NATO working out how to conduct operations in cyberspace
TALLINN, Estonia – NATO reinforced its position as a leader in the cyber-threat battle space when it officially recognized cyberspace as a domain of war in July 2016. In a similarly significant action, the Western Alliance adopted the position that international law, as has been the case in conventional warfare, also applies in cyberspace.
A fundamental challenge faced by NATO, particularly in the development and deployment of effective defensive and offensive cyber weaponry tools, is how to optimize collaboration with the cyber intelligence infrastructures of member nations in responding to attacks in an ever-changing cyber battle theater.
On the strategic-response side of NATO’s cyber warfare operations, the organization must grapple with the omnipresent operational concern about whether it is better to have a good defense or a strong offense.
The Alliance’s evolving strategic direction to counter threats against critical military and civilian network infrastructure in cyberspace was outlined by NATO chiefs at the four-day Cyber Conflict (CyCon) conference in Tallinn, Estonia, that ended June 2.
The development of the Alliance’s defensive and offensive cyber weaponry is tasked to a dedicated cyber unit within the Supreme Headquarters Allied Powers Europe (SHAPE), NATO’s strategic operational military command.
“There are open questions when we talk about cyberspace and treating it as a domain for conflict in the context of joint military operations,” said Brad Bigelow, the chief technical advisor to the CIS/Cyber Defense (Communications Information Systems/CD) staff at SHAPE.
“In NATO, we need to figure out what cyber operations are before we decide what the organizational construct is. We need to decide what precisely cyberspace is as a domain for operations. Additionally, we need to set down what the rules of engagement are because cyberspace is a different and unique domain for operations,” Bigelow said.
SHAPE directs, monitors and coordinates all CIS and Cyber Defense functional area activities and staff functions across Allied Command Operations (ACO). The emphasis is on providing direction and support to NATO’s CIS Group while contributing to the capability management process for NATO’s C2/C3 and Information Assurance capabilities throughout their lifecycle.
The ACO operates as a high-level command platform for the planning and execution of combined, joint, effects-based operations. SHAPE has a direct mission-related role in the preparation, planning and conducting of military operations that meet NATO’s military operational needs and political objectives.
“NATO’s recognition of cyberspace as a domain of operations in which it must defend itself as effectively as it does in the air, on land and at sea was a very important development in expanding our role,” said Brig. Gen. Christos Athanasiadis, assistant chief of staff cyber at SHAPE.
The status of cyber defense as an operational priority within NATO was substantially elevated in the wake of the Warsaw Summit in July 2016, said Athanasiadis.
“The procedures we use continue to improve. Our defensive mechanisms are strong and we are doing more to raise the level of skill sharing. It is important that we have top-class capabilities in all core areas, and that we continually test and prove our capabilities,” he said.
The Estonia-based Cooperative Cyber Defense Center of Excellence (CCDCE) is a major incubator for developing NATO’s next-generation defensive and offensive weaponry. Located in Tallinn, the CCDCE operates as the Alliance’s foremost accredited research and training facility dealing with cyber defense, testing and R&D.
The new and emerging threats in cyberspace are being launched not only by state actors, but also by “non-state actors and individuals,” said Bigelow.
“As we go down that list, we are getting into an area that becomes much more problematic for us to measure in the context of traditional military assessment and responses. We need to make sure that whatever cyberspace operational capabilities we have are focused to ensure that our ability to react is not impeded. We need to understand the capabilities that we have, and when and how to use them,” Bigelow said.
The task-based infrastructure being developed at SHAPE means that when NATO and command elements are deployed, with Alliance nation forces in support, each one of these elements may not be operating in an autonomous deployed network.
“In some cases we are augmenting military satellite communications systems with commercial satellite communications systems. These systems and arrangements are not exclusively under the control of NATO command elements, and not exclusively in the control of the individual national military commanders involved in the operations,” said Bigelow.
NATO’s deepening operational role in the cyber battle theater requires the organization to constantly pursue improvements to strengthen its capabilities in key areas, said Athanasiadis.
“We must be able to develop enhanced processes to detect, evaluate and respond to threats at all levels, including below crisis threats,” Athanasiadis said.
To enhance its own operational capability, NATO is looking to promote a more significant degree of information sharing between member states’ intelligence agencies, said Athanasiadis.
“There is a need to combat cyber-threats against military sites and critical civilian targets such as telecom networks and power grids. We must look at how we can share intelligence in a better way. Information sharing between member nations is the most challenging issue within NATO at present,” Athanasiadis said.
The cyberspace battle theater presents a markedly different operational challenge for military organizations like NATO, said Max Smeets, a cybersecurity expert and Research Affiliate of Oxford University’s Cyber Studies Program.
“While more is known about defensive capabilities, the whole area of offensive cyber weaponry is shrouded in secrecy for obvious reasons. For NATO, it will be important to define the benefits of defensive and offensive weapons in the use of its capabilities and response. A better understanding of benefits and risks of capabilities and threats is also important,” said Smeets.
With cybersecurity now firmly embedded as part of NATO’s core task of collective defense, the Alliance can be expected to build stronger and more resilient cyber defenses in order to achieve its core objectives of collective defense, crisis management and greater collaboration on security matters.
One of NATO’s goals is to create an improved information sharing infrastructure between SHAPE and the cyber commands and national forces of member nations, said Bigelow.
“One lesson that we have learned from many other areas of collective defense is that if you wait for a crisis to happen, it may be too late to organize and respond. We need to start operating in a collective way now, and not just when we are faced with a broad crisis or threat,” Bigelow said.
The obstacles impeding NATO’s path to establishing a broader information sharing infrastructure are many, Bigelow concedes. The intelligence agencies of member nations, due to “their own national interests,” are sometimes reluctant to share specific intel with NATO regarding current threats, he admits.
“It would be advantageous to have a better intel infrastructure in place between NATO’s cyber command and national forces. The chances are very high that if we are seeing effects in the NATO enterprise it is probably being seen by one or more NATO nations too. Collective action and information sharing is better to protect the Alliance and prepare a NATO response,” said Bigelow.
The task of protecting NATO’s own networks falls to the NATO Computer Incident Response Capability unit. This unit provides centralized 24/7 cyber defense support to the various NATO sites.
Cyber defense is also becoming more deeply integrated into NATO’s Smart Defense initiative. This initiative enables member nations to partner and develop capabilities that might otherwise be beyond their procurement and affordability reach. NATO’s current portfolio of Smart Defense projects in cyber includes the Malware Information Sharing Platform, the Smart Defense Multinational Cyber Defense Capability Development project and the Multinational Cyber Defense Education and Training project.