With Russian cyberattacks on the rise, NATO nations ready to play offense

A cyberattack closed some of Europe’s biggest airports last month, including London Heathrow, Berlin Brandenburg and Brussels, stranding thousands of passengers as hackers held online data for ransom. The target company, Collins Aerospace, builds check-in systems for airlines, but it also recently won a contract to help NATO wage electronic warfare.
It was another in a series of high-profile cyber incursions into Europe. A few months earlier, hackers opened the floodgates of a Norwegian dam by exploiting a weak password – a mix of real sabotage and cyber sabotage that authorities attributed to Russia.
Such cyberattacks are on the rise, warns a report released this month by the European Union Cybersecurity Agency, and they are often carried out by China and Russia to “erode the resilience” of Western countries.
Why we wrote this
As China and Russia attempt to weaken NATO countries through cyberattacks, the alliance is responding with plans to improve coordination, including counterattacks.
As a result, NATO is strengthening its cyber defenses and improving its tracking of online intruders, compiling databases of hacks that experts liken to fingerprints. Internally, alliance members also grapple with questions at the heart of deterrence. This includes strategizing when to play defense and when to go on offense. NATO member states are also debating what type of cyberattacks merit real military retaliation.
Offensive cyberwarfare is not a topic traditionally discussed openly by NATO officials. But like the online landscape itself, it’s changing rapidly.
“Sometimes an attack is the best defense,” says Lt. Col. Christoph Kühn, chief of staff of the NATO Cooperative Cyber Defense Center of Excellence here in the Estonian capital, once a major medieval trading center and now a cultural and technological hub.
As officials on the digital front lines become accustomed to fending off waves of increasingly sophisticated cyberattacks, they are more willing, analysts say, to discuss the benefits of embedding themselves in adversaries’ systems.
“You can train teams to defend themselves in the event of an attack. You can also – and we must be able to talk about this – train offensive teams,” says Lauri Almann, former permanent secretary of the Estonian Defense Ministry. “Passive defense [alone] is not an option.”
There is also a psychological aspect: playing on offense, Mr. Almann adds, helps managers understand the state of mind of cyber adversaries.
However, as some NATO members develop more offensive cyber capabilities, the alliance is weighing how these measures, which could strengthen the security of the whole, might also compromise the hard-won cyber secrets of some member states by inadvertently revealing capabilities or exposing key cards in other states’ cyber defense hands.
“It’s a very complicated kind of dance,” says Hans Horan, a strategic analyst at the Center for Strategic Studies in The Hague, who specializes in intelligence and cyber threat security. “How do you engage in a cyberattack while ensuring that the priorities of different nation states are not compromised in the process?”
At the forefront of cyber defense
In 2004, NATO was not particularly interested in improving its cyberattack capabilities, or even its defense.
That was the year Estonia joined NATO. It was also the year that officials in Tallinn, eyeing the Kremlin with suspicion, suggested the alliance create a special center to study cyberwarfare.
The idea was quickly rejected by NATO officials at the time.
But Tallinn officials moved forward and the city built its own research branch. “It was one of the best decisions” his country of just 1.3 million people — a population the size of Dallas — has ever made, Mr. Almann said.
In 2007, Estonia became the first NATO member to suffer a massive cyberattack targeting a country, widely considered one of the first major examples of cyberwarfare. The attacks were attributed to pro-Russian groups in response to the Estonian government’s decision to relocate a Soviet-era war memorial, the “Bronze Soldier,” a sore spot for Estonia and Russia. The attack lasted for weeks. But Estonia fought back, in part thanks to the war simulation exercises it had conducted.
After that, Estonian officials convinced NATO to create the cyber center they had proposed three years earlier.
Mr. Almann has since applied what he learned at the Defense Department to launch a company, CybExer, which builds online training stands. Clients, including European government agencies and airport executives, pay to “train” to respond to artificial cyberattacks.
Behind him, a simulated map of London lights up on a cyber-scope as cell towers stop working and power grids collapse.
The war game scenarios here are varied: an airplane refueling pump at an airport gate won’t stop, and within minutes a runway could be filled with gasoline. In another, the cooling system of an internet server farm is hacked, causing a fire – echoing an event that actually happened in Estonia.
Even civil servants who don’t have computer skills can face large-scale problems, says Mr. Almann. “When it comes to cybersecurity, not all questions are technical.” They could involve anything from the system shutdowns the company will require to whether or not to pay a ransom demand.
Likewise, right next to the NATO Cyber Center, war game exercises are held in which participants do not just try to eject intruders and erect firewalls, but also practice the critical art of strategic decision-making, explains Lieutenant Colonel Kühn.
In a single fiscal year, some 8,000 virtual systems could be subject to 8,000 simulated cyberattacks from criminal gangs, state-sponsored actors, or states themselves. This is an opportunity for participants to practice their responses, he adds. “Are they going to say, ‘You attacked us, so we’re attacking you?’ It’s strategic thinking, and we try to train it.”
Attack, defense or survival?
In the cyber domain, some NATO members are primarily defensive-minded and others are more attack-minded. Regardless, some have recently decided they have no choice but to go on the offensive, says Lieutenant Colonel Kühn.
These counterattacks are generally not the kind of gentle sabotage found in spy films. Instead, they most likely involve reconnaissance, or concealment, operations in adversary systems. Anything that involves moving from one state’s system to that of another state is considered an offensive operation.
NATO, as an alliance, does not have its own offensive cyber capabilities. Part of the role of the NATO Cyber Center in Tallinn is therefore to help countries develop policies in this area.
“We give the right and left borders, and it is the governments’ [job] to decide” on their own strategies and policies, explains Lieutenant Colonel Kühn.
The challenge, however, is that this free-for-all can create a disjointed approach to cyber challenges within the alliance, says Mr. Horan of the Hague Center.
Some members, for example, prefer not to share secrets with countries they believe do not take cybersecurity seriously. When Spain signed a contract with Chinese company Huawei to supply components for its 5G infrastructure, it caused “a big hubbub” within NATO, Mr. Horan adds, over whether countries should continue to exchange intelligence with Madrid.
“We don’t share as much evidence as we should,” acknowledges Tõnis Saar, director of NATO’s Cooperative Cyber Defense Center of Excellence. “It’s definitely something we should practice more.”
But progress has been made on other fronts, analysts say. NATO countries are gradually getting better at attributing cyberattacks as they create databases that track different styles of hackers.
Lieutenant Colonel Kühn takes the example of fingerprints recorded in criminal laboratories. When they first started being used, “there weren’t a lot of examples,” he says. “Now we’re getting more and more.”
Still, the improvement is what he describes as “a little better. Not really much better.”
At the same time, the question remains how NATO should react once it has identified the culprit of the hack. The problem with retaliation is that it often reveals adversaries’ vulnerabilities that attacking countries prefer to keep secret until they are absolutely forced to use them.
There has also been debate over the invocation of Article 5, NATO members’ commitment to treat an attack on one member as an attack on all.
When the Geneva Conventions were created, no one questioned whether a computer virus should be considered a weapon or an attack that could lead to retaliation, explains Lieutenant Colonel Kühn. “And it’s not entirely clear yet.”
At the same time, cyberattacks are “much, much more sophisticated” than they were in 2007, Mr. Almann says, when Russia besieged the Estonian government online.
There should be “no automaticity” to invoking Article 5, although there could come a time when these attacks justify it, he adds, if they lead to “consequences and damage that we have not yet seen.”


