BY MAYA WHITNEY, with BROOKS TIGNER
BRUSSELS – Cyber defence experts and officials are still scratching their heads over the best way to provide cyber security than benefits both civil and military networks. This was in full display during the CyberSec conference here on 27 February, which brought together members of the European Parliament (MEPs), cyber defence experts and NATO officials to debate the role of cyber security in defence. First and foremost: how do/should the EU and NATO work together to prepare against a cyber attack?
Given today’s landscape of cyber and hybrid attacks, NATO now needs to “be able to defend its cyberspace the same way that it defends its air and land” domains, Sorin Ducaru, ambassador-at-large and former NATO assistant secretary general for cyber policy, told the conference.
For Thomas Goodman, director of the Raytheon’s international cyber business division, the focus should be simultaneously on resilience and protection, as it is not a matter of “who” but when. “Collaboration between NATO and EU underpins the notion that readiness is essential for all players, and we need a common understanding of what it means to be resilient.”
Resilience was a theme throughout Cybersec’s defence session: it was seen as the end-all goal for cyber protection – and for collaboration between the EU and NATO.
As most experts observe, attackers are typically two steps ahead of those doing the defending. Thus the ability to bounce back from attack with limited damages should be the goal, rather than staving off each and every kind of attack.
And the ambiguity of attacks means it is crucial that the re-uptake of information take place as fast as possible. The allies have been repelling cyber attacks for a long time, said Jamie Shea, NATO’s deputy assistant secretary general for Emerging Security Challenges, who pointed their first experience with threat during NATO’s intervention in Kosovo in 1999 when Serbian supporters hacked into NATO’s US website.
The cautionary resilience tale referenced throughout the conference was the Petya malware attack on Ukraine in June 2017, which took a mere 17 seconds to infiltrate the country’s critical infrastructure information networks, while recuperation demanded nearly six months. Resilience in that situation would have made the Ukrainian system come back a fraction of this time, observed Shea.
George Sharkov, cyber advisor to Bulgaria’s Ministry of Defence, said public private partnerships are the solution. These, he said, will “protect the ‘knowns’ rather than fighting the unknowns”. That view was echoed by Umas Paet, Estonian MEP and rapporteur of the Euro-Parliament’s report on cyber defence: “EU sites should be open for cooperation with the private sector; success is contingent on this.”
But what should cooperation between NATO and the EU look like?
First, emphasis should be on coordinated training and information sharing, using the EU’s cyber diplomacy toolbox and complemented by NATO’s capabilities, said Sharkov. Working together, the two organisations should create a crisis response playbook, leading to close coordination, though not necessarily a common response.
Diana Kelley, cybersecurity CTO for Microsoft, also urged greater cooperation between NATO and the EU’s law enforcement stakeholders to increase bi-directionality between the two organisations.
The biggest worry, she argued, is degraded or denied information in a combat situation. What happens if a group of soldiers is waiting for critical information or guidance via GPS and the information is tampered with or fragmented? According to Kelley, “the answer” is in cloud computing.
“The cloud can help but [this approach] needs to be careful as it can have multiple entries to information. We need to start thinking about what would happen if we had a complete failure of communication and would have to go back to basics.” For example, she pointed to the US Navy, whose new recruits are being taught navigation by classic celestial orientation in the event their information systems go down.
Pierre Chastanet, acting head of unit for Cloud and Software at the European Commission’s public communications department, argued that the cloud is the safest place for information storage and pointed to a new Commission proposal to create standards for clouds. The draft Cybersecurity Certification Framework would apply to all companies, including cloud providers, to ensure a common level of cyber security for all EU companies. Whether this would be enough to prevent a breach of information when using the cloud for military affairs, however, is another issue as the era of cyber and hybrid attacks deepens.