A new NATO military command centre able to deter cyber-attacks should be fully staffed and operational in 2023, but the alliance still lacks ground rules for doing so, a senior general announced at NATO’s annual cyber conference in Mons, Belgium on Tuesday (16 October).
Meanwhile, the EU is considering sanctions against cyber perpetrators as fears of outside meddling are growing in the run-up to the European elections next May.
The NATO Communications and Information Agency (NCIA) headquartered in Brussels currently has a workforce of 1,500 civilian and 1,000 military “cyber warriors”, with an estimated budget of €1 billion for 2019. The facility provides assistance from air and missile defence, education and training, operational analysis, joint intelligence and services for securing laptops.
The now newly announced cyberspace operations centre (CYOC) which will be based at the military headquarters (SHAPE) in Mons is meant to host a 70-strong team of experts fed with military intelligence and real-time information by 2023.
“Our ultimate aim is to be completely aware of our cyberspace, to understand minute-by-minute the state of our networks so that commanders can rely on them,” said Ian West, chief of cybersecurity at the NATO communication agency.
NATO does not have its own cyber weapons. In response and as a message primarily aimed at Russia, several countries, including the US and Estonia, have offered the Alliance their cyber capabilities in recent weeks.
EU considers sanctions against cyber attackers
The announcement came following last week’s (11 October) report from the Dutch intelligence services in partnership with the UK that a range of cyberattacks was carried out by the GRU, the Russian military intelligence service, on various sectors ranging from sport to transport and the 2016 US presidential election.
During an EU summit in Brussels on Thursday (18 October), EU leaders are set to pledge stronger measures to equip themselves against cyber attacks and feared interference in next year’s European elections in May.
The EU already has sanction regimes in place for violations of nuclear and chemical weapons accords. According to a proposal presented last week by countries including the UK, Netherlands, Estonia, Finland, Lithuania and Romania, the leaders will discuss establishing a cyber sanctions regime and expanding the scope of measures against individuals and organisations behind such attacks.
The measures could include freezing assets and banning them from entering the EU.
“This is, however, just a deterrent with small firepower, so to say,” an EU diplomat told EURACTIV on Wednesday.
“While conventional warfare missteps can be brought before a relevant authority, there is no legal institution that could decide on who the perpetrator of a cyber-attack is: all we have is confidential intelligence data and the interpretation of treaties that are not equipped for the cybersphere.”
Mutual defence clause and cyber
According to NCIA General Manager Kevin J. Scheid, the three weeks during the 2018 July Summit period have seen a significant increase in malicious activity, with a peak during the two summit days. “We see that we have to step up our cybersecurity so that we are prepared for a major strike or resilient enough to survive a first strike,” he told the cyber conference audience.
“Our concept of operations, a toolbox for short-notice decisions about how to respond, is not in place yet. This is one of the challenges we face,” Major General Wolfgang Renner, a German air force commander who oversees the new cyber operations centre, or CYOC, told the conference in Mons.
Approved by NATO defence ministers during the 2014 Wales Summit, the Alliance updated this Article 5 provision towards a new cyber defence policy in which cyberspace was recognised as the new defence frontier.
Article 5 states that an “armed attack” against one member of NATO “shall be considered an armed attack against them all” and opens the way for members to take defensive action to restore security. Following the agreement, a digital attack on a member state is now covered by Article 5.
“A decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis,” the Wales provision reads.
“We have to be prepared, to be able to execute operations in cyberspace. We have already gone beyond protection and prevention,” he told reporters.
According to him, the aim is to integrate national cyber capabilities into alliance operations, if possible cyber-warfare principles can be agreed upon. Actions might then be coordinated through the new cyber operations centre and quick decisions on whether to use cyber measures taken under the command of NATO’s Supreme Allied Commander in Europe (SACEUR).
“In my opinion, something like this is basically possible, but it has to be arranged,” Renner said.
Legal question about attribution
“From a legal perspective, what we see is a trend of disagreement about the law by the US, Russia and other countries, but also disagreement between developing countries and developed technically agile countries; between scholars – and even between allies,” said Eneken Tikk of the Cyber Policy Institute in Finland.
“What we need to take very seriously is legal inclination,” said Tikk, especially when it comes to the interaction between law and cybersecurity, “the biggest challenge, the elephant in the room we keep facing, is bringing it all together: our strategic ambitions, national realities and the lessons learned.”
“When I work with governments around the world I sense a growing unease, both towards these capabilities and towards this assumed right to conduct cyber operations,” she told the NATO cyber conference in Mons.
“NATO cannot create its own code of international law, given the tensions that are currently there. We can agree, that is a great step. But I have a hard time imagining how all NATO members will adopt this idea that sovereignty is not a legally protected good,” she concluded.