NATO's Cyber Strategies and Wireless Warfare in the Information Age
By Alexandru Moldovan

Our daily routines are becoming increasingly dependent on
advancements in information technology. Virtual reality already influences
major aspects of our lives, such as the economy, health and education, and it
seems that it will not be long until it expands its influence into our
personal and national security. In recent years, we've witnessed a major
increase in cyber attacks, which has forced governments to make space on
their agendas to ensure the security of their public and private cyber
networks.
The first documented cyber war was fought during the Kosovo War. Between
March 24, 1999 and June 10, 1999, Operation Allied Force, a conventional
military operation, was conducted by NATO on the territory of Yugoslavia in
order to stop the human rights abuses in Kosovo. During NATO's military
operations against Serbia, numerous pro-Serbian hacker groups attacked
NATO Internet infrastructure. Pro-Serbian hacker groups were aided in their
goal of disrupting NATO's war-fighting capabilities by Russian hackers and
Chinese hackers. One of their victims was NATO's public affairs website for
the war in Kosovo. Containing briefings and news, the website was
inoperable for several days due to Distributed Denial of Service attacks.
Another attack was on NATO's server, which was shut down for a short period
by denial-of-service attacks against it.
As a result of this experience, small but consistent steps were taken by NATO
in the direction of strengthening its digital defence, starting with the
establishment of the Cyber Defence Programme in 2002. The latest
confirmation of the continuous efforts of the Alliance to strengthen its cyber
security capabilities came at the NATO Summit 2014 in Wales, United
Kingdom. The Wales Summit Declaration contains explicit references to the
increased importance that NATO gives to the cyber security domain,
together with concrete steps and plans for the future.
The Tallinn Manual, an international cyber law research and education
standard, defines a cyber attack as "a cyber operation, whether offensive or
defensive, that is reasonably expected to cause injury or death to persons or
damage or destruction to objects." Reinforcing the major damage that a
cyber attack can lead to, article 72 of the Wales Summit talks states that:
"Their impact [ed. cyber-attacks] could be as harmful to modern societies as
a conventional attack. We affirm therefore that cyber defence is part of
NATO's core task of collective defence."
As the defense ministers of the Alliance member states confirmed, NATO
would rather maintain ambiguity about responding to cyber attacks. It also
seems very unlikely that the North Atlantic Council would invoke
collective defense unless there were significant damage and deaths,
equivalent to a kinetic military attack. Further work is needed, as
Allies need to clarify which potential cyber scenarios they would consider to
cross the Article 5 threshold, specifying at the same time the duties that
individual members have in the case of a cyber attack.
Even though the moment when a cyber attack will lead to significant loss of
human lives may seem a distant future, it is becoming clearer that the danger
must not be treated lightly. As Professor Michael Schmitt, the Tallinn Manual's
editor, stated, "I think just as a century ago we were trying to understand
how aviation would impact the laws of war, today we are in great need of
sorting through these issues in the cyber world today".
The following article will start by shedding light upon the strategic
importance of having a cyber strategy in place, continue with the historical
developments that led to NATO's recent concerns, and at the
same time identify inherent flaws caused by the particularities of this
newly conquered frontier: the digital world.

Strategic importance of cyber strategies in modern warfare


In order to face the new emerging threats caused by the aggressive
behaviour of Russia towards the Baltic States, in February 2015 the
government of Lithuania decided to reintroduce compulsory military
service. Despite this measure, new threats were signalled by the President of
Lithuania, Dalia Grybauskaite, in a public intervention in March 2015: "The
first stage of confrontation is taking place - I mean informational war,
propaganda and cyber attacks. So we are already under attack."
Far from being singular, this type of unconventional attack was also recorded
in the 2008 Russo-Georgian War and in the 2007 hacker attacks on
official state and bank websites in Estonia. Needless to say, the latter
attack was attributed to groups of Russian hackers, even though the Russian
authorities denied any involvement.
According to James Sherr of Britain's Royal Institute of International Affairs,
this new type of conflict, called "hybrid warfare", is designed to cripple a state
before that state even realizes the conflict has begun. Elaborating on the topic,
Sherr says of hybrid warfare: "It's a model of warfare designed to slip under
NATO's threshold of perception and reaction." As General Alexander
Vershbow has called it, we are facing a new facet of the ancient Trojan Horse
tactic.
As the use of cyber attacks intensifies, we need to look into the details of what
constitutes a cyber attack and how NATO and its allies can use their
experience to ensure that an incident like this will never catch the
Alliance on the wrong foot.
Expanding the Tallinn Manual Process definition of cyber attacks, Wittaker
defines cyber attacks as coordinated actions taken against a state's public
institutions, digital infrastructure as well as its critical infrastructure through
cyber space. Since there is no clear terminology that can be used to define
cyber warfare, a range of different theoretical frameworks try to explain
this universe. A first classification is made by Wittaker, who differentiates
between cyber attacks and cyber crimes. While cyber crimes are directed
against individuals and companies, cyber attacks target public
institutions and infrastructure.
A more in-depth classification is made by Schreier, who distinguishes
between cyber vandalism or cyber hacktivism, cyber crime or internet
crime, and cyber espionage. The most dangerous one for governments is
cyber crime, which usually affects the banking sector, financial institutions,
and the corporate sector. Government networks which hold classified data
are also affected, but less often.
Cyber attacks can be classified as a form of international terrorism and, as a
consequence, there is a need for a coordinated international approach in
order to address such threats. What makes cyber attacks
particularly dangerous is the difficulty of
identifying their origin, nature and impact. In cyber
space it is a lot easier for cyber criminals to hide their origin, as attacks can
be launched from anywhere in the world. In these conditions, most of the
time retaliation becomes problematic because of the difficulty of identifying
the attacker and its intentions. The nature of the attack is also hard to define
as attacks become more and more sophisticated. Taking into consideration the
elaborate schemes of attack that are now developed by attackers,
calculating the damage inflicted on the victim can become an intricate
endeavour.
The most common cyber threats, which are applicable to various information
systems like transportation systems, telecommunication systems, power
systems and industrial equipment, are: authentication violations, Trojan
horses and viruses, malware, spyware and phishing, sabotage, fraud,
insecure passwords, denial of service (DoS) and more modern threats like
the Internet of Things. For these general threats a number of solutions
have been found, such as antivirus software and firewalls, cryptography, risk
analysis and biometrics, but we need to keep in mind that every system has its
own hardware and software particularities that attackers can exploit.
In order to respond to cyber crimes, cyber security measures need to be put
in place to secure the safety of the data flow in the global network
system, the protection of databases, of transactions, of access to critical
information, the protection of the integrity of the national infrastructures,
such as the telecommunications and power sectors, the protection of
personal information of individuals, the protection of cyber infrastructure
with all its components etc., as Hansen and Nissenbaum underline in their
analysis. Hence, cyber security should be seen as an enabler that secures
our digital way of life, and everybody should be responsible for their private
security and not treat this duty as a burden.
Further on, we will examine how NATO comes into play in this new cyber
space and take a closer look at the historical evolution of the NATO
bodies responsible for cyber defence. We will also address the issue of
redefining what constitutes an armed attack and how NATO is prepared to
react in the case of cyber warfare.

Historical development of NATO's approach to cyber security

The hybrid war gave cyber warriors and hackers the opportunity to make
use of their capabilities. Although many of their actions are condemnable,
the end justifies the means in times of war, as hackers see it. On the other
hand, NATO has to deal with the problematic situation of how to position its
cyber capabilities in the Alliance's global strategy.
Anders Fogh Rasmussen, former NATO Secretary General, stated in June
2014 that the approach to cyber security that NATO has in place focuses on
the principle of collective defence, while leaving room for further
improvement when it comes to the details of the strategy. Presenting
the results of the talk in Brussels with the American officials, Rasmussen said: "Our
mandate is pure cyber defense," and "Our declaration is a start," he said,
"but I cannot tell you it is a complete strategy."
Before the Wales Summit in September 2014, according to Limnell, NATO
had to face three key challenges: integration of cyber capabilities, an Article 5
update and better coordination of national capabilities. Of these
challenges the biggest one was "[...] to integrate cyber into a broader
strategic and operational concept, both in defence and offence." This
observation is in line with the one made by Rasmussen, who acknowledged that a
global strategy is still under development.
What led to the existing state of affairs is a series of events that continuously
shaped NATO's capabilities for fighting cyber crimes. In chronological order,
the concept of cyber security made its way onto NATO's
agenda for the first time after the hacking incidents in the late 1990s that occurred during
the Kosovo War and consequently led to the start of NATO's Cyber Defence
Programme. After the 2002 Prague Summit, initiatives were taken to
establish the NATO Computer Incident Response Capability (NCIRC). With the
New Strategic Concept developed by NATO in November 2010 at the Lisbon
Summit, a cyber security objective was clearly formulated in the Summit's
report. Enhancing the ability to prevent, detect, defend against and recover
from cyber-attacks, [...] and coordinate national cyber defence capabilities,
bringing all NATO bodies under centralized cyber protection, and better
integrating NATO cyber awareness, warning and response with member
nations were the guidelines followed by NATO in the coming period. In 2011
a revised NATO Policy on Cyber Defence was approved, and by the end of 2012
a NATO Computer Incident Response Capability (NCIRC) was already in place,
an organisation now under the NATO Communications and Information Agency
(NCI Agency) that monitors the IT infrastructure and responds to cyber
threats and attacks. Other important milestones for the organization are the
creation of the NATO Co-operative Cyber Defence Centre of Excellence
(CCDCOE) in Tallinn, Estonia and the establishment of the NATO Cyber-Defence
Management Authority (CDMA) in 2008.
At this point it is important to underline that NATO's cyber defense work is
purely defensive. NATO's members are still responsible for developing their
own national cyber defence capabilities and at the same time they must
protect their own networks. At this level, NATO's role is to share expertise
and information, promote coordination and cooperation and facilitate
the development of national capabilities.

Admittedly, the principle of collective defence and the enshrined Article 5
still apply in the case of cyber attacks. As a consequence, the question that
can be asked is: "Would NATO go to war over a cyber attack invocation of
Article 5?" To elucidate this matter, a decision as to when a cyber attack
would lead to the invocation of Article 5 would be taken by the North Atlantic
Council as a political decision on a case-by-case basis.
Another relevant aspect for the cyber security topic is that the new cyber
policy has given clarity to the process the Alliance will use to invoke
collective defense while maintaining ambiguity about specific thresholds, as
the Alliance's ministers of defense stressed. To reconstruct the
process: first, the incident is analyzed at the technical level. If the incident has
political implications, it is escalated from the NCIRC to the Cyber
Defence Management Board and the Defense Policy and Planning Committee,
through to the North Atlantic Council, the principal political decision-making
body of the North Atlantic Treaty Organization.
At the moment, it is very unlikely that the North Atlantic Council would
invoke collective defense unless there were significant damage and deaths,
equivalent to kinetic military force. The criteria for determining whether an
attack should be viewed as an "armed attack" are not very clear, but
several indications can be traced through the literature.
Jeffrey Carr, cyber security analyst and expert, suggests six criteria for
determining whether an attack should be viewed as an "armed attack."
These criteria are: severity, immediacy, directness, invasiveness,
measurability and presumptive legitimacy. We can therefore treat a cyber
attack as an armed attack if it produces great damage over a long duration
and with multiple effects, while crossing multiple physical or digital borders
and having an illegal nature. It is necessary that the victims can quantify its
harmful effects in order for the cyber attack to be considered an armed attack.

Future development possibilities in the area of cyber security

By analyzing the private sector we can reveal the positive impact that
international standards for information security like ISO/IEC 27001 and 27002
can have. Thanks to the best-practice recommendations that are included in
these standards, it becomes easier to manage your security efforts. A future
development could be the adaptation of such a standard by NATO.
Another aspect that needs to be taken into consideration is the lack of
transparency from the Alliance members when it comes to the offensive
cyber capabilities that they have at their disposal. Coupled with the lack of
any cyber offensive plans made by NATO, this impediment can sever
the attacking capabilities of the Alliance.
Another area that can be improved is the legislation. NATO is by definition a
bureaucratic organization and any gap in the legislation is potentially
dangerous for the proper functioning of the organization. A good starting
point for improvement would be a better definition of the concept of "armed
attack" in the context of cyber conflicts.
Further developments could be an increased number of common exercises, a
strengthening of the partnership with the private sector or an increased
budget for research and development.

Conclusion

NATO's cyber capabilities have evolved continuously since the Kosovo War.
While the current tactics reflect defensive thinking, we cannot talk at the
moment about a complete cyber security strategy at the Alliance level.
Nevertheless, NATO made some important steps by acknowledging the role
of cyber security, founding NCIRC and similar dedicated institutions and
setting up a clear chain of command in case of cyber attacks.
However, room for improvement still exists. There is a need for revised
legislation, as in the case of Article 5, more transparent
communication between members, and international standards for
information security. By solving all these matters, the process of integrating a
standalone cyber strategy into the context of the Alliance's global military
strategy will be much easier.
