Sophia Besch / Nov 2018
NATO’s primary and most urgent cyber task is the protection of its own communications systems and networks. But the alliance also offers training opportunities and has tried to make information sharing between allies easier, in order to help capitals to protect their systems and ‘critical’ networks from attacks.
NATO has no legal enforcement mechanisms and persuading the allies to strengthen their cyber defences is a challenge. In defence spending, a more traditional field of NATO responsibility, the alliance has a high-profile instrument at its disposal to exert pressure on allies: the two per cent pledge. NATO has decided to take an analogous approach to its cyber work. The ‘cyber defence pledge’ was conceived in 2016. It makes NATO responsible not just for protecting the alliance’s networks but also for setting best practices and standards and raising resources and awareness in capitals.
NATO allies have now begun to allocate more resources to the protection of national networks. It is difficult to tell how much of that progress is linked to the cyber pledge: repeated cyber attacks on NATO allies in recent years have given them good reason to invest voluntarily. However, like the two per cent defence spending pledge, the cyber pledge can be useful in giving added political legitimacy to those warning of the need for urgent action and pushing for increased cyber spending.
Unlike the two per cent pledge, however, it can be hard to tell how much cyber spending is enough. Computer hardware and software are cheap compared to conventional defence kit such as fighter jets, even if the cost of training humans for cyber tasks is high. One problem is that there is no simple formula for how much cyber defence is required. NATO has always justified its defence equipment requirements by asking allies to match the armament efforts of hostile countries, in particular Russia. It is difficult to quantify cyber requirements in the same way.
Instead the cyber pledge focuses on the effects of investment, such as whether a member-state is able to monitor a network 24/7, or to detect and trace attacks. A simple comparison of cyber strength between NATO and Russia, North Korea or China is difficult. But many point to the strength of Western countries in innovative technologies as a considerable advantage. Still, NATO struggles to reap the fruits of the innovative businesses located in its member-states. Its lengthy and often overly bureaucratic procurement process restricts NATO’s ability to access the newest cyber defence technologies. In a field where technology is moving very fast, NATO will forever lag behind if it cannot reform the way it procures cyber capabilities.
The cyber pledge will not work unless the private sector is also involved: NATO should embrace its role not just as a platform where allies can share information, but also as a forum for exchanges with industry. Businesses will often have experienced similar or worse attacks on their networks than NATO and member-states, and can share lessons learnt. NATO has established a platform to share information with industry, but the database is only being used for unclassified technical characteristics of malware for the time being, and thus is limited in its usefulness for users.
The alliance also has a clear security interest in fostering civil-military and public-private co-operation in the field of network protection. Not all critical infrastructure networks are under military or government control. But at the moment, if, for example, a power plant in a NATO member-state were suddenly to shut down, NATO Headquarters would probably not be the first number a company called, even though the security and defence implications of a compromised electricity grid could be severe. In spite of their importance, civilian networks are currently left to individual NATO allies to look after. An attack on civilian infrastructure networks could be both economically damaging and a defence threat: for example, if an attacker hacked the German rail network at a time of tension, they could prevent NATO reinforcements moving forward, and simultaneously cripple the German economy. This is an obvious area for NATO-EU co-operation. But while NATO and the EU have stepped up their co-operation efforts in a number of areas in recent years, with cyber security high on the list, their exchanges remain slow and formal, limited to non-classified information.
Information-sharing is a major problem for NATO allies. While NATO can offer useful tools and a secure environment, it always relies on national players to provide input on the cyber attacks they have experienced and the tools they are developing to defend against future incidents, not least because once a cyber measure has been deployed and its effect revealed, its potency is lost and it can often never be used again.
NATO should lead by example: it should reform its acquisition processes to fit the development cycles of cyber technology, make sure that personnel are trained to see the cyber security dimension of their everyday work, seek out co-operation with industry, and improve its co-operation with the EU through better information-sharing mechanisms and more joint cyber exercises. But to get its allies to increase their efforts domestically and to learn from each other, NATO still relies primarily on peer pressure. The hope is that the cyber pledge will be more persuasive than its defence spending equivalent.