Home / Our news and views / Cyber security and defence: protection in air, land and cyberspace

Cyber security and defence: protection in air, land and cyberspace

BY MAYA WHITNEY, with BROOKS TIGNER

BRUSSELS – Cyber defence experts and officials are still scratching their heads over the best way to provide cyber security than benefits both civil and military networks. This was in full display during the CyberSec conference here on 27 February, which brought together members of the European Parliament (MEPs), cyber defence experts and NATO officials to debate the role of cyber security in defence. First and foremost: how do/should the EU and NATO work together to prepare against a cyber attack?

Given today’s landscape of cyber and hybrid attacks, NATO now needs to “be able to defend its cyberspace the same way that it defends its air and land” domains, Sorin Ducaru, ambassador-at-large and former NATO assistant secretary general for cyber policy, told the conference.

For Thomas Goodman, director of the Raytheon’s international cyber business division, the focus should be simultaneously on resilience and protection, as it is not a matter of “who” but when. “Collaboration between NATO and EU underpins the notion that readiness is essential for all players, and we need a common understanding of what it means to be resilient.”

Resilience was a theme throughout Cybersec’s defence session: it was seen as the end-all goal for cyber protection – and for collaboration between the EU and NATO.

As most experts observe, attackers are typically two steps ahead of those doing the defending. Thus the ability to bounce back from attack with limited damages should be the goal, rather than staving off each and every kind of attack.

And the ambiguity of attacks means it is crucial that the re-uptake of information take place as fast as possible. The allies have been repelling cyber attacks for a long time, said Jamie Shea, NATO’s deputy assistant secretary general for Emerging Security Challenges, who pointed their first experience with threat during NATO’s intervention in Kosovo in 1999 when Serbian supporters hacked into NATO’s US website.

The cautionary resilience tale referenced throughout the conference was the Petya malware attack on Ukraine in June 2017, which took a mere 17 seconds to infiltrate the country’s critical infrastructure information networks, while recuperation demanded nearly six months. Resilience in that situation would have made the Ukrainian system come back a fraction of this time, observed Shea.

George Sharkov, cyber advisor to Bulgaria’s Ministry of Defence, said public private partnerships are the solution. These, he said, will “protect the ‘knowns’ rather than fighting the unknowns”. That view was echoed by Umas Paet, Estonian MEP and rapporteur of the Euro-Parliament’s report on cyber defence: “EU sites should be open for cooperation with the private sector; success is contingent on this.”

But what should cooperation between NATO and the EU look like?

First, emphasis should be on coordinated training and information sharing, using the EU’s cyber diplomacy toolbox and complemented by NATO’s capabilities, said Sharkov. Working together, the two organisations should create a crisis response playbook, leading to close coordination, though not necessarily a common response.

Diana Kelley, cybersecurity CTO for Microsoft, also urged greater cooperation between NATO and the EU’s law enforcement stakeholders to increase bi-directionality between the two organisations.

The biggest worry, she argued, is degraded or denied information in a combat situation. What happens if a group of soldiers is waiting for critical information or guidance via GPS and the information is tampered with or fragmented? According to Kelley, “the answer” is in cloud computing.

“The cloud can help but [this approach] needs to be careful as it can have multiple entries to information. We need to start thinking about what would happen if we had a complete failure of communication and would have to go back to basics.” For example, she pointed to the US Navy, whose new recruits are being taught navigation by classic celestial orientation in the event their information systems go down.

Pierre Chastanet, acting head of unit for Cloud and Software at the European Commission’s public communications department, argued that the cloud is the safest place for information storage and pointed to a new Commission proposal to create standards for clouds. The draft Cybersecurity Certification Framework would apply to all companies, including cloud providers, to ensure a common level of cyber security for all EU companies. Whether this would be enough to prevent a breach of information when using the cloud for military affairs, however, is another issue as the era of cyber and hybrid attacks deepens.

     THE UPSHOT: Resilience is easier said than done. And in the case of the military, how is a unit supposed to function if it suffers an information blackout or degraded information? A cyber attack could render an entire defensive operation inoperable just by simply altering or damaging the flow of battlefield information. For the military, “impervious” will be more critical than resilience. Until we can find a way to protect the most basic elements of our data and information, placing all of this the multiple-entry-point cloud may need to wait.

     mayawhitney308@gmail.com
     bt@securityeurope.info

Check Also

The EP pushes for international ban on the use of killer robots

By BROOKS TIGNER, with KYLE ATTAR
BRUSSELS – Members of the European Parliament (MEPs) are demanding a ban on weapons that have no “meaningful human control”.The resolution, passed overwhelmingly on 12 September by a majority of the MEPs (566)  is non-binding, however, on the 28 member states but is supported by Federica Mogherini, the EU’s policy chief for security and defence policy. She has already begun an international dialogue to try and bring the world into consensus as to the direction of autonomous warfare. The resolution notes that lethal autonomous weapons (LAWs) are machines without the ability or capacity to make human decisions and, as such, remote operators must take responsibility for life or death decisions. Much like drones, these weapons bring up strong ethical and moral dilemma regarding...