Two years after recognising cyberspace as a domain for military activity, Nato is grappling with the implications for its members of the new cyber-warfare reality, according to officials speaking yesterday at the Cybersec Forum 2018 in Krakow.
The session, featuring officials from Nato and member countries, was entitled "Operationalizing Cyber Defence: a key shift in Nato policy and planning" and was chaired by Romanian ambassador Sorin Ducaru, senior fellow of the Hudson Institute and former assistant secretary general for emerging security challenges at Nato.
Ducaru told the audience that the recognition of cyberspace as a military domain had two implications for the alliance:
- Nato will assume that all future conventional operations will take place in a degraded cyber environment due to enemy activity.
- Nato must develop its nascent cyber-offensive mandate, which will be developed, maintained and delivered by members of the alliance.
[Photo: Cdr Michael Widmann and Ambassador Sorin Ducaru]
Antonio Missiroli, assistant secretary general for emerging security challenges at Nato, told the audience that Nato members are spending more on cyber-defence. In fact, he said that for many members, increasing spending on cyber-defence is easier than finding more money for conventional military capabilities.
Recent statements by the UK and Netherlands intelligence services regarding cyber-attacks planned by the GRU intelligence agency in Russia – and subsequent supportive statements from the European Union – demonstrate that Nato and Europe are presenting a united front against Russian aggression, he said.
But he said that this is not the final word on the topic – cyber is a fast-moving policy domain and he expected to see many new developments in the next year.
Tomasz Zdzikot, secretary of state at the Polish Ministry of National Defence, said that the challenge for Nato members now is to develop the cyber capabilities to be able to support cyber-operations. However, cyber-capability in itself is not enough, he said – states must also develop the legal framework to justify and control cyber-operations, especially those of an offensive nature.
While cyberspace is a new domain for warfare, it is not inherently special, said Brigadier General Hans Folmer of the Netherlands Army. The use of cyber-weapons has ramifications, not only in direct effects on an opponent but also in terms of political implications.
Folmer said that development of specialist software – or offensive malware – is not sufficient to create a cyber-offensive capability: states must also develop the right people and processes to control the use of cyber-weapons because ultimately control lies with the politicians.
[Photo: Antonio Missiroli, Tomasz Zdzikot, Brig Gen Hans Folmer and Justin Kershaw]
Commander Michael Widmann, head of the strategy branch at Nato’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), told the audience that Nato’s cyber-operations doctrine is currently in its third draft. He said that significant progress had been made in several areas but members were currently stuck on the definitions of defensive and offensive cyber-operations.
"I think we are close enough now, the mindset of the alliance has shifted enough, to realise that you cannot be a bystander when it comes to cyber," he said. Even though Nato is a defensive organisation, it does not mean that Nato cannot have offensive capabilities, he added.
He noted that a key concern for Nato – which it is addressing in its education programme – is how to integrate cyber into conventional operations and, he added, many conventional military exercises now incorporate cyber as a key component.
He expects the doctrine to be finalised early next year.
A challenge for Nato countries is responding to cyber-attacks because of the sheer speed at which they happen, said Missiroli. Nato is developing a "cyber playbook" as guidance for network operation centres which must respond to incidents.
Zdzikot said that cyber commanders have guidance, doctrines and strategies which are very good but what is needed now is a legislative framework within Nato countries to support cyber-operations.
He warned against each country developing legal frameworks by itself. "It’s a challenge, it’s a task for the Nato alliance and the international community to create more law and less political operation," he said.
Speaking to SC Magazine UK after the session, Ducaru reiterated the importance of Nato members developing the capabilities and the legal framework to deploy defensive and offensive cyber-tools.
Five members of Nato have enacted domestic legislation to support cyber-offensive operations. Those countries which have not developed that legislation are not in a position to offer support for action, he said.
"They don’t have legislation to support it, but Nato has already decided under what parameters it would think about employing offensive cyber-capabilities," Ducaru said.
He said that the cyber-operations domain should be treated just like other domains of warfare, with an approach adopted that matches the planning, training and doctrines of conventional warfare.
Cyber is still a work in progress for Nato, and while cyber-operations centres have been created, the concept of operations, or CONOPS, is still in development, he said.
However, cyber-offensive capabilities will be essential to the defence of the alliance, he said, because there is a recognition that states cannot be bystanders to cyber-attacks and the ability to retaliate – through political, diplomatic, cyber or conventional military means – is essential for deterrence.