This interview appeared in The Cyber Issue in Winter 2016.
Cyber issues are rapidly growing in importance to defense alliances. The Journal of International Affairs talked to Ambassador Sorin Ducaru, NATO’s assistant secretary general for emerging security challenges, about NATO’s efforts to improve its cyber defenses against emerging threats.
NATO officially recognized cyberspace as a military operational domain this year. Is this a significant shift for NATO?
The recognition of cyberspace as a domain of operations represents an evolutionary rather than revolutionary change in NATO’s approach to tackling current and emerging cyber threats. Having said that, we should not underestimate the significance of this decision, especially in regard to the implications of our core NATO business.
By treating cyberspace as an operational domain, NATO aims to better protect its missions and operations. It will assist in the management of resources, skills, and capabilities, and also ensure that cyber defense is better reflected in military planning, in exercises, in training, and in the way NATO responds to crises. This recognition of cyberspace as a domain may be seen as part of a strengthened response to the evolving landscape of cyber threats.
NATO will now be able to develop training, policy, and doctrine and innovate according to a more comprehensive framework that better recognizes the important role that cyberspace plays in modern operations and missions, and hence the need to be continually vigilant in protecting these digital systems from cyber risks.
This decision is also a crucial step in enabling NATO to treat cyber defense not only as a static protective discipline but as a means for mission assurance. Operational commanders will consider, in an integrated fashion, cyber defense as a mission or operation rather than a support function, analogous to the traditional domains of air, land, and sea.
Nonetheless, it is worth noting that the step of recognizing cyberspace as a domain does not change NATO’s defensive mandate. NATO will continue to act in accordance with international law and following the principle of restraint. This decision is entirely within NATO’s approach of supporting confidence building measures and norms of responsible state behavior in cyberspace.
When would Article 5 be triggered in the case of a cyber attack on a member country?
At the Wales Summit, allied heads of state and government affirmed that cyber defense is part of NATO’s core task of collective defense. As in the traditional domains of air, land, and sea, a decision as to when a cyber attack would lead to the invocation of Article 5 will be taken by the North Atlantic Council on a case-by-case basis.
Our policy also recognizes that international law, including international humanitarian law and the UN Charter, applies in cyberspace. It’s reasonable to expect the severity and impact of such an attack to be considered, within the context of the broader geopolitical situation, during consultations by allies in advance of any North Atlantic Council decision.
To sum up, Article 5 was not meant to be triggered with automaticity. It will always be a result of political consultation in a specific security context. The response itself will also be a consequence of these political consultations. What is important to note, however, is that a response to a cyber attack would not automatically imply only the use of cyber means. It could consist in diplomatic, political, economic, cyber, military, or indeed any other response that allies deem as the most appropriate in specific circumstances.
Is this extended definition both defensive and offensive?
It is important to make clear that NATO has a defensive mandate. NATO’s main aim has always been to deter and prevent major conflict or war and it was quite successful in doing this during the Cold War. This is why NATO has also affirmed that international law applies in cyberspace. In Warsaw, NATO reaffirmed its defensive mandate and commitment to act in accordance with international law.
This means the application of the well-known principles of self-defense, necessity, proportionality, and discrimination in NATO’s conduct. At the Warsaw Summit, allies recognized “cyberspace as a domain in which NATO must defend itself as effectively as it does in air, on land or at sea.”i This recognition places the contribution cyber defense can make to the success of a mission on equal footing to those operations on land, in air, and at sea. Now, as is patently obvious, there are some very important challenges around applying these definitions to the cyber domain, but the point is we are not getting rid of these well-established principles just because cyberspace is now recognized as a new domain of operations.
It is important to see what we can take from the other domains in terms of refining how we operate in cyberspace. For example, cyber is often called a “global commons” and its characteristics have a lot in common with the high seas, especially in the way both cyberspace and the high seas are critical for international trade. Just as the protection of freedom of navigation is a key strategic goal in many navies, there is a need to work on protecting the unfettered nature of cyberspace. It is precisely these issues that will need to be developed as we continue our work in implementing the decisions in Warsaw.
Does NATO have a cyber deterrent? Is it even possible to build one?
As reflected in the Warsaw Summit communiqué, “cyber defense supports NATO’s broader deterrence and defense.”ii In general, NATO has a wide range of instruments that it may bring to play in an incident or crisis, from diplomacy to military means. NATO does not stipulate a priori how it will respond to a cyber attack, or limit itself to any specific instrument. This flexibility in approach, along with the allied sense of unity and resolve, brings an important contribution to NATO’s deterrence and defense posture.
A more theoretical answer to this question depends on how you define and understand deterrence and what makes a deterrent. If, for example, you understand deterrence as being about denial of any possible gains that an adversary might get through attacking you, then I would have to say NATO already has a cyber deterrent. The investment we have put into our cyber defense capabilities through the centralized protection offered by NATO’s Computer Incident Response Capability (NCIRC) is testament to this. The fact that we constantly upgrade our approach and cyber defense capabilities commensurate with the threat, as shown by the decisions in Warsaw, is also evidence of how we strive to better support our deterrence and defense.
NATO also benefits from deterrence by entanglement. NATO benefits from the globalized, interconnected, and interdependent nature of cyberspace because the potential for cyber attacks rebounding upon the attacker is ever more clear.
Finally, although NATO is not a norms setting organization, it benefits from deterrence by norms. NATO has stated its support for the process of international norms and rules of the road for responsible state behavior pursued by the UN Group of Governmental Experts and the second generation of the OSCE’s Cyber Confidence Building Measures released in March 2016.
NATO has adopted and later improved its policy after cyber attacks on Estonia in 2007 and following the war in Ukraine in 2014. How do you answer critics who say this approach is insufficiently proactive?
I would respond that NATO’s approach has been aimed to balance the dynamics of the threat landscape with the need to be always responsible and measured in its policies and actions. Considering the landscape of international organizations, NATO has been quite active and comprehensive in bringing cyber to the core of its agenda and will continue to do so in a proactive and responsible manner.
NATO has been actively supporting efforts by allies to address the challenge of cyber attacks for some years. The history of NATO cyber defense goes back to its recognition in the Prague Summit in 2002 with the decision to create NCIRC. Since then, we have made a sizable investment into the full operational capability of NCIRC and expanded it to the chain of new small headquarters established in the east of the alliance. We have integrated cyber defense into the air command and control system, alliance ground surveillance, and ballistic missile defense capabilities. We have also integrated cyber defense into defense and operational planning, crisis management process, and our broad offerings across training, education, and exercises.
Recognizing that to succeed in cyber defense it is necessary to work together, we have also been systemically strengthening our partnerships, including with non-NATO nations and with international organizations. We follow and welcome the OECD’s work and our cyber defense partnership with the EU continues. In February 2016, NCIRC signed a technical arrangement with the EU’s Computer Emergency Response Team and cyber was mentioned as one of the areas of cooperation under the joint NATO–EU declaration announced at the Warsaw Summit.
It is worth bearing in mind that the evolution of NATO’s approach to cyber defense is not just driven by events. Although the cyber attacks in Estonia and the cyber incidents that occurred more recently in the context of the crisis in Ukraine provide the backdrop for how our policy has developed over the years, this evolution has always been with an eye on keeping NATO resilient in the face of a range of threats. This is exactly what has happened with the recognition of cyberspace as a domain of operations.
More and more we see that cyber operations are regarded by the military as just another option to deliver mission success. Furthermore, an increasing number of allies have already taken or are in the advanced stages of taking the step of recognizing cyberspace as a domain or environment of operations. Finally, we see a marked uptick in the seriousness of cyber attacks with increasingly tangible implications, including damage to infrastructure and property and exfiltration of data relevant to the national security of allies and partners.
At the same time, NATO supports the process of norms and cyber rules of the road regarding responsible state behavior for an open cyberspace, which has been such a tremendous engine for economic and social growth. So, as is obvious, we have achieved quite a lot but there is always more to be done. For example, nurturing trust between different players through partnership and cooperation activities is something that demands constant attention.
All systems will not work 100 percent of the time in cyber conflicts. How does this reality compare with previous philosophies of defense?
Indeed, this is the case. In NATO, like many organizations, we have a mature process of risk assessment and management whereby we have to consider our vulnerabilities against the likely threats and the impacts of different types of cyber attacks. This helps us prioritize and focus our efforts to those risks that are most likely and have the potential to do the most damage. NATO is a defensive alliance, so this risk management mindset is ingrained in our culture, especially when it comes to planning for the resilience of our missions and operations.
This question also brings us back nicely to the recognition of cyberspace as a domain. This decision can be thought of as a major implication of accepting that there is no such thing as 100 percent security. In recognizing cyberspace as a domain, we have to shift the focus of the purpose of cyber defense from merely providing for the confidentiality, availability, and integrity of information—what we refer to as “information assurance”—to instead focusing on operational outcomes and the role that cyber defense can play in providing for the success of a mission—in other words, “mission assurance.”
There are no places we might consider wholly free of insecurity in cyberspace. Instead, we have to learn to work according to the theory of “assumption of breach.” That is to say, we assume that the systems are insecure and plan accordingly. This means in practice putting a focus on defense in depth (which again contributes to the ideal of deterrence by denial), making sure that we have the systems in place to identify, monitor, and address insider threats, and compartmentalizing our critical systems and making sure we have suitable contingency arrangements in place.
Essentially, this means we need to be resilient, ensuring that no matter what the scale or seriousness of a cyber attack, we can always succeed.
When does cyber espionage become a cyber attack?
The short answer is that, again, it depends on context. Considering the cyber incidents against NATO networks, every day our sensors detect around 240 million suspicious events—most of which are handled automatically. Out of those, around 4,000 per year are handled by our experts.
This shows that NATO (which is by no means the biggest organization in the world) needs to be able to distinguish the “signal” of something real from the “noise” of continued background activity. Again, as we have seen with the discussion on the invocation of Article 5, much will depend upon context.
In 2013 a group of independent experts published the Tallinn Manual, under the auspices of the NATO accredited Cooperative Cyber Defense Centre of Excellence.iii While it is not official NATO policy, it details 95 rules about the applicability of international law in the case of cyber attacks, including analysis on cyber intelligence operations as they relate to use of force and armed attack. Later in 2016, an updated version of this scholarly work, known as Tallinn Manual 2.0, will be published and is intended to cover attacks falling under the threshold of “armed attack.”
Several NATO members have experienced what they believe are cyber attacks coming from Russia, but NATO has never publicly attributed those incidents to Russia. Why?
Attribution of cyber attacks is a thorny question. First, there is the issue of technical attribution. This is challenging to accomplish for various reasons, not least the technical nature of cyberspace where anonymity is built into the protocols and infrastructure. It is important, however, to acknowledge that modern tools regarding cyber analytics and forensics have significantly increased the potential for cyber attack attribution.
Another important aspect to emphasize is the fact that information and analysis exchange among allies and with partner entities (including industry) has significantly increased our situational awareness, including with regard to the sources of attacks. Furthermore, if technical analysis and forensics is corroborated with human intelligence, attribution of cyber attacks can be addressed with a high degree of confidence.
Since NATO does not have intelligence assets of its own (but relies on member states), it is understandable why such public attribution of attacks is performed by nations who own the relevant intelligence.
NATO accepted a Cyber Defense Pledge. What does it mean in terms of meeting the alliance’s 2 percent spending goal?
The 2 percent spending goal comes from the Wales Summit, where allies committed to dedicate 2 percent of their GDP to defense spending. The Cyber Defense Pledge is a separate initiative. In a similar vein, it represents a political commitment by allies to strengthen the cyber defenses of national systems and networks, as a matter of priority.
This commitment is important. Understanding the return on security investment is difficult enough in industry, but with national cyber defense spending it is orders of magnitude harder due to the difficulty of understanding just what constitutes spending on cyber defense.
Understanding how much “bang for your buck” you get with cyber defense spending is a relatively new discipline, even in the private sector. You might spend the same amount of money on different things and get widely different results. For example, you spend all your budget on the latest and greatest cyber defense technology, leaving little for the human resources that are key assets in cyber defense. Or, you dedicate all your resources to training and exercising, but your technical experts are stuck with second-generation technology meaning they are working with one hand tied behind their back.
To a certain extent this dynamic is true of defense spending more generally, but the rapidity of the threat landscape, corresponding pace of technical innovation, and cost of recruiting and retaining top-notch talent make understanding this question of resourcing all the more complex. We are currently developing some detailed metrics related to the Cyber Defense Pledge and will report at next year’s summit how each nation will deliver on its cyber commitments based on these metrics.