Last month, a cyber attack shut down some of Europe's biggest airports, including London Heathrow, Berlin Brandenburg and Brussels, leaving thousands of passengers stranded as hackers held online data for ransom. The target, Collins Aerospace, builds check-in systems for airlines, but it also recently won a contract to help NATO conduct electronic warfare.
It was another in a series of high-profile cyberattacks in Europe. A few months earlier, hackers opened the floodgates of a Norwegian dam using a weak password – a mixture of real and cyber sabotage that authorities attributed to Russia.
Such cyberattacks are on the rise, the European Union Cybersecurity Agency warned in a report published this month, and are often carried out by China and Russia to “undermine the resilience” of Western countries.
Why we wrote this
As China and Russia try to weaken NATO countries through cyberattacks, the alliance is responding with plans to improve coordination, including on counterattacks.
As a result, NATO is strengthening its cyber defenses and getting better at tracking online attackers, compiling databases of hackers that experts compare to fingerprints. At home, alliance members are also grappling with the issues underlying deterrence. This includes strategizing about when to play defense and when to go on offense. NATO member states are also debating which cyberattacks merit meaningful military retaliation.
Offensive cyber warfare is not a topic that NATO officials traditionally discuss openly. But like the online landscape itself, things are changing quickly.
“Sometimes attack is the best defense,” says Lt. Col. Christoph Kühn, chief of staff of the NATO Cooperative Cyber Defense Center of Excellence here in the capital of Estonia, once a major medieval trading center and now a center of culture and technology.
As officials here on the digital frontier become accustomed to fending off increasingly sophisticated waves of cyberattacks, they are becoming more willing to discuss the benefits of infiltrating attackers' systems, analysts say.
“You can train teams to defend against an attack. You can also – and we should be able to talk about this – train offensive teams,” says Lauri Ahlmann, former permanent secretary of the Estonian Ministry of Defense. “Passive defense [alone] is not an option.”
There's also a psychological aspect to it: Playing offense, Mr. Ahlmann adds, helps officials understand the mindset of cyber opponents.
However, as some NATO members develop offensive-style cyber capabilities, the alliance is grappling with how these steps, which could strengthen overall security, could also jeopardize individual member states' hard-won cyber secrets by inadvertently exposing capabilities or revealing the cards that other states hold in cyber defense.
“It’s a very complex dance,” says Hans Horan, a strategic analyst at the Hague Center for Strategic Studies who specializes in cyber threat intelligence and security. “How do you engage in a cyber attack while ensuring that the priorities of individual nation states are not compromised in the process?”
At the forefront of cyber defense
Back in 2004, NATO wasn't particularly interested in improving its cybercrime capabilities, or its defenses for that matter.
That was the year Estonia joined NATO. It was also the year that officials in Tallinn, wary of the Kremlin, proposed that the alliance create a special center to study cyber warfare.
The idea was immediately rejected by NATO officials at the time.
But officials in Tallinn moved forward, and the city created its own research unit. “It was one of the best decisions” his country of just 1.3 million people, a population the size of Dallas, has ever made, Mr. Ahlmann says.
In 2007, Estonia became the first NATO member to fall victim to a massive cyber attack on the country, widely considered one of the first major examples of cyber warfare. The attacks were attributed to pro-Russian groups responding to the Estonian government's decision to move the Soviet-era Bronze Soldier war memorial, a sensitive issue for Estonia and Russia. The attack continued for several weeks. But Estonia fought back, thanks in part to its war games exercises.
Estonian officials then convinced NATO to create the cyber center they had proposed three years earlier.
Mr. Ahlmann has since applied what he learned at the Ministry of Defense to launch a company called CybExer, which creates online training ranges. Clients, including European government agencies and airport managers, pay for “practice” in responding to man-made cyber attacks.
Behind him, a simulated map of London lights up on the cyber range as cell towers go dark and power grids collapse.
The war game scenarios here are varied: the aircraft fuel pump at the airport gate does not stop, and the runway can be filled with gasoline in a matter of minutes. In another case, the cooling system of an internet server farm was hacked, causing a fire, mirroring an event that actually happened in Estonia.
Even officials who may not be computer savvy can struggle with common problems, Mr. Ahlmann said. “In cybersecurity, not all issues are technical.” These could include anything that would require society to shut a system down, and the first consideration would be whether to pay the ransom demand.
Similarly, military exercises are being held near the NATO Cyber Center in which participants not only try to drive out intruders and build firewalls, but also practice the critical art of strategic decision-making, says Lt. Col. Kühn.
During one exercise, approximately 8,000 virtual systems could be subject to 8,000 simulated cyberattacks from criminal groups, state-sponsored actors or states themselves. “This is a chance for participants to practice their answers,” he adds. “They will say, 'You attacked us, so we attack you?' This is strategic thinking, and we try to train for this.”
Attack, defense or survival?
In cyberspace, there are NATO members who are primarily defensive and others who are more offensive. Despite this, some have recently decided they now have no choice but to go on the offensive, says Lt. Col. Kühn.
These counterattacks are usually not the kind of sabotage by the good guys that plays out in spy movies. Instead, they are more likely to be associated with reconnaissance operations or hiding in enemy systems. Anything that involves a transition from a state’s own system to another state’s system is considered an offensive operation.
NATO, as an alliance, does not have its own offensive cyber capabilities, so part of the role of the NATO Cyber Center in Tallinn is to help countries develop policies on this front.
“We give a right and a left border, and this is a matter for governments,” whose job is to “decide” their own strategy and policies, says Lt. Col. Kühn.
The problem, however, is that this “every nation for itself” concept could create a disjointed approach to addressing cyber issues within the alliance, says the Hague Center's Mr. Horan.
Some members, for example, prefer not to share secrets with countries they believe do not take cybersecurity seriously. For example, when Spain signed a contract with China's Huawei to supply components for its 5G infrastructure, it caused “quite a big commotion” within NATO, Mr. Horan adds, over whether countries should continue to trade intelligence with Madrid.
“We don't provide as much evidence as we should,” admits Tõnis Saar, director of NATO's Cooperative Cyber Defense Center of Excellence. “It’s definitely something we should practice more.”
But analysts say there is progress on other fronts as well. NATO countries are gradually getting better at identifying the causes of cyber attacks, creating databases that track different hacking styles.
Lt. Col. Kühn gives the example of fingerprints being indexed in forensic laboratories. When they first started being used, “you didn't have many examples,” he says. “Now there are more and more of us.”
However, the improvement is what he describes as “a little bit better. Not that much better.”
At the same time, questions remain about how NATO should respond once it identifies the culprit of the hack. The problem with retaliation is that it often reveals vulnerabilities of adversaries that attacking countries would prefer to keep secret until they are forced to exploit them.
There is also debate over the application of Article 5, the obligation of NATO members to treat an attack on one member as an attack on all.
When the Geneva Conventions were created, no one thought about whether a computer virus should be considered a weapon or an attack that could lead to retaliation, says Lt. Col. Kühn, and this is not entirely clear yet.
At the same time, Mr. Ahlmann said, cyber attacks have become “much more sophisticated” than in 2007, when Russia imposed an online siege on the Estonian government.
There should not be “any automatic” invocation of Article 5, although there may come a point when these attacks justify it, he adds, if they cause “consequences and damage that we have not yet seen.”






