As tomorrow’s NATO Summit in Vilnius, Lithuania approaches, SecurityWeek questions what NATO should do about cybersecurity.
The Russia/Ukraine conflict offers an historic opportunity to NATO in strengthening and enlarging the military alliance. Finland has joined NATO, Sweden has applied to join NATO, and Ukraine wishes to join NATO. Such discussions will likely provide the main headlines coming from the 2023 NATO Summit taking place July 11-12.
But NATO has another opportunity to benefit from the war in Ukraine — a closer and more integrated cybersecurity program.
The problem for NATO is it is dominated by European countries — some rich and sophisticated, and others not so – and is politically diverse (many members are within the EU, some of them fractious) and other members are outside of the EU. Europe is historically tribal by nature. Each country clings to its own tribal nature, which makes NATO fundamentally fragmented. The severity of the perceived Russian military threat, as shown in the war in Ukraine, has brought NATO unity closer than it has possibly ever been, militarily.
Now it is time to do something similar in the cyber domain. This doesn’t imply that NATO does nothing (it has its own Special Operations Center in Belgium), but NATO could and should do more. SecurityWeek discussed this topic with cybersecurity experts.
There are several additional difficulties in a fully unified NATO Cybersecurity program. The first is one of definition. NATO is primarily a military alliance formed for kinetic defense. There is no easy correlation between kinetic warfare and cyberwarfare (discussed in detail here: What is Cyberwar?). From the outset, it is difficult to define the purpose of NATO Cybersecurity since it is primarily a kinetic defense alliance.
The second is the difference in the physical size and cyber sophistication of the NATO members, and the residual suspicion of fundamentally tribal national attitudes. Given the global nature of cyber – attribution is very difficult, and misdirection is easy – it would be no surprise to discover that NATO members undertake cyberespionage against other members.
The third is that it would be politically unrealistic to expect the cyber giants of NATO (US, UK, Netherlands, France etcetera) to fully share their cyber capabilities with countries such as Hungary and Turkey.
Nevertheless, the cyber world would be safer if there were a NATO cybersecurity alliance as strong as the NATO military alliance.
Ross Brewer, chief revenue officer (CRO) at SimSpace, offers a two-pronged approach to NATO Cybersecurity. The first is to refocus. “Countries need to stop looking out the window at the Big Bad Wolf, and look over their shoulder. The problem is not external, it’s internal – and that applies to every country, industry sector or company.”
He doesn’t suggest there is no threat from adversarial nation states – such as Russia – but the cyber battle is waged locally, not on some foreign battlefield. It’s the same local battle that must be fought against cybercriminals and state actors – so while the military alliance can benefit from looking outward at physical foes, NATO Cybersecurity should focus on helping entities, especially those belonging to national critical infrastructures, at the local level.
Brewer’s second suggestion offers an approach to achieving this. Here he is less concerned with the shiny new security widgets of defense than with the capabilities of the people using them. This can be both assessed and improved through regular use of cyber range stress testing.
For this, he suggests that NATO should be guided by the experience of the US Cyber Command (USCYBERCOM). This has three primary missions: defending DOD networks and systems, conducting offensive cyber operations, and building cyber partnerships.
It uses cyber range personnel stress testing as part of its own training process. Here, the argument stems from the successful Navy, Marine Corps and Air Force Top Gun training program established in 1969.
During the Vietnam War, the US lost one aircraft to every 2.8 lost by the enemy. This loss rate was considered too high — and Top Gun was established to teach pilots advanced maneuvering techniques. Its success can be measured by the Gulf War — 37 Iraqi fighters shot down without losing a single US aircraft.
Cyber ranges can be seen as a cyber version of Top Gun, teaching security defenders how to defend networks under simulated battle conditions. Brewer believes that a NATO Cybersecurity alliance could help the critical industries of member states become more resilient to both criminal and nation state attacks.
The suggestion from Brewer implies that a NATO Cyber Command would help secure the critical industries of all NATO members in the same way that US Cyber Command helps secure the US. This does not imply that USCYBERCOM does not already assist its allies (it has teams that will, as required and requested, help its allies to clear intruders from their networks). But a NATO Cyber Command would be more effective in imposing the trickle-down security effect upon NATO national infrastructures.
In terms of cybersecurity, the big bad wolf is already here among us – not over there in Russia or China.
Assuming NATO can play a greater part in the cybersecurity of its members, possibly through a more formal NATO Cyber Command, the question then becomes ‘what should we hope for?’
A common hope is that NATO should become more proactive – as a bloc – against cyber threats. “Practically, this would require allies to openly share attack information, threats, and as importantly, partner with the private sector to build resilient environments to attacks,” suggests Dave Gerry, CEO at Bugcrowd. “Threats from countries like Russia, China and Iran have never been higher and NATO members must actively respond accordingly.”
A more assertive and active role by NATO would underline that this defense has teeth. “NATO has made it clear that an intense cyberattack on a member nation could be tantamount to an act of war, potentially invoking Article 5 of the North Atlantic Treaty,” comments Callie Guenther, cyber threat research senior manager at Critical Start. “It signifies that the international community is starting to view cyberattacks not just as criminal or disruptive activities but as potential acts of aggression that may warrant collective defense.”
Coming from a military alliance, a NATO Cyber Command would alter the perception of Locked Shields (NATO’s annual international cyber defense exercise organized by the NATO Cooperative Cyber Defense Centre of Excellence, CCDCOE, in Tallinn, Estonia) to Shields with Spear. Cyber should perhaps be more openly considered a deterrence option.
At the same time, Craig Jones, VP of security operations at Ontinue, would like to see more cyber diplomacy from NATO. “Establish a NATO Cyber Ambassador role, someone who can advocate for cybersecurity norms and practices on a global stage,” he says. “This individual could negotiate cyber treaties with other countries, including the likes of Russia, China, Iran, and North Korea. That office could also work to de-escalate tensions and prevent cyber conflicts.”
Outwardly, a NATO Cyber Command would show a velvet fist – we mean no harm to anyone, but do not test us.
This said, almost all cybersecurity experts agree that NATO should spend greater effort in improving the security of nations’ critical industries – and that much of this can be done through testing and training. NATO’s defense cannot simply rely on deterring nation state aggression. The same harm could be done to national economies through criminal extortion against the critical industries as through nation state aggression.
“It is always essential to put 100% effort into protecting critical infrastructure,” warns John Anthony Smith, CEO at Conversant Group. “Threat actors probe and make attack attempts virtually continuously and the consequences of complacency could be catastrophic (including but not limited to war). We often find time and effort is not being spent in the right places to properly defend against actual attacks. Since there is no overseeing authority over critical infrastructure bodies, we recommend each entity undergo regular assessments to understand and prioritize existing weaknesses.”
A NATO Cyber Command, with specific oversight of critical industries, would go some way to solving this.
Jones lists some of his hopes, including national cybersecurity scorecards, similar to individual company scorecards but on a national scale. “This would evaluate each country’s cybersecurity efforts, infrastructure, readiness, and response capabilities. The scorecards could be used to identify weaknesses, enhance accountability, and drive improvement,” he suggests.
Stress testing would simulate worst-case scenarios, such as simultaneous cyberattacks from multiple adversaries, to assess how well the alliance can respond and recover. A citizen training campaign should be implemented. “It could cover online hygiene, recognizing phishing attempts, and securing personal data. An informed public can be the first line of defense against cyber threats,” he adds.
On innovation, he would like to see a NATO innovation challenge. “This could speed up innovation, uncover novel solutions, and attract fresh talent to the field. Invest in advanced technologies like artificial intelligence (AI) and machine learning (ML) to predict and detect cyber threats in real-time. These tools can process vast amounts of data to identify patterns and anomalies that could signify an impending cyberattack.”
Improved threat and intelligence sharing could be promoted through an international cybersecurity exchange program, where cybersecurity professionals from one country spend time in another. “This would encourage the sharing of knowledge, foster stronger relationships, and promote a unified approach to cyber defense,” he adds.
In short, a more unified and aligned cybersecurity posture should be promoted by NATO.
“Cybersecurity is both national and international security and must be prioritized as such. Protecting the critical infrastructure of NATO nations and the services that people rely on from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating,” summarizes Darren Guccione, CEO and co-founder at Keeper Security.
A formal NATO Cyber Command could do as much for the cybersecurity of individual members of NATO as USCYBERCOM already does for the US.
Related: 4 Countries Join NATO Cyber Defense Center
Related: Cisco Working on Patch for Vulnerability Reported by NATO Pentester
Related: 38 Countries Take Part in NATO’s 2023 Locked Shields Cyber Exercise
Related: Pro-Russian Group DDoS-ing Governments, Critical Infrastructure in Ukraine, NATO Countries