173 DSCFC 09 E bis - NATO and Cyber Defence
SVERRE MYRLI (NORWAY) - RAPPORTEUR
TABLE OF CONTENTS
I. DEFINING THE CYBER THREAT
II. NATIONAL AND INTERNATIONAL RESPONSES
III. NATO AND CYBER DEFENCE
IV. CYBER DEFENCE AND ARTICLE 5
I. DEFINING THE CYBER THREAT
1. NATO and Partner nations, as well as the Alliance itself, are currently at risk from cyber attacks seeking to disrupt their physical or informational assets, their actions in the international system, or their public image. Such attacks can include the spread of misinformation, electronic espionage that weakens a nation’s global competitive advantage, the clandestine modification of sensitive data on the battlefield, or the disabling of a country’s so-called critical infrastructure – power, water, fuel, communication, or commercial assets that are essential for the functioning of a society and economy. Such acts may be motivated by criminal gain or by political advantage. They may be committed by criminals, state actors, or criminal elements with the hidden support of a state. Depending on the actors involved and their motivation, cyber attacks can be very roughly classified as acts of cyber crime, cyber terror, or cyber warfare.
2. Information and communication technologies form an increasingly important part of our lives, and many such systems, services, and networks have now become vital to our economies and societies. Although governmental authorities have recognized the grave theoretical threat posed by cyber attacks on these infrastructures for over a decade,1 events in the last two years have underlined the potentially massive disruption cyber attacks can cause, and the urgent need to address this rapidly growing problem. In short, our digital infrastructures have become strategic national assets, and now they are at risk.
3. NATO Allies share a broad political consensus as to both the seriousness of cyber threats, and NATO’s potentially valuable role in this area. This allowed rapid agreement on a NATO Policy on Cyber Defence, which is currently being implemented by the Alliance’s relevant military and technical bodies and individual Allies.
4. This report has been prepared for the Sub-Committee on Future Security and Defence Capabilities. The Sub-Committee’s main purpose is to examine issues that will affect Allied collective security in the coming years. The intent of this report is to provide our members with reliable information on the threat posed by cyber attacks, as well as the responses of several nations and international organizations. Of course, the report will pay particular attention to NATO’s current and potential role in working with member states to address this threat. It also deals with a number of challenges specific to the problem of cyber defence, including underdeveloped and inconsistent legal frameworks at both the domestic and international levels.
5. This report has been informed by world events and the Assembly’s activities in 2009, as well as the valuable input of members of the Assembly, and thus differs somewhat from the draft version presented in Oslo at the Assembly’s May 2009 Session.
A WAKE-UP CALL
6. The importance of efforts to counter the cyber threat came into sharp focus when Estonia experienced a so-called ‘Distributed Denial-of-Service’ (DDoS) attack in April/May 2007, severing all communications to the country’s two largest banks for up to two hours and rendering international services partially unavailable for days at a time. In preparation for a DDoS attack, an attacker infects a large number of insecure computers around the world with malicious software that will later be used to target the ultimate victim. During the attack phase, the attacker sends a tiny, hard-to-trace packet of data to each of these ‘zombie’ computers, commanding them to flood the victim with tens of thousands of visits, jamming and disabling the servers running the victim’s web services. Alternatively, the attack software on the compromised machines may have a timer that triggers a co-ordinated attack on the victim.
7. Estonia was particularly vulnerable because of its highly developed electronic infrastructure. It uses a system of national ID cards for user identification and digital signature; it held the first online parliamentary elections in the world; and critical services such as e-banking and healthcare services are provided there via the Internet. Because many see this nation as a window to the future, experts have described the 2007 attacks as “a wake up call” for governments and nationally important institutions in developed nations.
8. Since the cyber attacks in Estonia, several other serious incidents involving Alliance members have come to light. German Chancellor Angela Merkel’s visit to China in August 2007 was overshadowed by reports that the Chinese Government had hacked into computers in the German chancellery and three other Berlin ministries.2 In November 2007, the head of Britain’s domestic intelligence agency, MI5, wrote to financial, legal and retail firms, warning them that the Chinese People’s Liberation Army (PLA) was conducting a concerted campaign of cyber espionage against UK businesses. May 2008 witnessed the Belgian justice minister, Jo Vandeurzen, openly claiming that hacking attacks against the Belgian Federal Government were likely to have been sanctioned by Beijing. Following its unilateral veto of discussions on an EU energy partnership deal with Russia, Lithuania faced a concerted cyber assault by pro-Russian hackers in June 2008. In November 2008, the Pentagon experienced cyber attacks so alarming that it took the unprecedented step of banning the use of external hardware devices, such as flash drives. And following President Nicolas Sarkozy’s meeting with the Dalai Lama in December 2008, cyber attacks on the website of the French Embassy in Beijing put it out of operation for several days.
9. The above-mentioned cases aside, there is a burgeoning realization that cyber attacks may pose the gravest threat to the open economies of Alliance members and other NATO partners. For example, a Chatham House report published to coincide with the 2008 NATO Summit meetings in Bucharest argued: “In a global information economy, it could be argued that keeping the Internet open for business and free from major disruption is now on par with keeping the sea and air lanes open.”3
10. Citing the potential loss of intellectual property, the disruption of services delivered through cyber space, and the threat posed to essential stores of data, the Center for Strategic and International Studies (CSIS) echoed these views, stating, “the immediate risk lies with the economy. …we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational.”4 In 2009, the CSIS joined the FBI in ranking cyber attacks as the third greatest threat to the security of the United States behind nuclear war and weapons of mass destruction. Soon after, the U.S. National Counterintelligence Executive, Joel Brenner, highlighted that a cyber attack on the U.S. banking system could be several times more damaging to the country’s economy than the Twin-Tower attack by terrorists on 11 September, 2001.
11. Much of the vulnerability to cyber attack stems from a lack of preparedness in both the governmental and private sectors. Over 50% of industry insiders and other experts from the U.S., Europe, and Canada, interviewed in November 2008 by the Secure Computing Corporation, said that utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping industries were not prepared for a cyber attack. In December 2008, a two-day cyber warfare simulation organized by the Booz Allen Hamilton consulting service confirmed that critical U.S. electronic infrastructure systems, such as those controlling banking, telecommunications and utilities, were susceptible to cyber attack.5
12. However, the anonymity enjoyed by cyber aggressors adds a deeply complicating dimension to the nature of the threat. Unlike the telephone system, which has an effective tracking and billing capability based on the need to charge users, the Internet was designed as an open and robust system for the sharing of information, and therefore has no standard provisions for tracking or tracing the behaviour of its users. The development of more advanced technologies, such as new Internet protocols, might add a greater degree of safety for Internet users, but some experts suggest that it may never be possible to retrofit any mechanism to completely eliminate the threat posed by the omission of tracking features in the Internet’s initial design.6
13. The difficulty of verifying the identity of cyber aggressors introduces the possibility that hostile governments undertake or sanction plausibly deniable attacks. For example, as Russian tanks rolled into Georgia in 2008, software became available on pro-Russian websites allowing anyone with an Internet connection to target the websites of the Georgian Government and the British and American Embassies in Tbilisi. Although there is no conclusive evidence that the cyber attacks in Georgia were executed or sanctioned by the Russian Government, “there is no evidence that it tried to stop them, either.”7 Indeed, the Georgian government and several independent experts pointed to a strong “Russian connection” to the attacks, such as the fact that the instructions for the attack were in Russian, the possible involvement of a shadowy St. Petersburg-based organisation called the “Russian Business Network” in the assault, and evidence of redirection of Internet traffic through Russian telecommunications firms.8 More seriously, during Estonia’s 2007 DDoS attacks, there were suggestions that one of the most active agitators on Russian-language message boards had Russian Federal Security Service (FSB) links.9
14. In response to the draft version of this report, Russian Duma member and former FSB Director Nikolai Dmitrievich Kovalev wrote to your Rapporteur to express his view that there is no evidence to confirm “mythical assertions” of a “Russian connection” to trans-border attacks on the information structures of other states or of a broader so-called “Russian cyber threat.” In Kovalev’s view, the Russian Federation “is one of the leaders of the international negotiating process on global information security” and its agencies not only inform counterparts in other countries of attacks on Russian information resources but also seek to establish co-operation in preventing such threats.
15. A twist on the above scenario could see a larger crisis precipitated by the misidentification of an alleged attacker. Whereas hackers in the West tend to be anti-establishment, countries such as China and Russia are likely to receive unsolicited support in their foreign disputes by sympathetic hackers. For example, in March 2009, an activist with the pro-Kremlin youth group, Nashi, claimed responsibility for organizing the cyber attacks on Estonia in 2007 as an act of personal protest.10 In light of this, cyber warfare experts have envisaged the accidental war scenario for a number of years.
16. Thriving online criminality is fuelling the development of expertise and individuals that might eventually pose a security threat. The cost of cyber criminality is now estimated as being between $100 billion and $1 trillion annually (although banks and other major companies are reluctant to release figures about the losses they sustain). Recent reports confirm that cyber criminality is increasing with the pressures and opportunities presented by the global economic downturn.11 Organised crime gangs are running profitable operations involving programmers writing malicious software and viruses, and computer security experts have even talked of the commercialisation of cyber crime – the creation of a marketplace where hackers openly tout their services to the highest bidder – potentially closing the gap between hackers and political actors without computer skills. For example, in August 2009, the U.S. Cyber Consequences Unit, an independent non-profit research institute, provided a lengthy technical analysis to the U.S. Government concluding that the cyber attacks against Georgia were conducted in close connection with Russian criminal gangs.12
17. Underdeveloped and inconsistent legal frameworks existing at both the domestic and international levels pose a major challenge to cyber defence. At the national level, laws for cyber space are often outdated, and in certain countries even non-existent. As such, the successful prosecution of cyber attackers, where possible, may rely on legislation not specifically written for the Internet. At the international level, there are no universal laws or agreements as to what constitutes a cyber attack, and what punishments, economic sanctions, or liability should ensue. There are no universal international agreements on the monitoring, record keeping, and cooperation necessary to track and trace attackers.13
18. These shortcomings mean that efforts to bring perpetrators to justice are often frustrated. Cyber attacks often cross multiple administrative, jurisdictional, and national boundaries. Countries with weak domestic legislation on Internet crime have become safe havens for cyber attackers, and it is unlikely that anything other than concerted international pressure to adopt and implement effective laws will be successful in countries where the government has financial ties to cyber attackers, or has a political agenda to protect them. There is now widespread recognition that legal efforts to deter future attacks must form a key aspect of any cyber defence strategy.
19. Another weak link in the regulatory chain concerns the ways in which Internet Service Providers (ISPs) handle malicious traffic. Cyber attacks are often transmitted over the networks of several ISPs before they hit their targets. There exists sufficient technology to allow ISPs to detect this traffic, trace its immediate origins, and block compromised computers, thus disrupting cyber attacks. However, the means currently in place to compel ISPs to take such actions are underdeveloped.
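Paragraph 6 describes a botnet flood as many ‘zombie’ hosts each sending a burst of packets at one victim, and paragraph 19 notes that ISPs already have the technology to spot such traffic and block the compromised machines. Both come down to the same check: count how many packets each source sends to a destination inside a short sliding window, flag the sources that exceed a threshold, and treat a destination with several flagged sources as the target of a distributed flood rather than a single misbehaving client. The Python script below is an added illustration written for this page; it is not code from the report, from NATO, or from any Estonian or ISP system. The flow record format, the IP addresses (RFC 5737 documentation ranges), the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records (ISO timestamp, source IP, destination IP, bytes).

    Made up for this example: three ordinary clients browsing a web server, then
    five compromised 'zombie' hosts each firing 25 tiny packets within ten seconds.
    Addresses are taken from the RFC 5737 documentation ranges, not real hosts.
    """
    base = datetime(2009, 5, 1, 12, 0, 0)
    lines = []
    # Normal browsing: a handful of requests per client, spread over a minute.
    for i, src in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.7"]):
        for k in range(4):
            t = base + timedelta(seconds=15 * k + i)
            lines.append(f"{t.isoformat()} {src} 203.0.113.10 1200")
    # Flood phase: five zombies, 25 small packets each, all inside a 10 s span.
    for i in range(5):
        src = f"192.0.2.{10 + i}"
        for k in range(25):
            t = base + timedelta(seconds=30, milliseconds=400 * k + i)
            lines.append(f"{t.isoformat()} {src} 203.0.113.10 60")
    return lines


def parse_flow(line):
    """Parse one whitespace-separated record into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def detect_floods(lines, window_seconds=10, per_source_threshold=20):
    """Flag (source -> destination) pairs whose packet count inside any sliding
    window of window_seconds exceeds per_source_threshold.

    Returns a dict mapping each destination under pressure to the sorted list of
    sources that exceeded the threshold towards it. A victim's web server and an
    ISP looking at its customers' outbound flows can run exactly the same logic.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    flagged = defaultdict(set)
    for ts, src, dst, _ in sorted(parse_flow(line) for line in lines):
        queue = recent[(src, dst)]
        queue.append(ts)
        while queue and ts - queue[0] > window:   # evict packets older than the window
            queue.popleft()
        if len(queue) > per_source_threshold:
            flagged[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in flagged.items()}


def classify(flagged, min_sources=3):
    """Label each flooded destination: 'distributed' when at least min_sources
    separate hosts were flagged against it (the botnet pattern), otherwise
    'single-source', which usually means one misbehaving client."""
    return {dst: ("distributed" if len(srcs) >= min_sources else "single-source")
            for dst, srcs in flagged.items()}


if __name__ == "__main__":
    floods = detect_floods(build_sample_flows())
    for dst, verdict in classify(floods).items():
        sources = ", ".join(floods[dst])
        print(f"{dst}: {verdict} flood from {len(floods[dst])} source(s): {sources}")
```

The flagged source list is the actionable output: on the victim side it feeds a rate limit or firewall rule, and on the ISP side it identifies the customer machines that are most likely compromised and should be quarantined and cleaned. The thresholds are deliberately simple; a production system would derive them per service from observed baselines, since a busy legitimate client can exceed a fixed count.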
20. Other challenges include: the development of counteracting measures that respect the privacy and human rights of citizens; the co-ordination of cross-cutting efforts to fight cyber attacks involving multiple governmental departments at home and abroad; and the low visibility of the problem, with the corresponding lack of awareness amongst the public and key policymakers that accompanies it. There is no clear solution to the above-mentioned challenges. Cyber defence remains, in many ways, an immature discipline. Meanwhile, national security experts are now warning that they “expect disruptive cyber activities to be the norm in future political or military conflicts.”14
21. In October 2008, a year-and-a-half after the DDoS attacks against its government and commercial computer systems, Estonia released a national cyber security strategy identifying four policy fronts:
22. Estonia’s cyber security measures include the specification of the distribution of tasks and responsibilities between government agencies for combating cyber threats and securing its critical infrastructure. Comprehensive cyber security risk assessments are being developed, and a host of technical measures are being put in place, including the spread of minimum information security standards throughout both state agencies and companies whose systems are included in the Estonian critical infrastructure.16 Citing “a few discrepancies in the [Estonian key information] systems’ level of technical and information security”, measures are also being undertaken to improve the load capacity of public and private sector service servers, a prior weak-point identified by independent experts.
23. Estonia is also focused on providing high quality and accessible information security-related training to the public and private sectors. Most pressingly, Estonia has identified a growing need for qualified mid-level information security experts. Common requirements for the competence of IT staff in information security will be established, and an appropriate system of in-service training and evaluation set up to address this. Noting that scientific competence is an essential precondition to achieving its high-quality training objectives, Estonia is also committed to intensifying research and development in cyber security so as to ensure national defence. In this vein, Estonia is hosting NATO’s Co-operative Cyber Defence Centre of Excellence (CCD CoE), a research body established in 2007 to enhance the co-operative cyber defence capability of NATO and NATO nations (more detail on the CCD CoE in Section III).
24. Legal measures proposed by Estonia’s cyber security strategy include the improvement of existing legislation, and drafting new legislation to address upcoming threats. Estonia conducted an analysis of its domestic legal framework and discovered that it was “decentralised and, in fact, partly contradictory.” Measures were recommended to strengthen its coherence and effectiveness, as well as to introduce compulsory security measures and standards for all information systems, especially those of critical infrastructure companies. Estonia has also proposed international efforts to define key terms; no international legal consensus exists on what the terms “cyber war,” “cyber attack,” “cyber terrorism” or “critical information infrastructure” mean.
25. Conscious of the fact that “the international community expects a major contribution from us - and perhaps even a leadership role”, Estonia has developed an international dimension to its cyber security strategy. This revolves around:
26. Estonia has assumed a leading role in introducing cyber security-related initiatives to international organisations and through bilateral co-operation. It has been involved in consultations with the Council of Europe on combating cyber crime, and EU institutions on elaborating common principles to defend critical EU information infrastructure. It raised the issue of cyber security at the OSCE security forum during Estonia’s presidency of the OSCE in 2008, and pushed cyber security and IT initiatives in the United Nations. Estonia was also a founding player in the development of NATO’s cyber defence policy, adopted in 2008, raising the question of whether cyber attacks should be considered a military aggression against the Alliance – a point with important collective defence implications.18
27. Estonia regularly expresses concerns about Russian policies. Russia has been accused of cyber attacks since the hacking of Chechen websites was publicized during the second Chechen war (1999-2000).19 Although questions remain over the extent of direct Russian state involvement in the Estonian cyber attacks of 2007,20 the Russian Government refused to co-operate with Estonia to shut down the computers involved in the attack.21 Lithuania and Georgia have suffered similar attacks by allegedly Russian-based hackers since.22 Most recently, in November 2008, the U.S. Central Command was penetrated by hackers reportedly from Russia in a cyber attack so serious that it occasioned a briefing of the President and Defence Secretary by the Chairman of the Joint Chiefs of Staff.23
B. THE UNITED STATES
28. According to the latest McAfee Virtual Criminology report, the U.S. spends more money on cyber security than any country in the world, and has the most sophisticated technical staff and cyber researchers. For example, in 2008, the Department of Homeland Security budgeted US$ 155 million for cyber security alone.24 Other governmental agencies with cyber security competencies include the Department of Defense, and the intelligence agencies – each commanding budgets in the order of tens of billions of dollars at least.
29. This current U.S. fiscal commitment to addressing cyber security is born of a relatively long history of cyber attacks. In 2000, U.S. officials accidentally discovered a pattern of probing of computer systems at the Pentagon, NASA, and the Energy Department, from a terminal in the former Soviet Union. Codenamed ‘Moonlight Maze’, the incident had been going on for nearly two years when exposed, and may have compromised maps of military installations and troop configurations, as well as military hardware designs.25 In recent years, major intrusions into the computer systems of the Departments of Defense, State, and Homeland Security, and NASA, for example, have become more frequent, with DoD officials intimating that departmental computers are now probed hundreds of times a day.26
30. Although separate federal government regulations, put in place between 1996 and 2002, mandate the protection of the systems and information of federal agencies,27 the National Strategy to Secure Cyberspace (2003) was the first initiative to directly address the necessity of a coordinated and focused effort to tackle cyber security at the federal, state, and local governmental levels. It made the U.S. Department of Homeland Security responsible for security recommendations and researching national solutions, but emphasized that the private sector “is best equipped and structured to respond to an evolving cyber threat.”28 This reflects a division of opinion amongst U.S. experts as to whether a cyber security solution can be most effectively pursued through increased governmental regulation or greater private-sector innovation.
31. At the time of writing, the White House is in the process of enacting a new U.S. cyber security policy. Reflecting a political commitment to elevate and centralize accountability for cyber security issues within the government, President Barack Obama has created a new cyber security ‘czar’ post in the White House tasked with developing strategies to facilitate the sharing of critical information between governmental bureaucracies and companies, and co-ordinating their responses to cyber attacks. He has pledged to invest in cutting-edge research and development, and begin a national campaign to promote cyber security awareness.29
32. Previous cyber security programmes under George W. Bush, such as the Comprehensive National Cybersecurity Initiative, were criticized because of the high level of secrecy surrounding their implementation, and fears of civil liberty violations.30 In light of these concerns, the Obama Administration has expressly reassured the public that it will not include the monitoring of private sector networks or internet traffic in its approach to cyber security, designating a privacy and civil liberties official to the newly created National Security Council Cybersecurity Directorate.31
33. Related developments in the U.S. military are also of interest: in June 2009, Defense Secretary Robert Gates ordered the military to begin setting up a new U.S. Cyber Command to be headed by the current director of the National Security Agency, Lt. Gen. Keith Alexander. CYBERCOM will bring the U.S. military’s cyber defence and attack capabilities together under the same leadership for the first time. As well as fostering the development of these capabilities, it will support the Department of Homeland Security, which protects U.S. government networks.32
34. Whereas Estonia remains focused on Russia, statements by U.S. officials indicate a more diverse range of adversaries. U.S. officials indicate that terrorist groups, including al Qaeda, Hamas, and Hezbollah, have expressed the desire to use cyber attacks to target the U.S., although they qualify that none have successfully done so as yet. In terms of state actors, both Russia and China are regarded as serious sources of cyber threats to the United States.
35. The Chinese state has built a wealth of expertise in the area. In the 1990s, China’s Ministry of Public Security pioneered the art of state control of cyber space: China can now effectively monitor the domestic Internet and wireless traffic of its 1,298 million Internet users.33 On the military front, China’s 2006 defence White Paper stated the PLA’s strategic goal “of building informationized armed forces and being capable of winning informationized wars by the mid-21st century”. The PLA has had cyber warfare units since 2003, and experts indicate that they are both highly active and sophisticated. A number of high profile events in 2007 sparked renewed U.S. interest in China’s military cyber warfare capacity. Most notably, the hacking of a Pentagon network in June 2007 resulted in the shutting down of part of a computer system serving the Defense Secretary’s office.
C. INTERNATIONAL ORGANIZATIONS
1. The United Nations
36. Although cyber security has been a feature of policy debates within the Security Council and General Assembly, the United Nations’ efforts to improve cyber security have so far been diffuse, and largely restricted to advisory provisions. For example, so-called “internet governance” principles have been presented at the United Nations (UN) World Summit on the Information Society in 2005, and separately, the UN Office on Drugs and Crime has been advocating a broad, inclusive focus to address problems of cyber crime through joint training events.
37. Most substantively, the International Telecommunication Union (ITU) – a UN specialized agency – launched a Global Cybersecurity Agenda in 2007 to provide a framework within which the international response to growing cyber security challenges can be co-ordinated. Reports suggest that an ITU drafting group, including representatives from the Chinese Government and the U.S. National Security Agency, is in the process of preparing guidelines on technical standards to define methods of tracing the original source of Internet communications – IP traceback technology. The ITU has previously spoken of anonymity on the Internet as “an important problem [that] may lead to criminality”. It proposes “pseudonymity” as a more appropriate concept, where personal information is kept private, but not anonymous or secret.
2. The European Union
38. Fuelled largely by a drive to stamp out child pornography, EU cyber crime legislation has been growing increasingly robust, although the EU “cannot be said to have a comprehensive approach to the problem” as yet.34 The EU’s value as a general model for international cooperation is tempered by the organization’s special political institutions, which make it possible to impose binding supranational legislation within EU member states and have no parallel in NATO. Moreover, EU legislation is necessarily only applicable to EU member states, whereas cyber crime is a far more extensive cross-border phenomenon.
39. The 2004 Council of Europe Convention on Cybercrime requires signatory nations to create the basic legal infrastructure required to address cyber crime effectively, and to commit to assisting other signatory nations in investigating and prosecuting cyber criminals. It is an open convention, meaning that non-member countries of the Council of Europe (COE) are also invited to ratify it.35
40. The Convention includes definitions of various forms of cyber crime, and lays the foundation for an alignment of national legislation with its provisions. It defines the illegal access of data, the illegal interception of data, data interference, and computer system interference as crimes, amongst other acts. The Convention additionally lays out general principles relating to international co-operation on cyber crime, and suggests a legal framework for the extradition of cyber crime suspects.
41. The Convention is the only binding international treaty on the subject to have been adopted to date, and has been met with a broad measure of international support, with 46 state signatories so far. According to the Council of Europe, Turkey is the only Alliance Member yet to sign up to the Convention. While all other Alliance Members have signed it, the following have yet to ratify it: Belgium, Canada, the Czech Republic, Germany, Greece, Luxembourg, Poland, Portugal, Spain, and the United Kingdom. Notable non-signatories of the Convention, as of August 2009, include China and Russia.
42. Although there has been broad international acceptance of the Convention, some have criticized it as insufficient to properly handle acts with national security implications. Firstly, the Convention treats attacks on information systems as criminal offences against private and public property, thereby disregarding the national security dimension of such attacks. Secondly, it does not differentiate between attacks on ordinary computer systems and those on critical infrastructure information systems, or between small- and large-scale attacks.
43. In spite of these criticisms, your Rapporteur believes that the Convention represents a basic but essential piece of international legislation. It provides a sound set of legal and technical definitions upon which additional agreements for enhanced co-operation may be developed. Moreover, this report has shown that there is significant overlap between cyber crime, cyber terrorism and cyber warfare. The Convention's criminalisation of all acts of cyber attack, regardless of motivation, means that it requires signatories, when requested, to apprehend and hand over for prosecution all international cyber attackers, regardless of whether host nations regard them as criminals, terrorists, or even praiseworthy patriots.
44. Apart from the Convention, the COE has been active in developing other measures to strengthen cyber security. For example, it supports countries’ ratification, accession, and implementation of the Convention through a dedicated Project on Cyber crime. In April 2008, during one of its frequent cyber crime conferences, the COE called for Internet Service Providers (ISPs) to share more information on attacks and on the speed of responses to government data requests.
45. NATO started its cyber defence programme in 2002 after incidents in the late 1990s related to operations in the Balkans. As NATO began military operations against Serbia, numerous pro-Serbian hacker groups attacked NATO Internet infrastructure with the stated goal of disrupting NATO’s war-fighting capabilities.36 At NATO headquarters in Belgium, the attacks were a public relations setback. The NATO public affairs website for the war in Kosovo, where the Alliance sought to portray its side of the conflict via briefings and news updates, was “virtually inoperable for several days” thanks to DDoS attacks. A concurrent flood of email also choked NATO’s email server.37
46. As a result of this experience, NATO leaders at the 2002 Prague Summit directed that a technical NATO Cyber Defence Programme be implemented, establishing the NATO Computer Incident Response Capability (NCIRC). With an NCIRC Co-ordination Centre at NATO HQ in Brussels and an NCIRC Technical Centre in Mons, NATO has now equipped itself with an organisation capable of delivering several critical tasks, from the detection and prevention of computer viruses and unauthorized intrusion into NATO’s networks to the management of cryptographic devices for the Internet. In addition, NATO’s experts provide technical support for computer security incidents as well as policy and forensic services. The head of the NCIRC Co-ordination Centre, Suleyman Anil, is particularly concerned about the social profiling and targeting of NATO officials in increasingly sophisticated espionage attacks.38
47. NATO viewed the cyber attacks on Estonia as a serious “operational security” issue, sending at least one expert to Tallinn to assist the Estonians in an unprecedented act. Until the attacks, NATO primarily addressed the protection of its own internal systems rather than helping Allies to protect theirs. The attacks, however, demonstrated the need for an Alliance cyber defence policy that would also address the need for co-operation to protect critical communication systems beyond the encrypted networks of NATO HQ.
48. By the time Allied defence ministers met on 14 June 2007, exactly seven weeks after the first cyber attack on Estonia, NATO experts had produced a ‘lessons learned’ report that provided the framework for the future work necessary in the area of cyber defence. At their meeting in Noordwijk in October 2007, Allied defence ministers were presented with a more detailed NATO report thoroughly assessing the Alliance’s approach to cyber defence. The report recommended specific roles for the Alliance, as well as the implementation of a number of new measures aimed at improving protection against cyber attacks.
49. The report also called for the development of a NATO cyber defence policy – a policy approved in January 2008, and endorsed by heads of state and government at the Bucharest Summit that April.39 The speed with which the NATO Policy on Cyber Defence was agreed highlights the very broad political consensus amongst Alliance Members as to both the seriousness of cyber threats, and NATO’s potentially valuable role in this area. The Alliance’s relevant military and technical bodies are currently engaged in implementing the policy, as are the individual Allies.
50. Although the exact details of the NATO Policy on Cyber Defence remain classified, the establishment of the afore-mentioned CCD CoE in Estonia is one noteworthy step taken in line with it. Set up as a primary source of expertise for NATO in co-operative cyber defence related matters, the main tasks of the 30-person body include:
51. Funded entirely by its sponsoring nations,40 the CCD CoE can best be thought of as a research and learning centre where best practices are developed and shared.41 The Centre has already highlighted the development of a good legal framework as “perhaps the single most pressing need within the domain of computer network defence.” During a NATO PA visit to Estonia in 2008, the head of the Centre at the time, Lieutenant General Johannes Kert, stressed the need for an international agreement that clearly defines key concepts, and lauded the Council of Europe Convention on Cyber crime as a step in the right direction.42
52. As well as the CCD CoE, officials at NATO have also revealed the creation of a Cyber Defence Management Authority (CDMA) as part of NATO’s cyber defence policy. As its name implies, the CDMA is a NATO-wide authority charged with initiating and co-ordinating “immediate and effective cyber defence action where appropriate”. In a shift away from stressing the defence of its own internal systems, the Authority serves as a central command for the technical, political, and information-sharing efforts of Alliance members, as well as directing and managing existing NATO cyber defence entities. On request, the CDMA is also prepared and able to co-ordinate or provide assistance in a concerted effort if an Ally or Allies fall victim to a cyber attack of national or Allied significance.
53. The CDMA is unique in its structure because it consolidates the management of all of these tasks and agencies under a body with permanent political-level representation. At the time of writing, this is an innovation that has yet to be duplicated in either another international organization or country.
54. The CDMA enjoyed a substantial amount of agreement on its concept, and has been operational since April 2008. In impressively rapid fashion, within its first ten months, the executive body of CDMA convened five times, developed a concept of operations, held the first ever NATO cyber defence exercise and planned a second including 18 NATO member states. It also deployed an expert to Georgia, and endorsed a series of policies on issues from cooperation with Partners to legal aspects of cyber defence.
55. At the NATO Summit in Strasbourg/Kehl in April 2009, member states pledged to accelerate the acquisition of new cyber defence assets; make cyber defence an integral part of NATO exercises; and strengthen the linkages between NATO and Partner countries on protection against cyber attacks.43 Officials at NATO HQ continue to hold consultations with member states on the legal aspects of cyber defence.
56. Most recently, NATO officials have confirmed the development of Rapid-Reaction Teams (RRTs) to be made available to member states to counter cyber attacks. Whereas NATO dispatched ad hoc teams to Estonia and Georgia following the attacks in those countries in 2007 and 2008, the new RRTs will be on call and available for immediate deployment should a member country make a political-level request to the Alliance. Requests by non-members will have to be approved by the North Atlantic Council. Scheduled to be fully operational by 2012, the RRTs will consist of a combination of NATO members of staff and experts from member nations. If called into action, the RRTs will work under the direct guidance of the attacked nation.
57. Even so, despite the generally swift nature of NATO’s response to the Estonia cyber attacks, officials have indicated that institutional inertia within the Alliance continues to pose a challenge in addressing the threat expeditiously. In particular, internal debates on categorizing the nature of the cyber threat have made it harder to fast-track the acquisition of new cyber defence assets or equipment. In order to keep up with this evolving challenge, the Alliance may have to streamline its processes as it seeks to improve its cyber defence capabilities.
58. Diplomatic interest in the cyber attacks on Estonia was high, in part because of the Estonian-driven focus on the way in which Article 5 of The North Atlantic Treaty would be interpreted. Article 5 states that “an armed attack against one [Alliance member] shall be considered an attack against them all”. It has only been invoked once before, following the terrorist attacks of 11 September 2001.
59. Estonia, in particular, has been keen to examine the possible automatic extension of NATO’s collective self-defence clause to the victims of cyber attack. Because critical national infrastructures are growing increasingly dependent upon Internet-based applications, Estonian defence minister Jaak Aaviksoo has said that cyber war today represents an equivalent threat to the blockading of countries’ ports two hundred years ago – a nation’s access to the world could be denied. The analogy raises questions about whether cyber attacks should now be categorized amongst conventionally regarded acts of war.
60. In elaborating NATO’s cyber defence principles following the Estonia attacks, Alliance members have proceeded from the principles of Allied solidarity and recognition of national sovereignty. In other words, the common goal is that all NATO Allies will be ready and able to support each other in the event of a cyber attack and, in advance of this aim, will develop cyber defence capabilities within their own countries. However, statements by NATO officials have been careful to frame NATO’s cyber defence actions within Article 4 which reads: “The Parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence or security of any of the Parties is threatened.” Former NATO Secretary General Jaap de Hoop Scheffer also emphasized that there was general acceptance among NATO defence ministers that cyber defence was a “national responsibility”.
61. Cyber defence poses a special problem for NATO policymakers, who are seeking to maximize the deterrent effect of the Alliance in a domain that has a novel combination of limitations. The decision to announce an expansion of Article 5 to encompass cyber attacks may cause potential aggressors to think twice, but would it excessively restrict NATO’s options in a crisis management scenario? How can the danger of misidentifying an aggressor be avoided? If the source of a cyber attack can be identified with certainty, which forms of cyber attack can NATO consider as direct acts of aggression against a Member or Members, and which constitute indirect acts of aggression? And what is the best way for NATO to deal with the mobilization of informal volunteer groups to carry out deniable cyber attacks on behalf of a non-NATO member government?
62. Measures to address the threat to states from cyber attack have to be global and all-inclusive, drawing on government capabilities, companies, and society at large. In this way, cyber security initiatives are similar to initiatives advancing nuclear non-proliferation, and initiatives to combat terrorism. National parliaments have a pivotal role to play in addressing the threat of cyber attacks by shaping and voting on national laws, by ratifying international agreements, and by ensuring legal and other measures are correctly applied by their respective governments.
63. Specifically, parliamentarians should take the following measures on the domestic front.
a. Where it does not exist, support the development of a National Strategy on Cyber Security. This process includes the following steps:
i. Defining and classifying risks and threats in the area of cyber defence, and ensuring that practical measures are in place to deal with potential incidents. These measures should include effective Computer Emergency Response Teams and the designation of an established authority to direct and co-ordinate national cyber defence efforts.
ii. Scrutinizing the domestic legal framework, and ensuring that coherent and effective laws are in place to address the evolving threat from cyber space.
b. Ensure the ratification and entry into force of the Council of Europe Convention on Cyber crime.
c. Ensure their governments are swift in implementing NATO’s cyber defence policy and that their national strategies are consistent with the Alliance approach.
64. Internationally, parliamentarians should:
a. Support NATO’s CCD CoE initiative and take the necessary steps to ensure that the Centre has sufficient human, material and financial resources to achieve its objectives, as well as seconding national personnel there for training and exchange of best practices;
b. Encourage co-operation and the exchange of information between state authorities and crucial NATO cyber defence bodies such as the CDMA (only Turkey, the U.S., and Slovakia have signed agreements on working-level co-ordination with NATO at the time of writing);
c. Work in co-operation with Alliance members to draft model legislation that builds on the Council of Europe Convention on Cyber crime by:
ii. differentiating between ordinary computer systems and critical infrastructure information systems;
iv. defining key terms to these ends to build a NATO-wide conceptual consensus on cyber threats;
d. Encourage notable non-signatories such as Russia, China, Brazil, and India, to accede to the Council of Europe Convention on Cyber crime;
e. Verify the efficacy of NATO and member states’ cyber defence efforts through NATO’s periodic international exercises, and ensure that these exercises are fully funded and staffed; and
f. Support efforts to develop effective international regulations regarding the manner in which Internet Service Providers (ISPs) handle malicious traffic, and minimum security standards for computers allowed to use ISP services.
65. Parliamentarians should remain cognizant of the fact that in pursuing the above recommendations, they are playing a key role in addressing vulnerabilities that could seriously impact NATO and fellow member states.
66. However, they should also bear in mind the following points of caution.
a. Whilst cyber attacks represent a serious threat to international peace and security, many are in fact examples of vandalism or hooliganism. The public backlash to the misuse of national security laws for the prosecution of acts of civil disobedience in cyber space has the potential to undermine support for broader efforts to implement cyber security measures that are crucial to Allied security.
b. Noting that arms races have historically preceded wars and outbreaks of violence, and that systems experiencing rapid technological innovation are prone to arms races, ensure that the development of cyber defence capabilities by state bodies does not begin to take on a dynamic of its own.
67. All indications signal that cyber attacks are now one of the most serious asymmetric threats faced by the Alliance and its member states, along with terrorism and nuclear proliferation. The open nature of the Internet makes preventing cyber attacks difficult; effective international cooperation will be critical to addressing this problem in the years to come. As the world’s premier collective defence entity, NATO has a responsibility to take adequate measures to protect itself from such threats, as well as having a potentially significant role to play in contributing to the cyber defence of its Members, both through deterrence and by co-ordinating common cyber security measures. NATO’s new strategic concept should reflect this important new element of Alliance activity. National parliamentarians have an important role to play in hastening the implementation of NATO’s cyber defence policy, as well as ensuring that cyber security measures are responsibly put in place and exercised at the domestic level.
* Hacking: breaking into secure computer networks to access restricted information.
* Malware: malicious software in general. A common form is the ‘Trojan horse’ programme, which hides malicious computer code within an innocent-looking document or application. A computer infected with malware can be controlled by the attacker and directed to carry out functions normally available only to the system owner.
* Botnet: a collection of computers infected with malware that an attacker can exploit.
* DDoS: use of a botnet to overload a computer network server with requests so that it can no longer function.
* IP Traceback: a name given to any method of reliably determining the origin of a packet of data on the Internet. Of limited use against most DDoS attacks, since these are carried out by botnets of unknowing ‘zombie’ computers that have been hijacked by malware: tracing a packet leads back to a compromised machine, not to the attacker controlling it.
* Keystroke loggers: computer programme used to record the sequence of keystrokes that a user types in. Keystroke loggers may be introduced by malware or can be built into the computer hardware itself.
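The glossary entries for botnets, DDoS and IP traceback can be made concrete with a small detection example. The following script is an added illustration and is not part of the NATO PA report: it parses constructed web-server log lines (the addresses, timestamps and thresholds are assumptions for the example), counts requests per second and per source, and classifies each second as normal, a single-source flood, or a distributed flood. The point it demonstrates is the one made under IP traceback: in a botnet-driven attack each source sends only a trickle, so blocking or tracing individual addresses does little even though the aggregate rate is many times normal.

```python
"""Added illustration (not part of the report): a request-rate detector
run over constructed web-server log lines, distinguishing a single-source
flood from a botnet-driven DDoS. All log lines, IP addresses and
thresholds are constructed assumptions for this example."""
from collections import Counter, defaultdict
import re

# Common Log Format subset: IP ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _size = m.groups()
    # timestamp looks like 24/Mar/1999:10:00:01 +0000 -> key on the second
    second = ts.split()[0]
    return {"ip": ip, "second": second, "request": req, "status": int(status)}


def analyse(lines, agg_threshold=50, per_ip_threshold=20):
    """For each second of traffic return the aggregate request count, the
    number of distinct sources, the busiest source and a classification.

    agg_threshold: requests/second above which the server is considered flooded
    per_ip_threshold: requests/second from one source that mark it as the culprit
    """
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[rec["second"]][rec["ip"]] += 1

    results = {}
    for second, counter in sorted(per_second.items()):
        total = sum(counter.values())
        top_ip, top_n = counter.most_common(1)[0]
        if total < agg_threshold:
            verdict = "normal"
        elif top_n >= per_ip_threshold:
            # one address dominates: rate-limiting or blocking that source works
            verdict = "single-source flood"
        else:
            # many low-rate sources (a botnet): per-address blocking or traceback
            # only ever reaches the hijacked 'zombie' machines
            verdict = "distributed flood"
        results[second] = {
            "total": total,
            "sources": len(counter),
            "top_ip": top_ip,
            "top_rate": top_n,
            "verdict": verdict,
        }
    return results


def build_sample_log():
    """Constructed sample log: one second of normal traffic, one second of a
    single-source flood, and one second of a distributed flood from 60 bots."""
    lines = []
    fmt = '{ip} - - [{ts} +0000] "GET /briefings HTTP/1.1" 200 512'
    # second 1: five ordinary visitors, one request each
    for i in range(5):
        lines.append(fmt.format(ip=f"192.0.2.{i + 1}", ts="24/Mar/1999:10:00:01"))
    # second 2: a single host sends 70 requests
    for _ in range(70):
        lines.append(fmt.format(ip="198.51.100.7", ts="24/Mar/1999:10:00:02"))
    # second 3: 60 distinct bot addresses each send only 2 requests (120 total)
    for i in range(60):
        for _ in range(2):
            lines.append(fmt.format(ip=f"203.0.113.{i + 1}", ts="24/Mar/1999:10:00:03"))
    return lines


if __name__ == "__main__":
    for second, result in analyse(build_sample_log()).items():
        print(second, result)
```

Run against the constructed log, the second-2 flood is attributed to one address that can simply be blocked, whereas in second 3 no single source exceeds two requests per second even though the server receives 120; that is the situation the report describes, in which traceback and per-address countermeasures reach only the zombie machines rather than the operator of the botnet.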
1 In 1998, the U.S.-based Presidential Commission on Critical Infrastructure Protection reported that protecting cyberspace would become crucial for national security.