When NATO Secretary General Jens Stoltenberg announced the alliance’s decision to designate cyberspace an ‘operational domain’ for war alongside the more traditional arenas of land, sea and air, he could hardly have suspected just how swiftly events would bear him out. On that very same day in June 2016, as if to underline the point, the first reports began to emerge of the now infamous hack of the US Democratic National Committee’s computers.
“Last year’s US elections brought this issue into sharp focus,” says Ian Goslin, managing director of Airbus Defence and Space Cyber Security in the UK, “but this was really just the latest in a long line of nation state attacks.”
And it seems they are happening more and more. While outright criminal activity, such as the recent massive WannaCry ransomware incident in May, which affected more than 200,000 users in over 150 countries worldwide, including the UK’s National Health Service, obviously represents a huge cyber threat, it is the growing spectre of nationally motivated, and state sanctioned, attacks which is arguably the more worrying trend.
According to the 2016 Secretary General’s Annual Report, NATO cyber defenders dealt with an average of 500 incidents per month throughout the year, an increase of some 60% over 2015, with the majority of the attacks against NATO networks said to come from state actors.
Just how significant the effect of a major event of this kind can be had already become evident in 2007, when Estonia fell victim to a series of intrusions that disrupted a swathe of both state and commercial websites and effectively took the whole country offline. Goslin says that Estonian government agencies and banks were targeted in a coordinated attack using hundreds of thousands of computers which had consequences far beyond Estonia itself.
Although the Estonian authorities eventually traced the origin of most of the attacks back to computer servers run by the Russian state, Moscow denied all knowledge and involvement, highlighting one of the major problems of this new kind of warfare. As Goslin puts it, “the Internet allows attackers to hide in the shadows. Knowing your attacker can be a complex and challenging task.”
The events in Estonia were to prove a definite wake-up call, prompting NATO to beef up its cyber warfare capabilities, and resulting in seven NATO nations signing up to the establishment of the Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn just over a year after the attack. Since then a range of collective research projects, exercises and initiatives have followed, culminating in the recent announcement of a three-year investment of £61m to protect the alliance’s 32 main locations from cyber-attacks, and an additional £155m to give soldiers in the field more secure mobile communications.
Goslin says that compared with the conventional domains, the internet poses some unique challenges, not least because of its massive territorial scope and vulnerability to attack from any one of the already huge, and still burgeoning, number of routinely accessible, connected devices in everyday use. It means, he says, that you cannot always guarantee that you will be able to see the enemy coming and since these attacks can be launched quickly and without warning, it can make your adversaries almost impossible to identify.
As attacks can be launched more easily than on a traditional battlefield, and the obvious conventional dividing lines between the two warring sides, and even between combatants and non-combatants, are often blurred to the point of uselessness, cyber battles are likely to be far ranging in their scope. The threats are likely to be diverse in nature, too.
There has been speculation over how hacking or spoofing of GPS systems, and the manipulation of security holes in the automatic identification system (AIS) and electronic chart display and information systems (ECDIS) used by shipping, could be used against NATO forces, but there are broader, and arguably softer, potential targets that could be hit.
Already the banking industry, commerce, political organisations and, allegedly, democratic elections, from Estonia to the US, have been interfered with by a range of foreign agents and non-state hackers, but Goslin believes that much worse is possible, especially for nationally sanctioned cyber warriors with the full resources of the state to call on. Instead of simply setting out to ruffle the stock market, influence public opinion or embarrass individuals, he says that complex cyber attacks aimed at critical national infrastructure could effectively cripple a country’s entire economy.
At the mercy of hackers
Unless key infrastructure elements such as energy and transport networks are adequately monitored, protected and defended against hostile intrusion, they are, as Goslin says, “at the mercy of hackers”, who could potentially bring a country to its knees without a single missile being launched or a shot being fired. Moreover, as Russia’s action in Ukraine in 2015 shows, there is also the possibility of combining a cyber attack on infrastructure components – in this case Ukraine’s power grid – with a larger, conventional military operation.
NATO has not been slow to appreciate the dangers. Beginning with the adoption of a formal policy on cyber defence at the Bucharest Summit 2008 in response to the Estonian attacks, the organisation has continued to stay abreast of the fast evolving threat landscape to maintain a robust cyber defence.
Today, NATO boasts impressive cyber defences, centred on the NATO Computer Incident Response Capability (NCIRC), which is based at its strategic headquarters, Supreme Headquarters Allied Powers Europe, in Mons. Staffed by a 200-strong team, the NCIRC provides round-the-clock cyber defence, dealing with incidents as they arise and generating up-to-date intelligence and analysis of the changing threats faced. The alliance also has its own rapid reaction team that can be sent in to help member states handle problems as they arise, and in addition cooperates very closely with the EU and promotes strong partnerships between countries, international organisations, industry and academia to address cyber challenges.
Making the investment
Cyber defence, however, does not come cheap. Alongside the £216m allocated to secure mobile communication and defending its main centres, over the next three years NATO plans to spend £2.5bn to upgrade satellite and computer technology to adapt to the new threat environment. Around £1.4bn of that will be invested in enhancing satellite communications to help support deployed troops, ships and drone missions.
As many members have already been criticised for failing to meet their 2% obligations, looking to fund an expensive project such as this might seem badly timed, but cyber defence can prove an easier sell than most. The increasing importance of the online world to personal, commercial and state life makes secure connectivity vital, and anything which could threaten that is as much a concern for taxpayers themselves as it is for national governments. Neil Robinson of the Emerging Security Challenges division at NATO Headquarters makes the point very simply. “Only if a nation does not use communications and information technology is there an argument that there is no need to spend anything.”
It is also true that, in some circumstances, a dollar invested in cyber defence can buy more actual defence than a dollar invested in other conventional forms of military capability, and guard against a wider range of possible threats and potential losses. Wisely targeted spending can mean that a little goes a long way. That has its own unique appeal at a time of budgetary constraint, but there is perhaps a more important reason why NATO member-states should be ready to reach for their chequebooks.
As Stoltenberg’s predecessor as NATO Secretary General, Anders Fogh Rasmussen, said in 2013: “Cyber attacks do not stop at national borders; our defences should not, either.”