As tomorrow’s NATO Summit in Vilnius, Lithuania
approaches, SecurityWeek questions what NATO should do
about cybersecurity.
The Russia/Ukraine conflict offers NATO a historic opportunity to
strengthen and enlarge the military alliance. Finland
has joined NATO, Sweden has applied to join NATO, and Ukraine
wishes to join NATO. Such discussions will likely provide the main
headlines coming from the 2023 NATO Summit taking place
July 11-12.
But NATO has another opportunity to benefit from the war in
Ukraine — a closer and more integrated cybersecurity program.
The problem for NATO is that it is dominated by European countries
(some rich and sophisticated, and others not so) and is politically
diverse: many members are within the EU, some of them fractious,
and other members are outside of the EU. Europe is historically
tribal by nature. Each country clings to its own tribal nature,
which makes NATO fundamentally fragmented. The severity of the
perceived Russian military threat, as shown in the war in Ukraine,
has brought NATO unity closer than it has possibly ever been,
militarily.
Now it is time to do something similar in the cyber domain. This
doesn’t imply that NATO does nothing (it has its own Special
Operations Center in Belgium), but NATO could and should do more.
SecurityWeek discussed this topic with cybersecurity
experts.
There are several additional difficulties in a fully unified
NATO Cybersecurity program. The first is one of definition. NATO is
primarily a military alliance formed for kinetic defense. There is
no easy correlation between kinetic warfare and cyberwarfare
(discussed in detail in What is Cyberwar?). From the outset, it is
difficult to define the purpose of NATO Cybersecurity since NATO is
primarily a kinetic defense alliance.
The second is the difference in the physical size and cyber
sophistication of the NATO members, and the residual suspicion of
fundamentally tribal national attitudes. Given the global nature of
cyber – attribution is very difficult, and misdirection is easy –
it would be no surprise to discover that NATO members undertake
cyberespionage against other members.
The third is that it would be politically unrealistic to expect
the cyber giants of NATO (US, UK, Netherlands, France, etc.) to
fully share their cyber capabilities with countries such as Hungary
and Turkey.
Nevertheless, the cyber world would be safer if there were a
NATO cybersecurity alliance as strong as the NATO military
alliance.
Ross Brewer, chief revenue officer (CRO) at SimSpace, offers a
two-pronged approach to NATO Cybersecurity. The first is to
refocus. “Countries need to stop looking out the window at the Big
Bad Wolf, and look over their shoulder. The problem is not
external, it’s internal – and that applies to every country,
industry sector or company.”
He doesn’t suggest there is no threat from adversarial nation
states – such as Russia – but the cyber battle is waged locally,
not on some foreign battlefield. It’s the same local battle that
must be fought against cybercriminals and state actors – so while
the military alliance can benefit from looking outward at physical
foes, NATO Cybersecurity should focus on helping entities,
especially those belonging to national critical infrastructures, at
the local level.
Brewer’s second suggestion offers an approach to achieving this.
Here he is less concerned with the shiny new security widgets of
defense than with the capabilities of the people using them. This
can be both assessed and improved through regular use of cyber
range stress testing.
For this, he suggests that NATO should be guided by the
experience of the US Cyber Command (USCYBERCOM). This has three
primary missions: defending DOD networks and systems, conducting
offensive cyber operations, and building cyber
partnerships.
It uses cyber range personnel stress testing as part of its own
training process. Here, the argument stems from the successful
Navy, Marine Corps and Air Force Top Gun training program
established in 1969.
During the Vietnam War, the US lost one aircraft to every 2.8
lost by the enemy. This loss rate was considered too high — and Top
Gun was established to teach pilots advanced maneuvering
techniques. Its success can be measured by the Gulf War — 37 Iraqi
fighters shot down without losing a single US aircraft.
Cyber ranges can be seen as a cyber version of Top Gun, teaching security defenders how to
defend networks under simulated battle conditions. Brewer believes
that a NATO Cybersecurity alliance could help the critical
industries of member states become more resilient to both criminal
and nation state attacks.
The suggestion from Brewer implies that a NATO Cyber Command
would help secure the critical industries of all NATO members in
the same way that US Cyber Command helps secure the US. This does
not imply that USCYBERCOM does not already assist its allies (it
has teams that will, as required and requested, help its allies to
clear intruders from their networks). But a NATO Cyber Command
would be more effective in imposing the trickle-down security
effect upon NATO national infrastructures.
In terms of cybersecurity, the big bad wolf is already here
among us – not over there in Russia or China.
Assuming NATO can play a greater part in the cybersecurity of
its members, possibly through a more formal NATO Cyber Command, the
question then becomes ‘what should we hope for?’
A common hope is that NATO should become more proactive – as a
bloc – against cyber threats. “Practically, this would require
allies to openly share attack information, threats, and as
importantly, partner with the private sector to build resilient
environments to attacks,” suggests Dave Gerry, CEO at Bugcrowd.
“Threats from countries like Russia, China and Iran have never been
higher and NATO members must actively respond accordingly.”
A more assertive and active role by NATO would underline that
this defense has teeth. “NATO has made it clear that an intense
cyberattack on a member nation could be tantamount to an act of
war, potentially invoking Article 5 of the North Atlantic Treaty,”
comments Callie Guenther, cyber threat research senior manager at
Critical Start. “It signifies that the international community is
starting to view cyberattacks not just as criminal or disruptive
activities but as potential acts of aggression that may warrant
collective defense.”
Coming from a military alliance, a NATO Cyber Command would
alter the perception of Locked Shields (NATO’s annual
international cyber defense exercise organized by the NATO
Cooperative Cyber Defense Centre of Excellence, CCDCOE, in Tallinn,
Estonia) to Shields with Spear. Cyber should perhaps be more openly
considered a deterrence option.
At the same time, Craig Jones, VP of security operations at
Ontinue, would like to see more cyber diplomacy from NATO.
“Establish a NATO Cyber Ambassador role, someone who can advocate
for cybersecurity norms and practices on a global stage,” he says.
“This individual could negotiate cyber treaties with other
countries, including the likes of Russia, China, Iran, and North
Korea. That office could also work to de-escalate tensions and
prevent cyber conflicts.”
Outwardly, a NATO Cyber Command would show a velvet fist – we
mean no harm to anyone, but do not test us.
This said, almost all cybersecurity experts agree that NATO
should spend greater effort in improving the security of nations’
critical industries – and that much of this can be done through
testing and training. NATO’s defense cannot simply rely on
deterring nation state aggression. The same harm could be done to
national economies through criminal extortion against the critical
industries as through nation state aggression.
“It is always essential to put 100% effort into protecting
critical infrastructure,” warns John Anthony Smith, CEO at
Conversant Group. “Threat actors probe and make attack attempts
virtually continuously and the consequences of complacency could be
catastrophic (including but not limited to war). We often find time
and effort is not being spent in the right places to properly
defend against actual attacks. Since there is no overseeing
authority over critical infrastructure bodies, we recommend each
entity undergo regular assessments to understand and prioritize
existing weaknesses.”
A NATO Cyber Command, with specific oversight of critical
industries, would go some way to solving this.
Jones lists some of his hopes, including national cybersecurity
scorecards, similar to individual company scorecards but on a
national scale. “This would evaluate each country’s cybersecurity
efforts, infrastructure, readiness, and response capabilities. The
scorecards could be used to identify weaknesses, enhance
accountability, and drive improvement,” he suggests.
Stress testing would simulate worst-case scenarios, such as
simultaneous cyberattacks from multiple adversaries, to assess how
well the alliance can respond and recover. A citizen training
campaign should be implemented. “It could cover online hygiene,
recognizing phishing attempts, and securing personal data. An
informed public can be the first line of defense against cyber
threats,” he adds.
On innovation, he would like to see a NATO innovation challenge.
“This could speed up innovation, uncover novel solutions, and
attract fresh talent to the field. Invest in advanced technologies
like artificial intelligence (AI) and machine learning (ML) to
predict and detect cyber threats in real-time. These tools can
process vast amounts of data to identify patterns and anomalies
that could signify an impending cyberattack.”
Improved threat and intelligence sharing could be promoted
through an international cybersecurity exchange program, where
cybersecurity professionals from one country spend time in another.
“This would encourage the sharing of knowledge, foster stronger
relationships, and promote a unified approach to cyber defense,” he
adds.
In short, a more unified and aligned cybersecurity posture
should be promoted by NATO.
“Cybersecurity is both national and international security and
must be prioritized as such. Protecting the critical infrastructure
of NATO nations and the services that people rely on from
cyberattacks is as important as protecting it from physical
attacks, because the consequences have the potential to be equally
devastating,” summarizes Darren Guccione, CEO and co-founder at
Keeper Security.
A formal NATO Cyber Command could do as much for the
cybersecurity of individual members of NATO as USCYBERCOM already
does for the US.