NATO Experience in the Cyber Domain

Since the advent of the computer era, NATO has been one among the first Collective Security Organizations experiencing cyber-attacks, already during the Cold War. Initially, these attempts were aimed at information gathering, either for espionage or for demonstrative purposes. No disruption was attempted, at least during these years.

When the Warsaw Pact was disbanded in 1991, the new Strategic Concept outlined the need to improve “Electronic Warfare” capabilities, but this was not explicitly connected to the need of countering acts of “terrorism and sabotage”^[1]: at that time, with the disappearance of the historical enemy, a change of intrusions had shown up, so that the only “Cyber Risk” was considered to derive from disruption attempts (i.e. sabotage), even if their probability of success was limited by the care taken, since the beginning, to minimize any NATO vulnerability in this domain. The prevailing concept was to build a sort of “electronic fortress” around all headquarters of the Alliance.

In fact, NATO bodies did not acquire commercial computers and were reluctant to connect them in a network; therefore, special screens, having limited emission, and hardened computing machines were used, even if their costs were high. The only network accepted was the Maritime Command and Control Information System (MCCIS), introduced in these years, when surveillance in the Mediterranean against Iraqi merchant vessels was carried on by Alliance maritime forces during the Gulf War.

MCCIS conception was very simple: inputs were provided by warships through a classified formatted message, which could be automatically inserted in the system; the content included the allied ship’s position, as well as the location of all targets of interest in her vicinity. The resulting picture was broadcasted through High Frequency transmitters to the benefit of NATO commands, national headquarters and all units, who were therefore able to know what was going on in the basin of activity.

Attempts to penetrate NATO computers, though, grew exponentially in the following years, to such an extent that in 1999, the new Strategic Concept mentioned, among the risks, the fact that “state and non-state adversaries may try to exploit the Alliance’s growing reliance on information systems through information operations designed to disrupt such systems. They may attempt to use strategies of this kind to counter NATO’s superiority in traditional weaponry”^[2]. Cyber war was therefore considered a new form of aggression, for the first time. It is worth highlighting that the Alliance already envisaged that this sort of inimical action could come both from state and non-state agents (“direct and indirect/asymmetric form of attacks”).

That same year, Kosovo war originated the need for NATO to reach consensus in real time for targeting purposes, between the capitals and NATO headquarters; due to the urgency of this requirement, a new network, named Cronos, was created in few months by the NATO C3 Agency (NC3A). Cronos relied on Internet vectors – mostly underwater cables – and used commercial computers, duly hardened, and the network was protected through a cypher system.

Since then, networks in NATO multiplied, to such an extent that now they have reached the impressive number of 31. As the attempts to penetrate or disrupt them were growing, response through a better protection was not enough, and two measures were undertaken. First, the C3 staff elements of the International Military Staff (IMS) and of the International Staff (IS) were merged into the NC3 Staff, in order to have a politico-military body able to face all challenges of the IT era, and the NATO Computer Incident Response Cell (NCIRC) was established, to quickly repair damages inflicted by external actors. Most recently, the new NATO Agency dealing with C4 (NCIA) has undertaken the effort to reduce the number of networks, in order to reach a better protection, through rationalization.

This new body was deployed in Estonia, for the first time, to help her government to recover from the massive cyber-attack suffered in 2007. Immediately thereafter, as the need to keep updated on the rapidly evolving threat to computer networks had become evident, an ad hoc Center of Excellence was established in Tallin.

This event was duly reflected in the 2010 Strategic Concept, whereby NATO outlined the growing importance of the cyber threat: “cyber-attacks are becoming more frequent, more organized and more costly in the damage that they inflict on government administrations, businesses, economies and potentially also transportation and supply networks and other critical infrastructure; they can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability. Foreign militaries and intelligence services, organized criminals, terrorist and/or extremist groups can each be the source of such attacks”^[3].

After having acknowledged the cyber threat, the Concept outlined the intended approach to be followed: “develop further our ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyber-defense capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations”^[4].

There are three key words in this statement, and they respond each to one type of action:

–         Prevent, i.e. to create conditions making attempts to penetrate too difficult;

–         Detect, i.e. to identify the offender, as soon as possible;

–         Defend, i.e. to fend off attacks.

The latter action is undergoing an extensive interpretation, even if the Tallin Manual explicitly stresses the need to apply the principle of “Proportionality”, and recommends to avoid “Indiscriminate attacks”, especially should “active defense” be considered among the possible ways/approaches. To react against an unknown entity, in fact, is at least difficult to digest at political level, as it might cause unintended consequences.

Unless the reaction takes place against a positively identified opponent, it would very much resemble the acts of a blinded Cyclops hitting everything around him with a big stick, without knowing where the target is. This explains why in NATO HQs there is a lot of prudence about the vexed issue of “active defense”.

This shows why, among the three courses of action defined by the Strategic Concept (Prevent, Detect and Defend), the key action to be undertaken will be to find the means allowing “Detection”, in order to find out who is the offender, as quickly as possible.

It is not simple, because the Cyber environment is as opaque as water. In the 1920s, a strategist, Douhet, said that locating submarines would be simple, as they would lose their advantage once the means to make water less opaque were found. Notwithstanding decades of research and development, nowadays we are still struggling with this problem, as no decisive means have been found to eliminate this opacity.

More or less, the problem is the same for Cyber defense, with the complication that actions are several, means are evolving and the initiative of the wrongdoers is without limits: on November 4, 2013, for instance, even the CoE in Tallin had to acknowledge that the Center’s e-mail address had been “Spoofed”. A serious reverse for the CoE!

NATO, though, has a unique experience in the cyber domain, and is the only body able to muster and coordinate to the best advantage all skills available in the Alliance to achieve decisive results in the “Detection” domain, if possible. This is another reason why “Smart Defense” i.e. the collective efforts to acquire new capabilities to fend off the emerging threats is most relevant for our future.

Address at the Rome Atlantic Forum, 2 December 2013.