A cyberattack shut down some of Europe’s biggest airports last month – including London Heathrow, Berlin Brandenburg, and Brussels – stranding thousands of passengers as hackers held online data for ransom. The target, Collins Aerospace, builds check-in systems for airlines, but it had also recently scored a contract to help NATO wage electronic warfare.
It was yet another in a series of high-profile cyber incursions in Europe. A few months earlier, hackers opened a Norwegian dam’s floodgates by exploiting a weak password – a mixture of real-life and cyber sabotage that authorities attributed to Russia.
Such cyberstrikes are on the rise, warns a report this month by the European Union’s Agency for Cybersecurity, and they are often carried out by China and Russia to “erode the resiliency” of Western nations.
Why We Wrote This
As China and Russia try to weaken NATO nations through cyberattacks, the alliance is responding with plans for better coordination – including for counterattack.
NATO, as a result, is beefing up its cyberdefenses and is getting better at tracking online intruders, compiling databases of hacks that experts liken to fingerprints. Internally, alliance members are also wrestling with questions at the heart of deterrence. These include strategizing about when to play defense and when to go on offense. NATO member states are also debating what sort of cyberattacks merit real-world military retaliation.
Offensive cyberwarfare is not a topic traditionally discussed openly among NATO officials. But like the online landscape itself, this is rapidly changing.
“Sometimes, an attack is the best defense,” says Lt. Col. Christoph Kühn, the chief of staff at NATO’s Cooperative Cyber Defense Center of Excellence here in Estonia’s capital, once a major medieval trade center and now a culture and technology hub.
As officials here on the digital front lines grow accustomed to repelling increasingly sophisticated waves of cyberattacks, they are more willing, analysts say, to discuss the benefits of rooting around in adversaries’ systems.
“You can train teams to defend when under attack. You can also – and we have to be able to talk about it – train offensive teams,” says Lauri Almann, former permanent secretary of the Estonian Defense Ministry. “Passive defense [alone] is not an option.”
There is also a psychological aspect to it: Playing offense, Mr. Almann adds, helps officials understand the mindset of cyber adversaries.
Yet, as some NATO members develop more offensive-style cyber capabilities, the alliance is grappling with how these moves, which might bolster the security of the whole, could also compromise hard-won cybersecrets of individual member states by inadvertently revealing capabilities or showing key cards in the cyberdefense hands of other states as well.
“It’s a very complicated kind of dance,” says Hans Horan, a strategic analyst at the Hague Center for Strategic Studies who specializes in cyberthreat intelligence and security. “How do you engage in a cyberattack while ensuring that the priorities of the individual nation-states aren’t compromised in the process?”
On the forefront of cyberdefense
NATO was not particularly interested in improving its cyber offenses, or defenses for that matter, back in 2004.
That was the year Estonia joined NATO. It was also the year that officials in Tallinn, warily eyeing the Kremlin, suggested the alliance set up a special center to study cyberwarfare.
The idea was promptly rejected by NATO officials at the time.
But officials in Tallinn forged ahead, and the city built its own research arm. “It was one of the best decisions” his country of just 1.3 million people – a population the size of Dallas – has ever made, says Mr. Almann.
In 2007, Estonia became the first NATO member to be the victim of a massive cyberattack targeting a country, widely considered one of the first major examples of cyberwarfare. The attacks were attributed to pro-Russian groups responding to the Estonian government’s decision to relocate a Soviet-era war memorial, the “Bronze Soldier,” a sore point for Estonia and Russia. The attack went on for weeks. But Estonia fought back, thanks in part to the war-gaming exercises it had been conducting.
After that, Estonian officials convinced NATO to set up the cyber center they had proposed three years earlier.
Since then, Mr. Almann has applied what he learned at the Defense Ministry to launch a company, CybExer, that builds online practice ranges. Clients, including European government agencies and airport executives, pay to “practice” responding to artificial cyberattacks.
Behind him, a simulated map of London lights up on a cyber range as cell towers stop working and electrical grids collapse.
The war-gaming scenarios here are varied: A plane refueling pump at an airport gate won’t stop, and in a matter of minutes, a runway could be filled with gasoline. In another, the cooling system of an internet server farm is hacked, causing a fire – echoing an event that actually happened in Estonia.
Even officials who might not be steeped in computer know-how can wrestle with big-picture problems, Mr. Almann says. “In cyber security, not all questions are technical.” They might involve everything from which system shutdowns society will demand be addressed first to whether to pay a ransom demand.
Similarly, just down the road at NATO’s Cyber Center, there are war-gaming exercises in which participants are not simply trying to eject intruders and erect firewalls, but also practicing the critical art of strategic decision-making, Lieutenant Colonel Kühn says.
During a single exercise, some 8,000 virtual systems might be subjected to 8,000 simulated cyberattacks from criminal gangs, state-sponsored actors, or the states themselves. It is a chance for participants to practice responses, he adds. “Are they going to say, ‘You have attacked us, so we’re attacking you?’ That is strategic thinking, and we try to train this.”
Offense, defense, or survival?
Within the cyber realm, there are NATO members that are primarily defensive-minded and others more inclined to attack. Regardless, some have recently decided they now have little choice but to go on the offensive, Lieutenant Colonel Kühn says.
These counterattacks are typically not the sort of good-guy sabotage that plays out in spy films. Instead, they most likely involve reconnaissance operations, or lurking, in adversaries’ systems. Anything that involves crossing from a state’s own system into the system of another state is considered an offensive operation.
NATO, as an alliance, has no offensive cyber capabilities of its own, so part of the NATO cyber center’s role in Tallinn is to help countries develop policies on that front.
“We give the right and left border, and it’s the governments’ [job] to decide” their own strategies and policies, Lieutenant Colonel Kühn says.
The challenge is, however, that this every-nation-for-itself framework can create a disjointed approach to cyber challenges within the alliance, says Mr. Horan of the Hague Center.
Some members, for example, prefer not to share secrets with countries that they believe don’t take cybersecurity seriously. For example, when Spain signed a contract with the Chinese corporation Huawei to provide components for its 5G infrastructure, it caused “quite a big kerfuffle” within NATO, Mr. Horan adds, about whether countries should continue trading intelligence with Madrid.
“We don’t share as much evidence as we should,” acknowledges Tõnis Saar, the director of NATO’s Cooperative Cyber Defense Center of Excellence. “That’s definitely one thing which we should practice more.”
But there is progress on other fronts, analysts say. NATO countries are gradually getting better at attributing cyberattacks as they build databases that track different hacker styles.
Lieutenant Colonel Kühn uses the example of fingerprints that are indexed in crime labs. When they first started being used, “you didn’t have a lot of examples,” he says. “Now, we are getting more and more.”
Still, the improvement is what he describes as “a small amount better. Not, like, hugely better.”
At the same time, the question remains of how NATO should respond once it identifies the culprit in a hack. The problem with retaliation is that it often reveals adversaries’ vulnerabilities that attacking countries would rather keep secret until they absolutely must use them.
There has also been debate about invoking Article 5, the pledge of NATO members make to treat an attack on one member as an attack on all.
When the Geneva Conventions were created, no one was thinking about whether a computer virus should be considered a weapon or an attack that could result in retaliation, Lieutenant Colonel Kühn says. “And it’s not quite clear yet.”
At the same time, cyberattacks are “much, much more sophisticated” than they were back in 2007, Mr. Almann says, when Russia laid online siege to the Estonian government.
There should not be “any automaticity” to invoking Article 5, though there could come a time when these attacks warrant it, he adds, if they usher in “consequences and the kind of damage that we haven’t seen yet.”
