NATO Strengthens Its Cyber Stance
Committed to a collective defense, the alliance and its members face myriad digital threats.
Amid stunning digital attacks that have not only rocked countries around the globe but also targeted alliance forces, NATO is sharpening its resolve to serve as a cyber protector. A forthcoming Cyber Operations Center will incorporate cyber warfare into NATO’s defense operations. In addition, NATO’s Cooperative Cyber Defence Centre of Excellence is boosting the organization’s cybersecurity-related research, exercises and instruction to meet the seemingly unending threats.
The effort to create the new Cyber Operations Center reflects NATO’s focus on making cybersecurity a top priority, according to NATO Secretary-General Jens Stoltenberg. The Cyber Operations Center would integrate NATO members’ growing cyber warfare capabilities within NATO’s traditional military response for both offensive and defensive operations. “[Defense] ministers will decide on ways to integrate cyber into all NATO planning and operations so we can be just as effective in the cyber domain as we are in air, on land and at sea,” said the secretary-general after the November decision to form the center.
The alliance also is adding two new joint force commands, one for the Atlantic and the other to support military mobility in Europe. The command for the Atlantic, which the United States will head, will help protect the ever-important undersea lines of communication between North America and Europe. NATO’s defense ministers approved the command expansion February 14. Stoltenberg stressed that these steps were necessary to ensure that the alliance is fit for the challenges it faces.
“The threat emanating from Russia, out-of-area operations and concerns about the alliance’s southern flank mean NATO must respond,” Stoltenberg said. “We will have an increased focus on maritime, logistics and movement, situational awareness and cyber defense so that our forces can be in the right place, at the right time, with the right equipment. These decisions will make NATO stronger and more agile to protect our almost 1 billion citizens.”
The new cyber center will be an operational complement to NATO’s Tallinn, Estonia-based Cooperative Cyber Defence Centre of Excellence (CCDCOE), which has been a hub for NATO’s cyber defense—in addition to the alliance’s network operations center and computer emergency response teams (CERTs). The CCDCOE combines cyber technology, strategy, operations and law expertise to provide “a 360-degree look at cyber defense,” according to the agency.
However, the CCDCOE was designed only as a research facility or think tank, outside of NATO’s military command structure, explains Kenneth Geers, a senior research scientist at Comodo and a CCDCOE ambassador. Geers, who specializes in NATO cybersecurity, helped form the CCDCOE in 2007. “NATO has always made it clear that CCDCOE was not operational so the Russians wouldn’t bomb it or target it with propaganda,” he shares.
But that has not stopped Russia’s interference with CCDCOE efforts. Threat intelligence firm Cisco Talos reported that the well-known Russian cyber espionage group APT28, aka Group 74, had targeted the agency’s CyCon U.S. conference website last November. The group used information from the website as a decoy in a malicious campaign to deliver malware. The CCDCOE, which organized CyCon U.S. with the Army Cyber Institute at West Point, said Group 74’s actions were “clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cybersecurity.”
Since then, the CCDCOE carried out—for the first time—several simultaneous kinetic and cyber operations as part of its February Crossed Swords exercise. Held in Latvia in conjunction with that country’s CERT, the exercise focused on improving cooperation and information sharing among civilian organizations, critical information infrastructure providers and military units.
The simulation used mobile network technologies to identify targets and conduct drone surveillance, along with fifth-generation (5G) wireless network sensors to acquire location and other data. When a target was not reachable through cyberspace, military units deployed kinetic weapons. The exercise included about 80 participants from 15 countries and focused on enemy, or red team, posturing to have a “complete inside-out understanding of the most current cyber threats,” according to the agency. The exercise is a complement to the CCDCOE’s Locked Shields, a more extensive advanced live-fire cyber defense exercise.
The CCDCOE also is expanding the reach of its cyber education. In January, NATO’s supreme allied commander appointed the agency to coordinate all cyber education and training for cyber defense operations within NATO. The agency will work closely with NATO’s Allied Command Transformation in Norfolk, Virginia, to ensure the availability of such activities across the alliance.
These steps are important, Geers says, as NATO enhances its cyber posture. The alliance’s 2016 Warsaw summit—and the previous 2014 Wales summit—paved the way for a stronger cyber defense, he notes. At that time, NATO confirmed that international law applied to activities in cyberspace. And NATO determined that cyber defense should be one of its core tasks. “The big thing from the 2016 Warsaw summit was that the allies declared cyberspace to be a military domain of operations, like the land, air and sea, and that it would be protected as such,” Geers says. “Now NATO has a whole group of soldiers that protect cyberspace, which is really pretty interesting because the geographical space of NATO is enormous.”
Likewise, each ally pledged to protect cyberspace and make its defenses interoperable with NATO, coordinate investigations with the European Union (EU) and collaborate with companies within the alliance, Geers says. “That is important because of the supply chain threat as well,” he adds, warning of the cyber threats to less-secure networks that link industry.
The details of NATO’s treaty do present a challenge, Geers also points out. NATO’s efforts rely on the voluntary commitment of forces by each nation. “It’s in the fine print that nations don’t have to participate. While it’s ‘one for all and all for one,’ it’s not required to participate in a NATO military campaign,” he says. Another concern is internal espionage. “If I am in place to read [or protect] your emails, I can also change them. Cyber espionage is the evil twin of cyber attack.”
The members are going to have to “seriously limit espionage within the alliance,” he stresses. “Because of that uncertainty and the real desire to strengthen NATO to work nationally and to have a greater sphere of security within cyberspace, we must see either a voluntary or formal agreement to limit cyber espionage within the alliance.”
The relationship with the EU also could be improved, Geers suggests. “There is proactive intelligence sharing and reactive intelligence sharing and collaboration with the EU that needs to happen,” he says. “With NATO being primarily a military body and the EU being a political body, you really need both, given the nature of cyberspace.”
To be stronger, NATO needs to contend with competing priorities across nations and deconflict them. “It is important that with all of the uncertainty about cyber operations that there is deconfliction,” Geers recommends. “The CCDCOE is one organization that can help bring parties together to deal with the various bureaucracies that have different cyber interests.”
He asserts that NATO should address what is happening within the Shanghai Cooperation Organization, whose members include China, Russia, Pakistan, India and former Soviet republics Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan. “The Shanghai group, they have their own priorities,” Geers cautions. “It is important that NATO nations and NATO itself be aware of what is happening in relation to this group and others and be ready to defend democracy and cybersecurity.”
He also identifies increasing risks from malware and the reweaponization of code. “All coders are using the same libraries of code, and hackers do the same,” Geers states. “So you can steal another nation’s code and replace its command and control infrastructure or replace the payload. The payload will do something, such as steal data, block data or modify data. And if you have a malware sample that has an exploit paired with a vulnerability, you can replace the command and control infrastructure, and essentially you have reweaponized it.”
Examining the relationship between network traffic and geopolitical events may be important, he observes. In data Geers reviewed recently, he saw a huge spike in Japanese malware activity last summer, roughly at the end of August, which dovetails with North Korea firing a missile over Japan. “I don’t know that they are directly related, but some of the data are eerily hard to explain away,” he says. Interestingly, while Japan is not one of NATO’s 29 member countries, it recently joined the CCDCOE, a sign, according to Merle Maigre, the CCDCOE’s director, of “the commitment in cyber defense cooperation between like-minded nations.”
In Geers’ opinion, social media still remains “really quite vulnerable,” and again, Russia’s footprints have been spotted. In the United States, “We don’t have a lot of experience with heavy state propaganda,” he says. “Russia has been active in this kind of game much longer than we have. Their influence operations are ‘providing information’ or ‘evidence’ to people already inclined to believe what they see on social media. And all Russia has to do is feed them what they want to see or read. And although we are now more aware of it, it could happen again, easily, unless we do something.”
He quips that “the Russians, of course, would say there is no proof of hacking.”
Geers adds that it is wise for the United States to continue to invest in NATO. “First, it gets a lot out of it,” he says. “I think that the EU and NATO have largely been successful in keeping peace in Western Europe since World War II. The problem now is that Russia wants to chip away at that.”
NATO’s stance on Russia is a dual-track approach pursuing defense and dialogue, according to Stoltenberg. “We see a more assertive Russia,” the secretary-general said in February. “We have seen, especially since 2014 with the illegal annexation of Crimea, with Russia being responsible for destabilizing eastern Ukraine, we’ve seen a pattern where Russia is more assertive and where Russia has been responsible for violating international law. We are responding in a defensive, proportionate way. The purpose of having a strong NATO is not to provoke a conflict, but it is to prevent a conflict.”