyber attacks can be classified as a form of international terrorism, and as a consequence there is a need for a coordinated international approach to address such threats. Special characteristics of cyber attacks which make them particularly dangerous are the difficulties that arise from identifying their origin, nature and impact. It is indeed easier for the cyber criminals to hide their origin as attacks can be launched from anywhere in the world. In these conditions, retaliation becomes problematic because of the hardship of locating the attacker and identifying their intentions. The nature of the attack is also hard to define as attacks become more and more sophisticated. Taking into consideration the elaborate schemes of attack that are now developed by attackers, calculating the damage inflicted on the victim can become an intricate endeavor.
Phishing attacks are requesting you to divulge your password under false arguments (Photo: RealBusiness.co.uk)
Most common cyber threats can be used against a variety of information systems such as transportation, telecommunication and power systems, and industrial equipment. These threats can take the form of Authentication violations, Trojan Horses and Viruses, Malware, Spyware and Phishing, Sabotage, Fraud, Insecure passwords, Denial of Service (DoS) and more modern threats such as Internet of Things. For these general threats there are a number of solutions, such as Antivirus software and firewalls, Cryptography, Risk analysis and Biometrics. However, we need to keep in mind that every system has its own hardware and software specificities that the attackers can exploit.
In order to respond to cyber crimes, cyber security measures need to be put in place to ensure the “safety of the data flow in the global network system, the protection of databases, of transactions, of access to critical information, the protection of the integrity of the national infrastructures, such as the telecommunications and power sectors, the protection of personal information of individuals, the protection of cyber infrastructure with all its components etc.” as Hansen and Nissenbaum underline in their analysis. Hence, cyber security should be seen as an enabler that secures our digital way of life. Everybody should take responsibility to protect their private security and not treat this duty as a burden.
Historical Development of NATO’s Approach to Cyber Security
The hybrid war gave the opportunity for cyber warriors and hackers to make use of their capabilities. Although many of their actions are condemnable, the end justifies the means in times of war as hackers see it. On the other hand, NATO has to deal with the problematic situation of how to make the best of its cyber capabilities while respecting international law.
Anders Fogh Rasmussen, former NATO Secretary General, stated in June 2014 that the approach to cyber security that NATO has in place focuses on the principle of collective defence, which does not fully respond to the threat, leaving room for further improvement when it comes to the details of the strategy. As Rasmussen presents the results of the discussion held in Brussels in August 2015 with the American officials, “Our mandate is pure cyber defence,” and “Our declaration is a start,” he said, “but I cannot tell you it is a complete strategy.”
Before the Wales Summit in September 2014, according to Limnell, NATO had to face three key challenges: integrate cyber capabilities, update Article 5, and better coordinate national capabilities. Out of these challenges, the biggest one was: “[...] to integrate cyber into a broader strategic and operational concept, both in defence and offence.” This observation is in line with one made by Rasmussen who acknowledged that a global strategy is still under development.
NATO’s largest ever multinational cyber defence exercise is “Cyber Coalition 2014” launched on November 18, 2014. (Photo: NATO)
What led to the existing state of affairs is a series of events that continuously shaped NATO’s capabilities for fighting cyber crimes. In chronological order, the concept of cyber security made its way on NATO’s agenda for the first time after the hacking incidents in the late 1990s that took place during the Kosovo War and consequently led to the start of NATO’s Cyber Defence Programme. After the 2002 Prague Summit, initiatives were taken to establish the NATO Computer Incident Response Capability (NCIRC). With the New Strategic Concept developed by NATO in November 2010 at the Lisbon Summit, a cyber security objective was clearly formulated in the Summit’s report. Enhancing the “ability to prevent, detect, defend against and recover from cyber-attacks, [...] and coordinate national cyber defence capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations” were the guidelines followed by NATO at the time. In 2011 a revised NATO Policy on Cyber Defence was approved and by the end of 2012, the NATO Computer Incident Response Capability (NCIRC) was in place. The organisation is now under the NATO Communications and Information Agency (NCI Agency), which monitors the IT infrastructure and responds to cyber threats and attacks. Other important milestones for the organization are the creation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia and the establishment of NATO Cyber-Defence Management Authority (CDMA) in 2008.
The CCDCOE, NATO’s International Military Organisation to enhance the capability, cooperation and information sharing on cyber security (Photo: Valentina Pop)
At this point it is important to underline that NATO’s cyber strategy is purely defensive. NATO’s members are still responsible for developing their own national cyber defence capabilities and must protect their own networks. At this level, NATO’s role is to share expertise and information, promote coordination and cooperation and facilitate the development of national capabilities.
Admittedly, the principle of collective defence and the enshrined Article 5 still apply in the case of cyber attacks. As a consequence, the question that can be asked is: “Would NATO go to war over a cyber attack invocation of Article 5”? To elucidate this matter, a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council based on a political decision taken on a case-by-case basis.
Another relevant aspect for the cyber security topic is that the new cyber policy has given clarity to the process the Alliance will use to invoke collective defence while maintaining ambiguity about specific thresholds, as the Alliance’s ministers of defence stressed. For reconstructing the process, firstly, the incident is analyzed at a technical level. If the incident has political implications, the dossier is passed on to the Cyber Defence Management Board and from the Defence Policy and Planning Committee through to the North Atlantic Council, the principal political decision-making body of the North Atlantic Treaty Organization.
At the moment, it is very unlikely that the North Atlantic Council would invoke collective defence unless there were significant damage and deaths, equivalent to kinetic military force. The criteria for determining whether an attack should be viewed as an “armed attack” are not very clear but several indications can be traced through the literature.
Jeffrey Carr, cyber security analyst and expert, suggests six criteria for determining whether an attack should be viewed as an “armed attack”. These criteria are: severity, immediacy, directness, invasiveness, measurability and presumptive legitimacy. We can therefore treat a cyber attack as an armed attack if it produces a great damage for a long duration and with multiple effects, while crossing multiple physical or digital borders and having an illegal nature. It is necessary that the victims can quantify its harmful effects in order for the cyber attack to be considered an “armed attack”.
Future Development Possibilities in the Area of Cyber Security
By analyzing the private sector, we can reveal the positive impact that international standards for information security like ISO/IEC 27001 and 27002 can have. Thanks to the best practices recommendations that are included in these standards it becomes easier to manage the security efforts. A future development could be the adaptation of such a standard by NATO.
Another aspect that needs to be taken into consideration is the lack of transparency from the members of the Alliance when it comes to the offensive cyber capabilities that they have at their disposal. Coupled with the lack of any cyber offensive plans made by NATO, this impediment can negatively influence the overall cyber capabilities of the Alliance.
One more area that can be improved is the legislation. NATO hinges to a large extent on legislation and any gap in it could potentially be dangerous for the proper functioning of the organization. A good starting point for improvement would be a better definition of the concept “armed attack” in the context of cyber conflicts. Further developments could be an increased number of common exercises, strengthening of the partnership with the private sector or an increased budget for research and development.
Conclusion
NATO’s cyber capabilities have evolved continuously since the Kosovo War. While the current tactics describe a defensive thinking, we cannot talk at the moment about a complete cyber security strategy at the Alliance level. Nevertheless, NATO made some important steps by acknowledging the role of cyber security, founding NCIRC and similar dedicated institutions, and setting up a clear chain of command in case of cyber attacks. However, space for improvement still exists. There is a need for a revised legislation, like in the case of Article 5; transparent communication between members and international needs to be improved; global standards for information security should be put in place. By solving all these issues, the process of integrating a standalone cyber strategy into the Alliance’s global military strategy will be much easier.
About the author
Alexandru Moldovan is currently an IT and Business Process Management MSc student with a multidisciplinary background in IT, Communication, Public Relations and Human Resource Management. He is currently interested in IT, cyber security, sustainability, and has previously explored coaching solutions for human resource professionals. His professional background includes rich participation in non-governmental organizations that delivered non-formal educational projects to youth.
Bibliography
Andra, A. (2012). Cyber Security: An Important Dimension of Romania’s National Security | Center for European Policy Evaluation on WordPress.com. Retrieved March 29, 2015, from http://cepeoffice.com/2012/08/20/cyber-security-animportant-dimension-of-romanias-national-security/
Carr, J. (2010). Inside Cyber Warfare: Mapping the Cyber Underworld. O’Reilly.
Collier, M., & Sibierski, M. (2015). NATO allies come to grips with Russia’s “hybrid warfare” - Yahoo News. Retrieved March 30, 2015, from http://news.yahoo.com/nato-allies-come-grips-russiashybrid-warfare-182821895.html
Cyber Attacks Against NATO, Then and Now. (n.d.). Retrieved March 29, 2015, from http://www.atlanticcouncil.org/blogs/new-atlanticist/cyber-attacks-against-nato-then-and-now
Hansen, L., & Nissenbaum, H. (2009). Digital Disaster, Cyber Security, and the Copenhagen School. International Studies Quarterly 53, 1156.
Healey, J., & van Bochoven, L. (2011). Issue Brief, 1–12.
Holly, E. (2015). Top 5 cybersecurity risks for 2015. Retrieved March 30, 2015, from http://www.cnbc.com/id/102283615
Ilves Hendrik, T. (2013). Cybersecurity: A View From the Front - NYTimes.com. Retrieved March 29, 2015, from http://www.nytimes.com/2013/04/12/opinion/global/cybersecurity-a-view-from-thefront.html?pagewanted=all
Jordan Tothova, K. (2014). Would NATO Go to War Over a Cyberattack? | The National Interest. Retrieved March 29, 2015, from http://nationalinterest.org/feature/would-nato-go-war-overcyberattack-11199
Libicki, M. C. (2012). Cyberspace Is Not a Warfighting Domain. Journal of Law and Policy, 8, 325–336.
Limnell, J. (2014). The Three Cyber-Security Challenges Facing Nato. Retrieved April 2, 2015, from http://www.ibtimes.co.uk/three-cyber-securitychallenges-facing-nato-1460995
NATO. (2010). Strategic Concept For the Defence and Security of The Members of the North Atlantic Treaty Organisation, 5.
NATO - News: Preparing for tomorrow: cyber defence and the New Strategic Concept, 10-Oct.-2011. (n.d.). Retrieved March 29, 2015, from http://www.nato.int/cps/en/natohq/news_77515.htm?selectedLocale=en
NATO - Official text: The North Atlantic Treaty, 04-Apr.-1949. (n.d.). Retrieved March 29, 2015, from http://www.nato.int/cps/en/natolive/official_texts_17120.htm
NATO - Official text: Wales Summit Declaration issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales, 05-Sep.-2014. (n.d.). Retrieved March 29, 2015, from http://www.nato.int/cps/en/natohq/official_texts_112964.htm
NATO - Opinion: Press Conference by NATO Secretary General Anders Fogh Rasmussen following the meeting of the North Atlantic Council at the level of Heads of State and Government during the NATO Wales Summit, 05-Sep.-2014. (n.d.). Retrieved March 29, 2015, from http://www.nato.int/cps/en/natohq/opinions_112871.htm
NATO - Topic: The consultation process and Article 4. (n.d.). Retrieved March 29, 2015, from http://www.nato.int/cps/ro/natolive/topics_49187.htm
NATO Topics - NATO and the Scourge of Terrorism. (n.d.). Retrieved March 29, 2015, from http://www.nato.int/terrorism/five.htm
Risen, T. (2014). Cybersecurity Remains a Gray Area for NATO - US News. Retrieved March 29, 2015, from http://www.usnews.com/news/articles/2014/08/14/cybersecurity-remains-a-gray-area-for-nato
Sanger, D. E. (n.d.). NATO Set to Ratify Pledge on Joint Defense in Case of Major Cyberattack - NYTimes.com. Retrieved March 29, 2015, from http://www.nytimes.com/2014/09/01/world/europe/nato-set-to-ratify-pledge-on-joint-defense-in-case-of-major-cyberattack.html?_r=0
Schreier, F. (2012). On Cyberwarfare, (7), 1–133.
Section, P. diplomacy division (PDD)-press and media. (2013). NATO Cyber Defence, (October).
Tallinn Manual Process | CCDCOE. (n.d.). Retrieved March 29, 2015, from https://ccdcoe.org/tallinn-manual.html
The statement recently: the real THREAT from Russia. Lithuania has already appealed" - News Round. (n.d.). Retrieved March 29, 2015, from http://newsround.com/the-statement-recently-the-real-threatfrom-russia-lithuania-has-already-appealed/
Vipin, K., Lazarevnic, A., & Srivastava, J. (2005). Managing Cyber Threats. Issues, Approaches, and Challenges. New York: Springer.
Wittaker, J. (2004). Cyberspace Handbook. New York: Routledge.
Woudsma, P. (2012). Cyber Defence: A Major Topic in NATO’s Transformation. Retrieved March 30, 2015, from https://www.act.nato.int/article2013-1-15
Yost, D. S. (2013). Nato Review. Retrieved March 29, 2015, from http://www.nato.int/docu/review/2003/issue4/english/art4.html
Challenges to NATO’s Cyber Security and Where They Originate From
By Mikk Raud
“It is serious. If a business gets attacked, it can go under. If our systems at NATO fail, people may die.” This is how Ian West, head of the NATO Communications and Information Agency (NCIA) Cyber Security Service Line, describes his everyday job of responding to cyber attacks launched against the Alliance. Numerical data is somewhat intimidating, as NATO’s computer servers identify 200 million suspicious cyber activities per day and counter on average five major malicious attempts per week. Luckily, such endeavours have been ineffective and thus hardly reach the news.
Next to NCIA, which plans and implements all administrative activities for the Alliance’s cyber security and responds to cyber attacks, one needs to appreciate the NATO Computer Incident Response Capability (NCIRC), which provides general defence to NATO’s networks. Having managed to absorb the attempts of infringing its own networks so far, the Alliance has shown that cyber defence is clearly a priority. Yet, technology develops on a daily basis, providing the malicious actors a chance to deploy growingly sophisticated attacks. In order not to fall behind in the increasingly evident cyber race, NATO needs to clarify its role in different types of cyber attacks and determine who and for which motives poses the biggest cyber threat to the Alliance. This paper analyses both issues and argues that threats to NATO’s cyber safety, which mostly originate from state-actors, can be best countered through efficient information sharing and equalizing member states’ cyber capabilities.
Nature Of Cyber Attacks Determines NATO’s Focus
Whereas the Tallinn Manual’s definition of a “cyber attack” assumes it to cause injury or death to persons or damage or destruction to objects, NATO has adopted a lower threshold by describing a cyber attack as “action taken to disrupt, deny, degrade or destroy information resident in a computer and/or computer network, or the computer and/or computer network itself”. This seems reasonable for addressing more realistic everyday threats, as even though many analysts have continuously anticipated a “Cyber Armageddon” where massive disruptions of critical infrastructure result in chaos and shake the world’s stability, nothing comparable has ever occurred. Though never beyond doubt, even NATO’s possible enemies mostly adhere to proportionality, distinction and other principles of just war, making it unlikely to see a state-actor carrying out such an attack even during physical warfare, let alone in peacetime. Hardly anyone would benefit from a complete breakdown of the society, except for extremely backward movements, which fortunately possess little adequate capabilities. Therefore, one can rather expect to continue seeing specifically targeted attacks with a narrow focus of imposing political influence, obtaining financial benefits or committing industrial espionage.
Starting with Estonia in 2007, several member states have experienced violations of their computer networks, initiating a debate on what type of attacks exactly belong to NATO’s responsibility. The Wales Summit Declaration provides that “the fundamental cyber defence responsibility of NATO is to defend its own networks.” Thus, it is necessary to distinguish attacks against individual member states from those against the Alliance. Hence, despite affirming the validity of collective defence in cyberspace, the Declaration clearly stipulates that the Allies must develop their independent capabilities for protecting national networks. For example, inter-private affairs, such as industrial espionage against a member state, have already earlier been said not to belong to NATO’s responsibility.
For more severe cases, the underlying question is how and if the Alliance should support its members and whether Article 5 should be invoked or not. The Wales Summit Declaration ratified that a significant cyber attack can invoke a response through Article 5, with the final right of adjudication left to the North Atlantic Council on a case-by-case basis. It is reasonable to expect that the extent of a cyber attack triggering Article 5 must certainly involve physical damage and mass casualties – a scenario which, despite its intriguing nature, is unlikely due to the incomprehensible consequences it would bring to each actor. Thus, even though it is important to continue developing the readiness of cyber-war, NATO should primarily ensure the safety of its own networks, which it has done well so far, and engage in equalizing the member states’ individual capabilities through well-coordinated information and knowledge sharing. After all, just like in conventional battlefields, the heavy weight must be borne by the member states – the Alliance is an institution to organize cooperation between the members and offer assistance to those in need.
Despite the threat of a cyber-war, NATO’s focus should remain on defensive capabilities (Photo: The Times)
Terrorists and Criminals: Testing NATO’s Cyberspace?
Ian West has noted that more than 95% of the cyber attacks NATO absorbs can be categorized as criminal activities, which do not attempt to cause physical harm, but aim to steal sensitive data. Additionally, according to Jamie Shea, the Deputy Assistant Secretary General for Emerging Security Challenges at NATO, the Alliance’s everyday challenges are emails with infected attachments, probes searching for vulnerabilities, or denial of service attacks, which do not differ much from the attacks conducted against banks, companies, scientific laboratories and regular citizens. Therefore, as NATO’s networks face similar threats as those of the member states, it is important to understand where the threats come from and tackle them together.
Resulting from various infamous attacks, some assume that terrorists should also be most feared in cyberspace. Indeed, only irrational actors could carry out an attack against critical infrastructure, such as a nuclear facility, to purposely cause mass casualties. Since most extremists’ ultimate goals justify the means, they are perhaps the actors dreaming of such cyber doomsday. Soon after the US started the air campaign against the Islamic State, the group promised to develop a “cyber caliphate” to execute large-scale hackings against the West, including NATO. Some of their endeavours have been successful, for example infringing the US Central Command’s Twitter account, or thousands of French websites after the Charlie Hebdo attack. While these small-scale defacements and denial of service attacks give enough reasons to remain cautious, surveys show little evidence anything significantly more destructive could be executed. Whereas terrorists undoubtedly belong to the concern group, much simpler means to cause mass casualties exist and therefore it is questionable how motivated such actors are to develop more sophisticated cyber skills.
Also noteworthy next to terrorists are the increasingly professional cyber criminals, who can cause greater harm due to clear focus and more elaborate strategies. The annual report of the National Cyber Security Centre of the Netherlands identifies the criminals’ ultimate motivation as earning money through conducting attacks themselves or offering services to less proficient actors. Their usual methods include financial fraud through placing malware on the victim’s systems, while trying to avoid the authorities by using border-crossing internet or host servers which ensure their anonymity. Therefore, the more efficient the internal coordination and information sharing between NATO members is, the more difficult it becomes for such actors to harm both the Alliance and member states. Assuming that the adopted policies in the New Enhanced Cyber Defence Framework, including a streamlined cyber defence governance, will become a reality, the criminals will increasingly have to target individuals and companies paying too little attention to their cyber security, rather than an alliance like NATO, which has so far managed to shield all intentions of the criminals.
State-Actors as the Leading Cyber Threat
Despite the rather slim chance of an explicit cyber conflict between states, the analysis now turns to state-actors, which are still the largest threat to the Alliance’s cyberspace, as also noted by a Senior Fellow in the NATO Cooperative Cyber Defence Centre of Excellence, Dr Rain Ottis. Firstly, a smaller issue arises from the general insufficient action to limit illegal activities in cyberspace, thus allowing terrorists and cyber criminals to take advantage of the existing network infrastructure. Even though the situation is better controlled inside NATO, many attacks still originate from within the Alliance, showing that unsatisfactory regulation of the internet is a universal problem. Secondly, despite the issue of attribution, which can often be used as a defence, it has been proven that many malicious actors are financed and employed by state entities. The countries immediately coming to mind are China and Russia, often referred to as the major threats to global cyber stability, while Iran, Syria and North Korea have been walking a similar path. Although these countries do not hide their non-aligning views towards the Western internet standards, such as freedom of speech or the applicability of international law to cyberspace, none has ever admitted involvement in any cyber attacks. Yet, there is evidence to connect numerous attacks with a respective state-actor. The following will shed light on some of the most vivid examples.
China’s People’s Liberation Army during a cyber drill (Photo: NATOSource)
To begin with, the US cyber security firm Mandiant has shown that China’s military units have been directly involved in years of large-scale cyber espionage against the West, including NATO members. Whereas the most well known example is stealing America’s most expensive military investment, the F-35 stealth fighter’s designs, the Chinese government has also been heavily suspected of inducing Chinese telecom companies such as Huawei to place backdoors into their products to ease cyber attacks against countries buying the respective devices, or simplify gathering economic or military intelligence. Yet, while China has
obtained most of the attention, some analysts consider its
already have the necessary skills. Moreover, being able
reason to be that the others just do not get caught
to hamper someone’s network does not necessarily
enough. Indeed, a fresh US threat assessment report
improve the ability to protect one’s own. Thus, the
warns that the threat from Russia is strongly underesti-
Alliance’s focus shall remain on the defensive side,
mated, bringing examples of more sophisticated and
dominated by multi-layered cooperation between
stealthier cyber attack methods than China has ever used.
states and private institutions together with moral and
Knowingly, Russia has most likely funded the attacks
political pressure on the respective states to withdraw
against Estonia, Georgia and Ukraine, while having re-
from undesired cyber acts.
cently found a new partner named CyberBerkut – a proKremlin group of Ukrainian origin, which specifically targets NATO and its allies, most lately in this March. Besides these two players, another US cyber security firm Cylance has deemed Iran as the “new China” by disclosing the so-called Operation Cleaver that has allegedly stolen myriads of data from all over the world, following the upsurge in offensive cyber capabilities after suffering from Stuxnet a few years ago.
Conclusion While the recent policies have addressed the right concerns, there is still a degree of uncertainty in NATO’s role in organising comprehensive cyber defence. NATO’s own networks have been prioritized and thus seem well protected. However, NATO consists of 28 member states, and similarly to conventional armed forces, not every ally possesses equally advanced cyber capabilities. While the chance of a cyber-war
Whereas the state-actors might be motivated to test
between NATO and its possible adversaries is rather
the Alliance’s unity and Article 5’s threshold, one can yet
slim, acts of espionage and cyber crime are the accessi-
again observe that causing physical harm has not been the
ble methods to various state-actors not having to fear a
main purpose of the attacks. Rather, widespread cyber
unified response. While obtaining adequate cyber skills
espionage aims to gain economic advantage or access clas-
belongs to each member’s own responsibility, the mu-
sified military information, whereas disrupting the nor-
tual threats against the Alliance and the member states
mal functioning of either NATO’s or its members’ net-
create a clear incentive to further intensify collabora-
works attempts to show political or ideological protest
tion and equalize the members’ capabilities. The Alli-
against the Alliance’s actions. The latter type of attacks
ance is as strong as its weakest link, which the cyber
are often concurrent with important events, such as the
adversaries are bound to take advantage of once the
parliamentary elections in Ukraine last March, or the
chance occurs.
NATO Wales Summit, during which the strength of NATO’s networks was repeatedly tested. Such challenges to NATO’s readiness are not expected to decrease and
About the author
have raised the discussion of whether the Alliance should
Mikk Raud is a third year student at the University of
also develop offensive cyber capabilities to tackle the
Hong Kong, where he is obtaining a Bachelor’s degree
threats more effectively. However, as Dr Ottis has ex-
in Government & Laws. Prior to starting his current
plained, just like the Alliance does not have nuclear weap-
exchange semester at Tsinghua University, Mr. Raud
ons or aircraft carriers, it is also not reasonable to build
completed an internship at the Estonian Embassy in
offensive cyber capabilities, since several member states
Beijing. He is also currently involved in a research pro-
Atlantic Voices, Volume 5, Issue 4
11
ject on China’s cyber capabilities, strategies and organisation in cooperation with the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.
Bibliography

"Cyber Definitions." NATO Cooperative Cyber Defence Centre of Excellence. 2015. Web. 3 Apr. 2015.
"Cyber Security." NATO Communications and Information Agency. 2014. Web. 3 Apr. 2015.
"Cyber Security." NATO. 19 Jan. 2015. Web. 3 Apr. 2015.
"NATO Websites Targeted in Attack Claimed by Ukrainian Hacker Group Cyber Berkut." ABC News. 16 Mar. 2014. Web. 3 Apr. 2015.
"Wales Summit Declaration." NATO. 5 Sept. 2014. Web. 3 Apr. 2015.
Ames, Paul. "NATO Faces About Ten Serious Cyber Incidents Each Month." Atlantic Council. 23 May 2014. Web. 3 Apr. 2015.
Cendrowicz, Leo. "Nato Frontline in Life-or-death War on Cyber-terrorists." The Guardian. 30 Oct. 2014. Web. 3 Apr. 2015.
Charlton, Corey. "Islamic State Jihadists Planning Encryption-protected 'cyber Caliphate' so They Can Carry out Hacking Attacks on West." Daily Mail. 11 Sept. 2014. Web. 3 Apr. 2015.
Clapper, James R. Worldwide Threat Assessment of the US Intelligence Community. Rep: Senate Armed Services Committee, 2015. Web. 7 Apr. 2015.
Cyber Security Assessment Netherlands 2014, National Cyber Security Centre. 2014.
Gady, Franz-Stefan. "Russia Tops China as Principal Cyber Threat to US." The Diplomat. 3 Mar. 2015. Web. 7 Apr. 2015.
Jones, Sam. "Nato Summit on ‘high Alert’ for Cyber Attack." Financial Times. 3 Sept. 2014. Web. 3 Apr. 2015.
Krause, Hannes. "NATO on its way towards a comfort zone in cyber defence." The Tallinn Papers (2014).
Limnell, Jarno. "NATO’s September Summit Must Confront Cyber Threats." Breaking Defense. 11 Aug. 2014. Web. 3 Apr. 2015.
Mcwhorter, Dan. "Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators." Mandiant. 18 Feb. 2013. Web. 3 Apr. 2015.
Morgus, Robert. "NATO Tries to Define Cyber War." Real Clear World. 20 Oct. 2014. Web. 3 Apr. 2015.
Nakashima, Ellen. "Confidential Report Lists U.S. Weapons System Designs Compromised by Chinese Cyberspies." Washington Post. 27 May 2013. Web. 7 Apr. 2015.
Ottis, Rain. "Interview on Possible Cyber Attackers." E-mail interview. 25 Mar. 2015.
Pinto, Delwyn. "Sandworm: Russia Backed Cyber Criminals Targeted EU, NATO." TechWorm. 14 Oct. 2014. Web. 3 Apr. 2015.
Schmitt, Michael N. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge UP, 2013. p. 92.
The World in 2020 – Can NATO Protect Us? The Challenges to Critical Infrastructure. Rep: NATO Emerging Security Challenges Division. 10 Dec. 2012. Web. 3 Apr. 2015.
What Cyber Changes: Using Ethics to Inform
By Henri Collis

With cyber security making headlines with stories that feature rogue states, Hollywood and the US Federal Government, it has never been more high profile. This is symptomatic of the fact that, as the world becomes more connected, the type and volume of information stored and transmitted is expanding in a way that introduces new risks and a fresh set of considerations for defence and security. Understanding how the game has changed is, however, fragmented and addressing these risks requires grasping not only the implications of cyber war in an operational sense, but also its complex relationship with the evolving nature of conflict.

As the ways and means for cyber offence and defence have multiplied, there has been a realization of the need to consider the ethical implications of their use. Indeed, extensive debates have taken place about how conflict may proceed in cyberspace. Examining this through an ethical lens seeks to understand how considerations of what is just and fair can be incorporated in the debate on cyber security.

Implications at the Operational Level

Understanding whether there are direct legal corollaries between conventional and cyber conflicts is fraught with difficulty. Some discussions are straightforward, e.g. a cyber attack that uses network infrastructure in a neutral country as a proxy is akin to using their airspace for unauthorised overflight, which would be illegal under international law. Other legal definitions are harder to transpose. For example, the definition of an act of force entails that the attack must cause physical or personal damage. When considering the potential impact of a cyber attack, this definition would appear to exclude an attack on the financial sector; but such an attack might have the potential to cause immeasurable economic damage to a nation, supporting the strategic aims of their adversary in a conflict but still not crossing a legal threshold that allows for a response.

NATO's own Cooperative Cyber Defence Centre of Excellence in Tallinn convened a group of experts in 2013, producing a 300-page tome to help doctrine-writers, advisors and decision makers understand this complex domain. The discussions about the nature of conflict have examined the interplay of law and ethics, looking at concepts such as aggression, discrimination, proportionality and attribution – the bread and butter of the law of armed conflict.

Beyond the Cyber Domain: Hybrid Warfare

Analysis of how ethics applies to cyber operations is focused on the technical application of cyber means themselves, but in reality the cyber domain is considered as one tool among others for affecting an adversary. In this sense, the emergence of new technology is not the only driver of change; the first decade and a half of the 21st century has seen new ways of integrating different domains of interstate competition and influence to project power, challenging the way military strength is considered and used.

While cyber attack is only one among multiple elements in this new, blended or ‘hybrid’ approach, its flexibility and ubiquity means it can be employed in various ways throughout this type of campaign - using proxies to manipulate opinion through cyber-enabled information operations or denying communications infrastructure to inhibit decision making. The key point when examining the ethics of using cyber means to project power in this way is that any response does not necessarily have to be via cyber means.

Retaliation can however take different forms, from the projection of soft power, or political leverage through international fora, to conventional kinetic operations. A response through other means, however, is still governed by the Law of Armed Conflict so principles such as discrimination and proportionality must be carefully considered. But determining what is proportional when transposing actions from the cyber domain to political or kinetic actions again raises a set of complex legal questions.

Moreover, the principle of attribution is particularly fraught with difficulty in cyber space and the problem of correctly identifying the perpetrator of an attack has already inhibited the actions of nations suffering a cyber attack. This is compounded by the use of proxies as well as the spontaneous actions of motivated citizens. The result is a diminished ability to quickly and accurately attribute cyber attacks, meaning the ethical basis and legality of any response is undermined. This challenges the principles of what good conduct looks like in a reconstituted form of conflict that crosses different domains, and demands reconsideration of the ethical and underlying legal questions.

An Evolved and Perennial Competition

At a further level of abstraction these questions of attribution are key to understanding how concepts of cyber defence are part of a more fundamental evolution in the nature of conflict and interstate competition. Competition between state and non-state adversaries now sees military, informational, and electronic means being directly used to create political outcomes. This differs from a traditional concept of war whereby states seek to set military or security conditions for a political result.

This shift in the nature of conflict, described by Emile Simpson in War From the Ground Up, has been brought to light by understanding the complexity of counterinsurgency over the last 15 years. This was made evident by NATO’s experience in Afghanistan where the simple and traditional 'bi-polar' model of two states confronting each other no longer applied. The conflict can be viewed as highly fragmented and exploited by actors at multiple levels for various political and economic goals. In some cases these actors opportunistically adopted the language and activity of insurgency, as if it were a franchise that they could buy into. Externally this had the effect of making the insurgency appear more coherent and unified than it really was, when in fact many of the groups conducting operations at a local level were not motivated or controlled by a centrally administered Taliban.

This analysis of what was a relatively low-tech conflict might seem a long way from cyber warfare, but assuming that states are currently unlikely to engage overtly in activity that crosses thresholds for armed attack, which provoke a stronger response, then the issue of attribution elevates the role of cyber warfare as an integral part of how they compete - utilizing a diffuse, unattributable set of actors for its execution akin to the franchisees in an insurgency.

The shift from something recognizable as bi-polar interstate warfare to fragmented and lower level struggles in this way describes a type of conflict that blends violence or the threat of violence with other domains such as cyber attack, and challenges where the boundary for something recognisable as war now lies. It brings a new level of uncertainty and raises the likelihood of a new type of security challenge for NATO to address, i.e. a conflict that is protracted and perennial but falling short of open hostilities that would clearly be subject to the law of armed conflict.

Conclusion

This shifting of traditional boundaries and reconsideration of conflict highlights the ethical questions around the use of cyber means; uncertainty around ethical use becomes amplified in this context. In this mix, it is essential for policy makers to grasp these debates, to understand how and why the boundaries around where a conflict begins and what it looks like are changing, and to see cyber in as wide a context as possible to understand the full spectrum of its impact.

Despite the complexity around the use of cyber in this type of conflict, the simple answer is to improve the cyber security and information assurance of states and their allies to deny adversaries benefits in the cyber domain. NATO members, however, have different levels of ability in this regard. The creation of pan-Alliance standards through the NATO Defence Planning Process and the sharing of best practice from technology to policy have begun and these must be followed through to ensure all members reach a secure baseline of protective and defensive measures. Nonetheless, policy makers need to prepare for the complex ethical dilemmas raised by the potential need to respond to a cyber attack as part of a more ephemeral but enduring conflict. When this emerges decisions will need to be made quickly, meaning there can be little time for lengthy debate - the more thinking and preparation can be done ahead of a real situation the better.

In the short term this calls for alliance members to engage in national and international exercises with both military and civilian agencies to simulate the kind of practical complexities and ethical dilemmas that might arise. There is also a need to test readiness of cyber defences and drive coordination between allies to build a more resilient cyberspace that further enhances deterrence by denying the potential benefits of aggression or interference.

If the Alliance challenges itself in this way it can help identify where and how systems can be improved, define the interplay between different elements and domains of conflict, but also make clear where skills need to be developed to support long term improvement. These are big questions and the debates around them have a long way to go.

Understanding the nature of how conflict has changed will not only inform those debates on an ethical and institutional level, but will also inform what is needed for an effective policy response on a practical level.
About the author

Henry Collis works at the UK Cabinet Office. His previous experience includes spending three years at HQ ISAF in Kabul as an assessment analyst and seven years working across the Middle East as an analyst and consultant. He was a UK Delegate to the NATO Future Leaders Summit in Wales in 2014.

Bibliography

Emile Simpson, War From The Ground Up, Columbia University Press, 2012.
Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press, 2013: https://ccdcoe.org/tallinn-manual.html
ATA Programs

On April 28th the NATO Council of Canada will host a conference on Women, Peace and Security in cooperation with the Royal Canadian Military Institute. Speakers include: NATO’s Special Representative for Women, Peace and Security, Amb Marriet Schuurman; Hon. Mobina Jeffer, US Senator; and Almas Jiwani, President at the UN Women Canada National Committee.

The Bulgarian Euro-Atlantic Youth Club has the pleasure of inviting participants to the Second NATO Summer School 2015, which is a one-week international seminar focusing on some of the most important security aspects for NATO in the period after 2014. The seminar will take place on the 30th May - 7th June 2015 in Smolyan, Bulgaria.

This year’s seminar will focus on key topics such as preparing for threats in emergent spaces, including cyber space and maritime security, Smart Defence and planning for the future in times of austerity, NATO's role as a global security actor, NATO-Ukraine cooperation for 2015, NATO-Russia relations, women’s role in peace and security, war against terrorism, and NATO transparency and reforms. Topics like these we would like to shed light on through discussions, panel debates and group activities. The seminar will go through a direct contact between young people, representatives of NGOs, media, representatives of governments, panel discussions, workshops and debates, presented by experts, professors and competitive speakers.

Atlantic Voices is always seeking new material. If you are a young researcher, subject expert or professional and feel you have a valuable contribution to make to the debate, then please get in touch. We are looking for papers, essays, and book reviews on issues of importance to the NATO Alliance. For details of how to submit your work please see our website. Further enquiries can also be directed to the ATA Secretariat at the address listed below.

Editor: Flora Pidoux

Images should not be reproduced without permission from sources listed, and remain the sole property of those sources. Unless otherwise stated, all images are the property of NATO.

Atlantic Voices is the monthly publication of the Atlantic Treaty Association. It aims to inform the debate on key issues that affect the North Atlantic Treaty Organization, its goals and its future. The work published in Atlantic Voices is written by young professionals and researchers.

The Atlantic Treaty Association (ATA) is an international nongovernmental organization based in Brussels working to facilitate global networks and the sharing of knowledge on transatlantic cooperation and security. By convening political, diplomatic and military leaders with academics, media representatives and young professionals, the ATA promotes the values set forth in the North Atlantic Treaty: Democracy, Freedom, Liberty, Peace, Security and Rule of Law. The ATA membership extends to 37 countries from North America to the Caucasus throughout Europe. In 1996, the Youth Atlantic Treaty Association (YATA) was created to specifically include the successor generation in our work.

Since 1954, the ATA has advanced the public’s knowledge and understanding of the importance of joint efforts to transatlantic security through its international programs, such as the Central and South Eastern European Security Forum, the Ukraine Dialogue and its Educational Platform.

In 2011, the ATA adopted a new set of strategic goals that reflects the constantly evolving dynamics of international cooperation. These goals include:
◊ the establishment of new and competitive programs on international security issues.
◊ the development of research initiatives and security-related events for its members.
◊ the expansion of ATA’s international network of experts to countries in Northern Africa and Asia.

The ATA is realizing these goals through new programs, more policy activism and greater emphasis on joint research initiatives. These programs will also aid in the establishment of a network of international policy experts and professionals engaged in a dialogue with NATO.

The views expressed in this article are entirely those of the authors. They do not necessarily represent the views of the Atlantic Treaty Association, its members, affiliates or staff.

This publication is co-sponsored by the North Atlantic Treaty Organization