This week I attended the #NATOtalk16 conference held at the (infamous) Hotel Adlon, along with a pre-session discussion with the youth arm of the German Atlantic Association (YATA). This was a great few days with a dedicated ‘cyber security’ group which was great. There are recommendations which were written by all participants (available here), where my short paper on the future of NATO and deterring digital ‘warriors’ (one which I don’t like, but worked with) is. This is also shown below.
It was interesting to see NATO respond to the election of Trump and the future of Germany within Europe in the context of Brexit. The event was in partnership with the British Embassy, Berlin and it was clear there was an emphasis that Brexit does not damage the relationship with NATO. However, with Germany’s new security doctrine published in the Weißbuch (White Book) German/English which gives a more assertive stance to Germany’s positioning, with a growth in spending and in particular citing Russia as a core concern. This has provided me with some interesting background and context for my thesis project in malware ecology, and how this is being thought of in more international relations circles.
Fluid Operations: NATO and Cyberdeterrence
Multiple actors, lack of attribution, and hybrid action are all part of modern warfare. The growth of the internet and other digital systems has rapidly led to cyber security becoming a serious concern, from
individual users to (inter)national security. This short piece examines NATO and its ability to deter actors who attempt to subvert its collective security. This follows an analysis of current difficulties in deterrence, namely difficulties with attribution, low engagement barriers, and multiple actors. These concerns are then folded into avenues for further exploration in defence and offensive operations, and what blended or hybrid responses may entail. An exploration of these issues concludes that the distinction between defensive and offensive operations in cyberspace are fluid, where ‘active defence’ utilising situational awareness provides the best deterrence for most actors.
Alertness to cyber security sharpened with attacks against Estonia in 2007. Although never fully attributed to Russia, it exposed the potential vulnerabilities that existed among allies as dependence on assets in cyberspace has grown. Additional events in Georgia in 2008 and more recently in Ukraine have demonstrated how cyberattacks can be blended in forms of hybrid attacks that aim to destabilise states before more conventional incursions occur. NATO has responded through developing a coordinated cyber security apparatus and the formalisation of doctrine that declares that international norms of engagement apply to cyberspace.
Yet, in comparison to previous decades, there has been considerable difficulty in engaging in forms of deterrence. I identify three of the most pressing:
- Attribution: Due to the ability to mask location and to lay decoys to the origin of an attack, conventional forms of deterrence are often not applicable.
- Low Engagement Barrier: The pervasiveness of digital systems across allied and non-allied states increases the vectors and opportunities for low-skilled actors to engage.
- Multiple Actors: Due to the low engagement barrier, it is not only states that have interest in subverting NATO, but also criminals, terrorists, and hired mercenaries that may sell their services to the highest bidder.
Current policy options
We often divide defensive and offensive capacity, which enables clear doctrinal policy, but is of little use to cyber security strategy. NATO is responsible only for its own internal systems and ensuring that these integrate with allied systems. Yet, it currently has no offensive capacity of its own apart from those developed by allies.
Defensive: In all scenarios, defence of critical systems provides the best deterrence from actors in cyberspace. This includes everyday management of critical national infrastructure, ensuring good education, and the monitoring of networks along with other recognised good cyber security ‘hygiene’. My PhD research on malware ecology demonstrates that maintaining good cyber security posture often prevents many subversions at entry points to the system. Yet due to interdependencies between systems, between governments and business, there will always be deficiencies in cyber security, including the opening up of previously unknown vulnerabilities such as zero-day exploits.
Offensive: Discussions of offensive capacity in NATO often focus on the trigger for Article 5, and what an armed cyberattack may constitute. This often descends into theoretical discussions over ‘cyber weapons’, and one which I will not go into. If we disregard the latter, the options remain either symmetric or asymmetric with conventional response. The former is often difficult due to time dependencies in developing a sophisticated response after an attack. The latter could be considered disproportionate, but is an essential arsenal for deterrence.
There is a false dichotomy between defence and offence in cyberspace. Ensuring security often requires scanning for threats a priori an attack or subversion. This means maintaining a high sense of situational awareness, and one that espionage traditionally provides. Therefore, developing potential offensive operations to be deployed in case of attack provide the most appropriate avenue for deterrence. Publicly disclosing an arsenal of non-specific advanced defensive preparation may deter some attacks. This addresses proportionality, enhances situational awareness and allows for preparedness. In addition, it aids with attribution as situational awareness of an array of actors can be pinpointed with greater accuracy whilst also enabling responses that do not wrongly attribute a state for non-state actors.
- Furtherenhancedefensivecapacitythroughgoodpracticesofcybersecuritythatharmonise across allied states.
- Developanoffensivearsenalthatcanberapidlydeployedintheeventofanattackthrough ‘active defence’.
- Maintain conventional asymmetrical response.