311 Dunn Fixed
7/30/2019 311 Dunn Fixed
NATO's New Tricks
Cyber-Allies
Strengths and weaknesses of NATO's cyberdefense posture
Myriam Dunn Cavelty | NATO has more of a history with cybersecurity than is widely known. With its new strategy and continued investments, the Alliance seems to want to expand its cybersecurity capabilities and responsibilities dramatically. But NATO needs to avoid its Article 5 aspirations for cyberattacks and risks taking on too much cybersecurity accountability.
IP Global Edition 3 / 2011
Looking back, 2010 seems to have been dominated by reports on one security issue in particular: cyber threats. The discovery of Stuxnet, the industry-sabotaging super worm that scared politicians all over the world; tales of (Chinese) cyberespionage in many variations; the growing sophistication of cybercriminals as evidenced by their impressive scams; as well as Wikileaks' release of US diplomatic cables and the subsequent actions of the hacker group Anonymous all catapulted the cyber topic from the realm of geeky experts and military strategists to a mainstream public fear. Whether the damage inflicted by cyberattacks is becoming more frequent, more organized, and more costly or if our perception has merely changed is unimportant. The outcome is clear: cyberattacks are considered one of the top security threats and have been anchored firmly in national strategy documents all over the world.
Given this general mood, NATO's mention of cyberattacks as one of the primary future security concerns in its new Strategic Concept of November 2010 was widely applauded. But NATO was not just following the common strategic trend: this reference in its new roadmap marked the temporary culmination point of the Alliance's dealing with the threat.
The Cyberthreat Debate Opens
NATO's own cyberstory begins in the late 1990s. Via American forces, during the Kosovo Operation Allied Force in 1999 NATO was exposed to the operational reality of what has come to be called information operations. On the one hand, this multifaceted military doctrine tested by the United States during the campaign is a continuation of the aims of classic wartime information policy. On the other hand, it is shaped by the central premise that information dominance is not only an auxiliary to war fighting, but a form of combat in its own right that is suitable for determining the final outcome of conflicts. As a side effect, it focused Western strategists' minds on their Achilles' heel and also marked the beginning of the cyberthreats debate as we know it today. The more they thought about disruption of enemy information, infrastructures, and networks, the more the vulnerability of their own military and civilian networks became clear, and with it, the blatant insecurity of essential assets of industrialized societies practically run by these information networks, the so-called critical infrastructures.
What happened to NATO during the Kosovo conflict was not severe or critical, but a painful wake-up call: its website was hacked by pro-Serbian hackers and its e-mail server was clogged. The website remained unavailable for days, which was an acute embarrassment. Far more important for the development of NATO's cyberdefense than this hacktivism, however, was the systematic cyberattack of Estonian networks in 2007. When Estonian authorities began removing a bronze statue of a World War II-era Soviet soldier from a park, a three-plus-week cyberspace battle ensued in which a wave of so-called Distributed Denial of Service attacks (DDoS) swamped various Estonian websites with tens of thousands of visits, disabling them by overcrowding the bandwidth for the servers running the sites.
Even though it was not and will never be possible to provide sufficient evidence for who was behind the attacks, various officials readily and publicly blamed the Russian government. Also, despite the fact that the attacks bore no truly serious consequences for Estonia other than economic losses, some officials even openly toyed with the idea of a counter-attack in the spirit of Article 5 of the North Atlantic Treaty, which states that an armed attack against one or more NATO countries shall be considered an attack against them all.
The Estonian incident was important for NATO's cyberidentity in several ways. First, it clearly showed the limits of old-school strategic logic in the face of cyberattacks and also shaped the perception that the Alliance lacked both coherent cyberdoctrine and comprehensive cyberstrategy. Second, the incident also changed the way NATO perceived its own role in cyberdefense matters. Before the incident, NATO had almost exclusively focused on the protection of their own networks; afterward, the need for extended cyberdefense for the Allies came into focus.
Cyberdefense Management in the Status Quo
In brief, NATO's current cyberdefense structure consists of three organizational units. The first unit, NATO's Computer Incident Response Capability Technical Centre (NCIRC TC), was set up in the aftermath of the Kosovo conflict and website hack. The NCIRC TC monitors NATO-related websites and provides 24/7 technical response for cyberthreats. As part of an amended version of NATO's cyberdefense policy, which is due this summer, the NCIRC TC's capabilities are expected to be strengthened.
Second, NATO set up the Cyber Defence Management Authority (CDMA) in 2008, in order to centralize, manage, and coordinate cyberdefense operational capabilities across the Alliance. In the future, the CDMA will evolve into a war-room operation for NATO's cyberdefenses with actual tactical responses carried out by member states. Third, the Cooperative Cyber Defence Centre of Excellence, with its clumsy acronym CCD CoE, was set up in Tallinn. Whereas the CDMA is charged mainly with coordinating NATO's cyberdefense in an operational capacity, Estonia's CoE advances the development of long-term NATO cyberdefense doctrine and strategy, seeking to be the main source of expertise in the field of cooperative cyberdefense.
So, what can be made of NATO's cyberdefense structure? A proper evaluation of its actual capabilities like available hardware, software, or specialists is not possible due to the lack of public information surrounding the exact set-up and endowment of these units. What becomes clear from public sources, however, is that NATO's cyberdefense system is still in its infancy, though a considerable amount of money seems to be flowing into grooming and improving it.
Duty Bound to Cyberdefense?
NATO being what it is, one specific topic keeps surfacing when cyberthreats and necessary countermeasures are discussed. Currently, NATO's cyberdefense actions are framed within Article 4. It means that members will consult together in the case of cyberattacks, but are not duty bound to aid each other as described in Article 5 of the Treaty. Cyberdefense remains predominantly a national responsibility, but NATO puts a lot of effort into building up structures to offer this consultation. Whether the Article 4 approach is sufficient remains a point of debate. According to some newspaper reports, explicitly extending the definition of attacks that trigger activation of the Alliance to include cyberattacks (and thus changing Article 5) was part of the draft version of the new Strategic Concept circulated by Secretary General Rasmussen ahead of the Lisbon Summit.
The main reason behind this was likely a desire to maximize the deterrent effect of the Alliance in the cyberdomain. However, the cyberdomain poses considerable deterrence limitations. Deterrence works if one party is able to successfully convey to another that it is both capable and willing to use a set of available (military) instruments in retaliation if the other crosses a line. But for this to work, the opponent should first, be a state, and second, be identifiable as an attacker. While states can be behind some cases of cyberincidents (they are not usually the culprits), attackers do not have to fear retaliation, since they can likely remain anonymous if they choose. It is particularly tricky to identify actors in a timely manner due to frequent time lapses between the action that a perpetrator takes, the intrusion itself, and the effects of the intrusion. And even if one or several perpetrators could be identified with certainty, proving that a state actor (or a terrorist organization) had coordinated their actions would be the next difficulty.
The second argument for changing Article 5 is to clarify what kind of a cyberattack should trigger NATO's response. However, according to many experts, changing it would have come at a disadvantage for the organization because it would decrease its current flexibility. Furthermore, the existing framework already accommodates one specific kind of cyberattack: one whose effects are similar to an armed assault, for example, in casualties and destruction comparable to a military attack. This preserves the logic of Article 5 and prevents a dangerous expansion of war-logic into the domains of low-level, low-impact cyberattacks, which constitute the majority of worldwide cyberincidents. Though they are often portrayed as a huge problem, most cyberattacks only cause mild inconvenience rather than serious or long-term disruptions.
Keeping NATO's cyberdefense within Article 4 mechanisms is in fact crucial if NATO wants to remain a credible player in cybersecurity matters; anything else would lead to severe legal, practical, and strategic problems. However, it is very likely that there will be further attempts to move the cyber topic under the frame of Article 5. Since the potentially devastating effects of cyberattacks are so scary, the temptation is to not only think about worst-case scenarios but also to give them added (often too much) weight despite their very low probability. This, however, will always result in calls for an aggressive, militarized response, which poses more of a problem than a solution to cyberinsecurity.
For the same reason, cyberdeterrence can also be expected to garner sustained attention in the future. In theory, effective cyberdeterrence requires a wide-ranging scheme of offensive and defensive cybercapabilities supported by a robust international legal framework as well as the ability to attribute an attack to an attacker without any doubt. Whereas defensive cybercapabilities and the design of better legal tools, actually a current focus of NATO's Tallinn Centre, are relatively uncontested and worth investing time and money in, an open or clandestine cyberarms race must be avoided at all costs because it would have hugely detrimental effects on the way humankind uses the internet. The same can be said for the attribution problem, which, were it to be solved, would come at a very high cost for privacy. States, their militaries, and NATO should also think long and hard about whether the uncertain promise of an increase in security is really worth the sacrifice of cyberspace as we have come to cherish it.
Cybersecurity and cyberdefense are tough issues for state actors all over the world, and perhaps even more so for an organization like NATO. The nature of the problem raises the critical question of what role states should and actually can play in the field of cybersecurity. Clearly, it is plain impossible for the state to increase the cybersecurity of an entire country by itself. Most affected by cybercrime and espionage is the private sector, which owns most of the critical infrastructure. Unless the state wants to vastly increase regulation, it cannot ensure the security of these assets. Therefore, most states focus on the protection of their own networks and, through their legislative bodies, try to ensure that any existing gaps in internet law are closed. Furthermore, close partnerships with the corporate sector and international partners are pursued, mostly in order to exchange information on threats and issues.
All of these elements, namely the focus on the protection of its own networks, the inclusion of many stakeholders, and the international dimension, are also part of NATO's cyberdefense concept. In theory at least, NATO measures up well with international standards. However, the more recent tendency to expand the logic of its cyberdefense, from the narrow confines of their own networks to those of their Allies, risks meddling with this historically grown logic of who can do what in cybersecurity. This will inevitably lead to problems. Expanding incident response to member states makes sense as long as cyberdefense is seen as a building block and confidence-building measure within NATO's transformation. However, if this expansion is promulgated as a mission to protect civilian infrastructures in general or if there is a belief that NATO can be a key player in enhancing cybersecurity as a whole, NATO has created its own major public relations fiasco.
The problem is that two different types of security logics clash when an organization like NATO takes on cybersecurity or cyberdefense. When the words "security" and "defense" are used with the prefix "cyber," they mean something fundamentally different from security and defense in an (inter-)national security setting. There, security is a binary concept: either one is secure or one is insecure. Cyberdefense on the other hand is a sexy word for computer security or information assurance, which is concerned with analyzing the risk to information networks and then mitigating the identified risks by technical (and occasionally organizational) means. Risk is a concept aimed at managing an ongoing process, and is by definition linked to the notion of being insecure. As every systems administrator knows, his or her goal is not to eliminate all risks (even if this were possible) but to manage them in the most cost-effective way. Information networks, therefore, can never be secure in the national security sense. In fact, the opposite is true: cyberincidents are deemed to happen under the logic of risk because they simply cannot be avoided.
In the national security setting in which NATO is situated, this constitutes a formidable communication challenge. How can one promise security where there can be none? All in all, NATO's cyberdefense concept measures up to other cyber security concepts out there. However, the gravest threat to the Alliance in the cyber realm may be getting saddled with public accountability and ridicule if something goes wrong despite its substantial investments. Thus NATO might also want to start thinking carefully about investing in expectation management.
MYRIAM DUNN CAVELTY is head of the new risks research unit at ETH Zurich and a fellow at the stiftung neue verantwortung, Berlin.