competences. The ever-changing threat

Transcription

1 This paper is part of the Transatlantic Policy Briefs series published by the Slovak Atlantic Commission (SAC) and its thinktank, the Central European Policy Institute (CEPI). The briefs bring together experts from Central Europe to propose solutions to the most pressing issues on the transatlantic security agenda. SAC and CEPI are grateful to NATO s Public Diplomacy Division for their financial support. The Central European Policy Institute is a new regional thinktank established in Bratislava in 2012 by the Slovak Atlantic Commission. It links the top research institutions and experts from across Central Europe. CEPI is devoted to improving the quality of the region s contributions to the EU and NATO debates on the main challenges of today. We believe that Central Europe should take on more responsibility in the EU and NATO for issues ranging from the economic crisis to energy and security. The alliance has agreed to strengthen its defences against cyber-attacks. Member-states are centralising control over the security of NATO s internet systems, and creating rapid response teams to help allies in case of future cyber-attacks. The steps have yet to be fully implemented but in theory they make good sense. The rapid response teams in particular could become very important; many of the smaller allies will welcome additional help against cyberthreats. To improve their defences further, NATO countries should agree under what circumstances, if any, they envision threatening or using conventional military force in response to cyber-attacks, and whether such strikes should trigger the alliance s Article V clause, which obligates all allies to respond to an attack on one. NATO had suffered its first publicised cyber-attacks in 1999, when hackers blocked access to the organisation s websites and e- mail servers to protest the air strikes against Serbia. The alliance vowed to be better prepared next time, yet in 2007 it failed to prevent attackers from shutting down virtually all of Estonia s internetbased services for several days. Even though the most powerful military organisation in the world had had eight years to prepare, it could do little to assist its memberstate. Worse, neither its security strategy nor its military doctrine had anticipated such an attack the alliance s very understanding of the gravity of the problem was out of date. In its 2010 Strategic Concept, NATO set out to make things right by expanding its capacity in cyber-security. In the most significant development since, the member-states agreed a revised policy on cyber-defence in July Although it is too early to assess if the policy works (it has not yet been completely implemented), the alliance seems to have at last made cybersecurity one of its core competences. The ever-changing threat An analysis of the effectiveness of NATO s cyber-defences must begin with a definition of the problem. Estonia-type cyberattacks the so-called distributed-denial-of-service attacks (DDoS), which shut down servers by overloading it with

2 requests for a service are actually just one out of many threats, and probably not the most serious one. Their real impact on Estonia was limited to preventing users from remotely accessing some services such as banking. This was unnerving, but the same services remained available locally (by going to bank branches, for example). Even more importantly, no unauthorised leaks of data occurred, no data was destroyed or modified, and no false data was injected into the systems. The attack did not undermine overall trust in the attacked systems banks, the government and other. Cyber-attacks of the future will be far more damaging. They will aim to compromise the data or system itself, and thus undermine the users faith not only in the reliability of internet access but also in the services provided via the internet. This could affect vital services such as banking or tax administration. The exact forms could vary from unauthorised destruction or modification of data and injection of false data to targeted modifications of software used to process and present data. These sorts of attacks, rather than DDoS, are the top cyber-security threat of today. A recent strike at US government and defence contractors provides a warning example. Unable to reach their target directly, the attackers have allegedly used a technique called watering hole : they broke into some legitimate websites, likely to be visited by users from the targeted agencies, and dropped pieces of malware there. If a predefined user, who the malware recognised as an official or contractor, visited the website, his or her machine was infected by yet another programme. This latter malware not only granted the attackers direct access to the users computers, but also compromised their trust in the service from which the infection had originated. Although the web site in question was safe for a number of regular users, it constituted a threat for a specified group of them. i Cyber-attacks aimed at public key infrastructure which creates and manages digital certificates would do yet more damage to public trust. Issued by special authorities, certificates are used to verify authenticity of the communicating partner for example authenticity of a website and thereby establish elementary confidence in the internet. There are hundreds of certificate authorities, trusted by default by web browsers and operating systems around the world. When one of them is successfully attacked, as was the case of the Dutch DigiNotar in July 2011, attackers can obtain hundreds of rogue digital certificates, and use them to impersonate high-profile domains. Since certificates are used worldwide by standardised software (such as internet browsers), the number of affected users could reach into hundreds of millions. A particular way of undermining trust in systems and their operators lies in disseminating sensitive or false information. A good illustration is the December 2011 attack on the servers of Stratfor, a corporate intelligence company. The attackers posted complete credit card records of its subscribers and over 28,000 addresses of its high-profile collaborators, dealing the credibility of the company a serious blow. ii Another form of information-manipulating attack makes use of social networks such as Facebook, LinkedIn or MySpace. In one such recent case, a fictional person, Robin Sage, created on popular portals, won the trust of many in the U.S. military, and various agencies in just a month. She was invited to conferences, asked to review sensitive documents and offered jobs. iii Increasingly, single cyber-attacks are only one element in a bigger plan, aiming for instance to gain access to highly classified data. A recent strike on RSA, a company selling cyber-security hardware to various US agencies, is a good example. Allegedly, the attackers who penetrated its systems were seeking sensitive information on some feature of RSA-made devices, which would have allowed them to gain unauthorised access to other systems protected by this particular hardware. One relatively limited cyber-attack would thus have opened floodgates to a much broader and dangerous one. Perhaps the most damaging form of informationdistorting attack is a potential Wikileaks-like massive release of sensitive data, intentionally mixed with false information. Carefully designed to affect credibility of selected political or military leaders, if could stir popular anger and undermine

3 governments; such false information could be a powerful weapon against both states and individuals. Growing complexity and cost of such attacks suggest that the actors responsible for them are states rather than individuals or groups of criminals. The key indication here is costeffectiveness: complex attacks require not only technical expertise but also money, time and organisational skills. They do not bring quick results, and therefore hold less appeal for individual hackers or criminal groups (who can organise a lucrative online fraud for less money and in less time). However, for states, and particularly for special services, prolonged and complex actions are the usual way of gaining information advantage over their foes. The most visible example of such complicated, costly attack is the infamous Stuxnet worm, which appears to have caused many Iranian centrifuges used to enrich uranium to spin out of control and destroy themselves. Stuxnet was expensive to assemble, required considerable inside information to be deployed successfully, and yielded no monetary benefit, which strongly suggests government involvement (the New Yorker magazine has linked it to US and Israeli intelligence agencies). iv By all appearances, governments are quickly displacing individual hackers and criminal groups as the possessors of the most superior cyber-attacking capability, even if they often act through proxies to avoid identification. Is NATO ready for this new, rough cyberworld? The alliance s new cyber-defence policy envisions a two-pronged approach for NATO: first, to protect its own assets in cyber-space, and second, to assist member-states in responding to cyber-attacks and improving resilience of their national networks, both civilian and military. With regard to the first task, the key element of the updated policy is centralisation. Until recently, responsibility for the protection of NATO s electronic systems was fragmented. No single body oversaw the safety of the various civilian and military systems of the many NATO agencies and its missions abroad. No unified security standard existed, nor the capacity to monitor the standard s observance or to gather data about incidents and specific threats. This is changing with the creation of a single body co-ordinating cyber-defence: NATO Cyber Defence Management Board (CDMB), comprising of those representatives of different NATO structures, who are responsible for cyber security. Further, NATO established a Computer Incident Response Capability (NCIRC) to act as an in-house emergency response team. It has been tasked with evaluating security of NATO s networks and disseminating information on incidents and threats to individual systems administrators. Most importantly, it will provide expertise and technical services in case of attacks against NATO s networks. NCIRC experts are meant to help system administrators to block attacks, limit the damage and repair software errors (so-called vulnerabilities), which make attacks possible. Centralisation of responsibility for protecting NATO s own networks is a step in the right direction. The alternative that each NATO agency, command or division polices its own networks and sets its own standards for safety is far inferior. Overtime, the NCIRC could become the central depository of NATO s knowledge in cyber security. It will be the only body with the overall sense of the level and types of threats to NATO networks. And if it does its job well, it will have acquired technical expertise in cyberdefence and cyber-threats unrivalled within NATO, as well as a network of contacts with the allies Computer Emergency Response Teams (CERTs, which the countries have established to act in cases of attack on national networks). With regard to NATO s second key task assistance to allies the alliance aims to do three things: create and enforce a security standard for those national cyber-systems, which are vital for the effective functioning of the whole alliance; create a mechanism to exchange information about incidents and newly identified threats; and, finally, establish Rapid Reaction Teams (RRTs) to be dispatched to a member-state asking for assistance in case of cyber-attacks. v The RRTs will presumably reinforce national CERTs of the NATO member-states and of other institutions tasked to

4 protect cyber-space, such as police or special services. This approach is in keeping with the alliance s overall defence philosophy: while the member-states are required to operate capabilities sufficient for their strategic needs, the alliance guarantees that their national forces will be reinforced in times of a conflict. NATO does not assume responsibility for protecting national networks, neither civilian nor military (an option suggested by some after Estonia case), but it acts as a provider of expertise and technical assistance. The member-assistance element of the alliance s cyber-defence policy is likely to become the most visible part of its effort in cyber-security. The smaller countries in particular will be keen to make use of it; they tend to have a harder time building national CERTs manned with a sufficient number of highly qualified and skilled professionals (though, as Estonia s case proves, even smaller NATO countries can become a powerhouse in cyber-security, providing they concentrate enough resources on the task). For those countries the alliance s reinforcements may play a crucial role in containing cyber-attacks, particularly a large-scale action against a number of networks. But countries that have large cyber-security programmes are likely to benefit too, because NCIRC could become a source of additional expertise and data to them. Finally, the RRTs will have important symbolic value: their deployment in times of crises will send a signal of allied solidarity with the afflicted state. As such, the RRTs may come to play a role similar to some traditional high-demand military assets such as the Dutch or German Patriot missile defence batteries, which are deployed from time to time to countries that worry about missile threats to their territories. In another sign of how central cyber-defences have become to warfighting, the allies have tasked the North Atlantic Council, NATO s highest decision-making body, with responsibility for overseeing the overall NATO cyber-defense policy. Just as importantly, NATO s defence planners will now include cyber-capabilities in the process of reviewing, planning and developing NATO s overall force structure, along with traditional military assets. This means that allies will be expected to produce a certain minimum level of national cyber-defence capability, with defence planners from NATO headquarters monitoring whether countries are fulfilling their commitments. As their next step, the allies should agree whether and which kinds of cyber-incidents count as Article V events, meaning that they ought to trigger an automatic collective response from NATO. Cyber-attacks have become so sophisticated and potentially devastating that allies now think of them as an existential threat. And if NATO were to limit itself to disseminating information, exchanging best practices, raising threat awareness or creating cyber-security standards, it would fail at its primary mission: to reassure the allies that they will not be abandoned both politically and operationally in case of some of the most dangerous attacks imaginable. Clearly, not every cyber-attack will qualify as Article V. But those that deliberately cause accidents in large industrial facilities (such as nuclear power plants, or chemical factories) or severely damage the country s banking system may need to be given consideration, along with other cyber-threats with comparable impact. Instead of conclusions At least three more cyber-tasks lie ahead of the allies. On the more technical end of the scale, NATO should develop a coherent terminology for defining cyber-concepts. The alliance has no agreed definition of cyber-security, and over the last few years, its documents have used terms such as cyber-security, cyber-terrorism, cyberwarfare, cyber-defence, cyber-crime, cyberattacks, cyber-threats nearly interchangeably. The confusion of terms makes it difficult to build a solid policy against cyber-threats. NATO ought to use its dedicated Co-operative Cyber Defence Centre of Excellence in Tallinn to clarify the terminology, thus making it easier for allies to understand each other and co-operate. The second task is more political. The allies ought to explore whether NATO should resort to traditional diplomacy and military force in response to cyber-attacks. NATO s present strategy is, essentially, deterrence by denial : it assumes that potential attackers will not care to

5 hit NATO, because they know that the alliance will be well defended, and that their actions will have limited effect. While this approach may work against individual hackers or even groups, it is less likely to deter state-sponsored attackers, who tend to be far more technically savvy, and thus readier to overwhelm NATO s cyber-defences. If technicians fail to contain cyber-attacks, it will be a responsibility of politicians or even militaries to make opponents stop. In many cases, NATO will not know who is responsible: on the internet, attackers can obscure their identity far more effectively than in the real world. But if the offending party is proven to be a foreign government, and should military force be the only remaining tool of stopping it, NATO countries should not be improvising; they ought to think through the scenarios and their likely responses before they become a reality. Cyber-defence and cyber-warfare should become part of NATO military doctrine. This, as noted earlier, requires that allies also clarify what kinds of cyber-attacks qualify as Article V incidents. However, NATO s emphasis should be on yet another, third task: making success of its new cyber-policy. The overall approach is sound but it needs to be implemented well, and adapt to changing needs. For example, attacks on mobile devices formerly a minor nuisance are becoming a primary way of stealing sensitive corporate (and governmental) data. NATO needs to produce a set of benchmarks to gauge whether its policy keeps pace with changing threats. The alliance has at last recognised that the attacks on Estonia or the 1999 cyber-strikes on its networks were not isolated incidents but signs of things to come. It now needs to demonstrate that it is not only aware of the gravity of the threat but also ready to defend against it. i For more see Espionage Hackers Target Watering Hole Sites, September 25th 2012, ii R. Stiennon, Fallout from the Christmas Hack of Stratfor, December 28th 2011, iii D. Batty, US security chiefs tricked in social networking experiment, July 24th 2010, guardian.co.uk iv For more see Bruce Schneier, Stuxnet, October 7th 2010, v J. Healey, L. van Bochoven, NATO s Cyber Capabilities: Yesterday, Today, and Tomorrow, Atlantic Council Issue Brief, February 27th Marcin Terlikowski is analyst at the Polish Institute of International Affairs. Jozef Vyskoč is associate fellow at the Central European Policy Institute, information security specialist and auditor of VaF consulting company. Disclaimer: The views and opinions expressed herein are those of the authors and do not necessarily reflect those of their employers or of the publisher. Slovak Atlantic Commission, 2013 This publication has been co-financed by the NATO Public Diplomacy Division.