pixel_dreams - Fotolia
Cyber threats are one of the most pressing priorities for Nato, according to Sorin Ducaru, the organisation’s assistant secretary general for emerging security challenges.
Although cyber threats had been on Nato’s radar since 2002, Ducaru said it was only after the cyber attacks against Estonia in 2007 that the political, strategic debate on cyber security was taken up by Nato’s political decision-making body, the North Atlantic Council.
“As the only member of the council with a background in computer science and political science, I immediately understood the need to translate digital language into policy and strategic language,” Ducaru told the CyberSec European Cybersecurity Forum in Krakow.
The need for Nato to address cyber defence in policy terms resulted in the publication of Nato’s first policy on cyber defence in 2008.
“The policy established some clear benchmarks for the protection of Nato systems and guidelines for the protection of national systems,” said Ducaru.
The first update to the cyber defence policy in 2011 introduced the concept of centralised protection for Nato networks across more than 50 sites at the time, and benchmarks for national cyber security.
Cyber defence capability targets became, for the first time, part of Nato’s defence planning process, said Ducaru.
But it was only in 2014 that cyber was linked to Nato’s mission of collective defence, he said, due to the “cyber manifestations of the hybrid campaign of Russia before, during and after the illegal annexation of Crimea and destabilising actions in eastern Ukraine”.
Nato realised that cyber attacks can reach a threshold where they are as harmful as conventional attacks, he said.
Read more about Nato and cyber attacks
In the 2014 update to the cyber defence policy, Nato made an explicit link between cyber attacks at a certain threshold and the invocation of a Nato article 5 collective defence as part of the treaty.
Article 5 of the North Atlantic treaty requires member states to come to the aid of any member state subject to an armed attack, which has included cyber attack since 2014.
“It was also the first time that Nato recognised the applicability of international law in cyber space and the need to support the development of norms and measures to consolidate the preventive factors of cyber development,” said Ducaru.
The year 2014 also saw the establishment of Nato’s industry cyber partnership with the EU and UN, and with industry and academia, which he said continues to be an “extremely useful vehicle” in generating information exchange, situational awareness, and analysis.
The next step forward, said Ducaru, came in 2016 with the adoption of an investment promise in the field of cyber defence at the level of heads of state and government, inspired by the promise of investment in defence, but without attaching a specific number, in recognition of the need to raise cyber discussion to the strategic level and prioritise investment in cyber defence, information exchange, and training exercises.
“Nato also recognised cyber space as a domain of operations alongside air, land and sea, and the need to reinforce its partnerships,” he said.
According to Ducaru, one of the biggest drivers of this evolution was the recognition of the developing cyber threat and the closing of the “cognitive gap” in understanding at the political and strategic level.
In 2016, a structured partnership was established with the EU that includes a technical arrangement for the exchange of information.
Today, said Ducaru, the centralised network includes more than 60 different locations, more than 100,000 users, and a range of services, including threat assessment, intrusion prevention, malware detection and rapid response teams, which can be deployed wherever necessary, including allies under attack.
One of the biggest challenges is bringing innovation faster in Nato’s approach to cyber defence, he said. “This is one of the objectives where we still need to push a little harder,” he added.
Ducaru said recognising cyber space as an operational domain requires a change of assumption. Previously, Nato worked under the assumption that it could rely on its systems and the integrity of the information, he said.
“We concluded that this assumption was no longer valid, and that we needed to change our training, education and planning with the assumption that systems will be disrupted, that we will constantly be under cyber attack, and that we will need to achieve missions under these conditions,” he said.
As a result, Nato has switched its focus from “information assurance” to “mission assurance” to support essential operations.
“This requires a change in mindset so that mission assurance is not seen as an IT problem, but as a wider challenge that goes beyond cyber security protection and prevention to ensure that the mission can be carried out even if some systems have failed,” said Ducaru.
Despite the recognition of the cyber domain, Ducaro said Nato’s defensive mandate remains unchanged, and, like the other domains, everything it does remains in line with international law.
“Nato will not develop or acquire any other capabilities other than purely defensive, but like the other domains, it can rely on voluntary contributions of a range of capabilities from allies to support operations and missions,” he said.
Looking ahead, Ducaru said there is a strong focus on getting the feedback from self-assessments from each nation on how they deliver on the cyber defence pledge and enhancing engagements with Nato’s partners around cyber security.
“Because in cyber, no one can do it alone and no one can be as prepared, as aware or as strong as all of us together,” he said, and for this reason, the Nato’s focus in the coming months will be on fast-tracking innovation on the defenders’ side in areas such as advanced analytics and machine learning.
Finally, said Ducaru, Nato must continue to update the way it thinks. “We need to constantly update our skills to translate technical language into political language and digital into strategic, and understand that we are living world where battlefield is more and more digital,” he said.