With the fourth NATO Conference on Cyber-Conflict (CyCon) still in progress, it seems almost churlish to ask whether a military alliance from the Cold War – created to prevent Soviet tanks from rolling over Europe – is really the right organisation to be hosting these discussions.
The conference is taking place in the mediaeval old-town section of Tallinn, the capital of Estonia – a country many people will know for suffering (and surviving) a massive and politically motivated DDoS attack in 2007. It’s also home to NATO’s Cooperative Cyber Defence Centre of Excellence (CCD COE).
The question of NATO’s suitability as a focus for cyberwar activities was raised by one of its most senior officers. Maj-Gen Jaap Willemse, one-time fighter pilot in the Dutch air force and now Assistant Chief of Staff at NATO and commander of a C4I unit, was the conference’s keynote speaker. After his presentation, I bearded Gen Willemse and asked for a little clarification.
‘Deterrence’ is a word that is cropping up frequently at the conference. Willemse touched on it briefly in his presentation, though not everyone was impressed with the idea. Security researcher Florian Walther, in his own presentation, said of deterrence, “Will it work in cyberspace? Not a chance. We need to get those Cold War ideas out of our heads.”
It also seems unlikely that NATO can create any kind of deterrence, given Willemse’s rather bold assertion that the organisation does not need an offensive cyber capability. Rather, NATO’s role is one of intelligence sharing and co-ordination. This isn’t so different to its role in the world of kinetic warfare (shooting people and blowing stuff up). After all, NATO has no troops – it’s up to member nations to actually provide warfighters.
Deterrence in a cyber context is an interesting notion when the military is directly involved. Cyber operations are not viewed as an entirely separate domain: they are a component in a NATO country’s military doctrine. So, if you DDoS the critical infrastructure of a member nation, they’re going to come after your Command & Control servers with something more serious than a court order.
But, of course, deterrence has no meaning unless you have an offensive capability.
“I think you need to keep all options open,” said Willemse. “If we look at what’s happening now with taking out of individuals of terrorist networks, that’s a kinetic action. If that same organisation had a cyber capability you could respond in a kinetic way or in a cyber way.”
However, drone attacks and the way that Stuxnet leaked out on to the Internet and infected innocent parties are both controversial issues. “I know, so that’s never going to happen, I think, ‘at 28’,” said Willemse, using the term to mean agreement or action involving all 28 NATO countries. “It will be individual nations who will respond.”
So, if NATO doesn’t develop an offensive cyber capability, what does it do?
“Information sharing doesn’t hurt,” said Willemse. “What we need in NATO is what you could call cyber situational awareness, or a common cyber picture. [In the military world] We have an expression, a Common Operational Picture [COP], so that we all have a common view of what is happening outside. I think we should have something like that on cyber as well.”
To achieve an effective COP you need data fusion from a lot of sources. In the cyber realm, these can’t be confined to military and intelligence sources: you need data from the commercial and civil sectors too. And civilian organisations are not known for being keen to share their information.
“The data needs to be provided primarily by the nations,” Willemse told me. “I think you can work your way around, in that you use the nation as the fusion point. It’s what we do in the intelligence world as well, and I see a lot of similarities in cyber and in the intelligence world, because NATO depends on the nations to get its intelligence. And the intelligence world is very much a bi- and multi-lateral world. And I think cyber is similar.”
Shared intel underpins what Willemse calls ‘active defence’ – being informed and ready, and also being able to provide intelligence to member states so they can mount a (hopefully) informed and appropriate response. “I think that intelligence is something that’s really important to be able to defend yourself in a better way,” he said. “And I think that’s less controversial as well. It’s stupid just to sit and wait and react, react, react.”
There’s also the somewhat poorly understood significance of Article 5 – the part of the NATO treaty that roughly translates as ‘all for one and one for all’. As an attacker, you could face more than one nation laser-designating your laptop. Or not.
“When one nation gets attacked, will the other sit by and watch?” asks Willemse. “I don’t know.”
The other problem with NATO is that it changes at a glacial pace. It’s hard enough to get things done in the well-understood (if not clear-cut) ethical, legal and political realm of military operations. How difficult is it going to be with cyber?
“It’s tougher,” said Willemse. “If I fire a round, you can see it, I’m aiming at somebody and you can agree with that or not. It might be a crime or not. But at least it’s very clear. All this talk around laws about conflict is very well targeted, it’s a very military environment. This [cyber world] is totally different.”
Is Stuxnet an example of how easily it can go wrong? “Sadly. And how easily you can cross a line, maybe even before you know it.”