Story

Cyberwarfare: NATO Doesn’t Yet Know How To Protect Its Networks

BRUSSELS, Belgium — America’s top generals and intelligence officers openly admit that they’ve got no way of keeping up with the onslaught of attacks on U.S. networks. But a visit to NATO Headquarters makes the American brass look totally l33t.

Officials with the transatlantic military alliance say they totally get that they need to protect their networks from online infiltration and assault. They’ve embedded the concept of cybersecurity firmly into their planning for “emerging threats.”
They just don’t really know what it means. Nor do they know what to do about a major online attack. “We need to think these things through,” concedes Jamie Shea, NATO’s chief for confronting what it calls Emerging Security Challenges, who lists cybersecurity as one of his top priorities.
 
Here at NATO Headquarters, the 2007 denial-of-service attack that took websites of member nation Estonia offline forms something of a template for worry. But there’s also a dawning recognition that online threats are more persistent than episodic, like with the digital economic espionage into western networks coming from Russia and China. But they don’t yet know what kind of malicious online action would trigger a NATO response.
They also don’t know what exactly is up to the alliance to protect. The U.S. military, for instance, has (sorta) promised to (mostlystay away from defending the civilian internet.
 
Keeping out of the civilians’ lane is a two-layered problem for the alliance: most of the information infrastructure in the U.S. is privately owned; in some European countries, the state is involved. But even in the cases where the military might protect it, when does such protection pass from a national issue to one where a multinational organization ought to intervene?
 
It’s also unclear how big of a threat would prompt NATO to invoke Article 5, the section of its charter that calls the transatlantic posse together to ride out. Low-level data monitoring or exfiltration clearly hasn’t met the standard.
 
Would an attempt to mess with a power grid or a military network? The murkiness is the result of the fact that there isn’t yet an actual threshold to meet. And if you ask NATO officials what a NATO-wide cyber response would look like and you’ll get blank stares — and forthright concessions of ignorance.
 
Part of the problem: NATO’s an organization consisting of diplomats and military officers with deep experience in traditional geopolitics and defense — who don’t really know how the internet works, just that they should be amorphously wary of its vulnerabilities.
Add another obstacle: NATO’s primary mission for its 63 year history is to deter attacks on its members — especially a nuclear attack. The language of traditional military deterrence is everywhere here. But how can you really speak of deterring people whom you fear are already, persistently pwning you? And how can you say for sure who’s sitting at the keyboard of the computer that’s directing those online attacks?
 
Right now, NATO’s in education mode — and building new social networks to get its head around the problem. Most countries’ civilian CIOs haven’t ever interacted with the alliance. Nor have the executives and bureaucrats who’ve built the online and data infrastructures for NATO’s member countries. So NATO’s hosting more meetings with unfamiliar faces over calorie-rich Belgian lunches.
 
It’s also thinking through what kind of cyber-mitigation it can lend to an ally that gets hit with a DDOS or other cyberattack. Additional server space? Analytic sleuthing to track down the malefactors? Still TBD. And that’s before an actual response to the attack would kick in.
Much of this unfamiliarity is totally understandable. Cybersecurity is a new challenge to militaries across the world.
 
The U.S. military command established to protect defense networks is barely a year old, and it’s still getting its head around the difficulties inherent to its mission. And at least no one here talks about unlikely scenarios like a Cyber Pearl Harbor.
But one thing appears to be off the table. “I don’t see NATO developing offensive cyber doctrine for the time being,” Shea says. They’re too busy trying to figure out how to play defense