This paper provides an academic perspective on national and international cyber issues. The intent is to add to the wealth of international discourse on the emerging field of cyber security. The paper seeks to achieve this goal by first reflecting on the current state of threats to cyber security across the globe. Second, it will look at some of the national and international positions being taken to put in place near as well as long term cyber security. The national focus is primarily on the stated policies and positions of the United States, and the international focus is on NATO efforts to defend its own networks. These are the actors that have been central in advancing the security of the Internet, over which most communications and information, both open and secure, flow. Notwithstanding their centrality, the United States and NATO are but one nation and one international organization among many strong and capable actors in the global cyber domain. Therefore, this reflection is couched in the broader context of a constellation of actors in a domain that is as yet without broad consensus on norms of behavior. It is the perspective of an American analyst. Other critical perspectives must be taken into account in order to distill a holistic appraisal of cyber security.
Part I. The US and Cybersecurity in the International area
The centerpiece of U.S. international engagement on cyber security for the future continues to be the 2011 International Strategy for Cyberspace.35 This pivotal document espouses a commitment to the three principles of freedom of expression, privacy, and open access to information. It identifies a U.S. goal of «…work[ing] internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters freedom of expression and innovation.»
The U.S. International Strategy for Cyberspace endorses the understanding that long standing norms of international behavior in peace and conflict also apply in cyberspace, while accepting that work is needed to clarify how these norms apply and where they will need to be supplemented. Norms therefore should be grounded in the traditional principles of upholding fundamental freedoms, respect for property, valuing privacy, protection from crime, and the right of states to engage in self defense. Based on these values the U.S. supports the emerging international norms of:
- Global Interoperability
- Network Stability
- Reliable Access
- Multi-Stakeholder Governance
- Cyber Security Due Diligence by States37
The Strategy goes on to describe three primary lines of U.S. effort on cyber security: strengthening international partnerships through diplomacy; dissuading and deterring attacks through strong defenses; and, furthering global prosperity and security by investing in development.
The Strategy also elaborates seven policy priorities being pursued by the United States to realize a future Internet that is secure as well as reliable and open and interoperable:
- Promotion of international standards and open markets for economic growth
- Enhancing the security, reliability and resiliency of global networks
- Extending collaboration on law enforcement and the rule of law
- Military preparedness to deal with the security challenges of cyberspace
- Promotion of effective and inclusive Internet governance structures
- Building capacity, security and prosperity
- Furthering the cause of fundamental freedoms and privacy via Internet freedom
As the above outline shows, the U.S. elaborated, more than two years ago, a comprehensive roadmap for policy development by all departments as they engage in cyber space activities. It provides the basis for developing cyber security programs. It also points to the U.S. vision for a peaceful, dependable and productive future Internet.
Since that time, a number of programs have been initiated to implement this strategy even as the threats already described continue to gain momentum. In many ways the rapid growth of threats is fueling new security initiatives. In 2012 the United States supported work at the United Nations (described below), at the Organization for Security and Cooperation in Europe, and at NATO – to cite three of many international efforts – intended to coalesce international consensus on cyber security matters.
As already noted above, in February 2013 the White House issued its Executive Order (EO) establishing procedures for improving the cyber security of critical infrastructure. The EO is a useful document for outsiders to gain an impression of the complex interaction of the many federal agencies involved in cyber security, from the Departments of Homeland Security,38 Commerce, Defense, and Justice to agencies such as the Office of Management and Budget and the Federal Bureau of Investigation. These are but a few of the major government participants in infrastructure protection.39 These same departments each play a role in connecting to their international counterparts in other nations to coordinate on matters of cyber security, from law enforcement to interoperable standards.
Active and Robust International Engagement
A common theme of international implementation is engagement, whether in existing forums, multinational institutions or bilateral meetings. Indeed, the United States is represented in almost every international forum on cyber security, either officially, by representatives of the private sector or by academic experts. All these types of representation have been present over the years at the IISI International Forum in Garmisch-Partenkirchen, Germany, which is steadily gaining prominence.40 Official U.S. government participation takes place more often than realized. U.S. State Department officials participated in the 2011 OSCE forum on confidence and security41 building measures for cyber security, and a Commerce Department official is a member of the UN Internet Governance Forum’s Multi-Advisory Group42. The U.S. Vice President participated in the London Conference on cyber space norms.43 In 2012, the U.S. participated in the Budapest Conference on Cyberspace, and it is preparing to join the third in this series of UK-initiated conferences, the Seoul Conference, in October 2013.
The three most significant powers in global cyber security issues are China, Russia and the United States, and it is no secret these powers differ in their policy positions on the security and openness of the Internet, among other issues. Notwithstanding their differences all three powers maintain regular dialogue with the others in a variety of relevant venues. All three participate regularly in most international forums on cyber security. One example would be the London, Budapest and Seoul conference trilogy just cited. Perhaps the highest visibility venue is the United Nations Group of Government Experts (UNGGE) that meets on «Developments in the Field of Information and Telecommunications in the Context of International Security.»
The result of a Russian initiative, the 15-nation UNGGE has met over three series of events, in 2004, 2009-10, and in 2012-13, to consider threats from the cyber sphere. The first meeting did not result in an agreed report; however, the second set of meetings did agree to a report on several policy recommendations.45 The current series of meetings concludes in June 2013. If a report can be agreed it is to be delivered to the General Assembly before the end of 2013. It is important to note that GGE agreements reflect the consensus among not only the five permanent members of the UN Security Council but also Germany, India and many other major powers, plus other important powers well known on cyber issues.
Although the results of the GGE are sometimes regarded as weak and limited thus far, they represent the current state of agreed consensus on cyber security at the highest level and thus are important to note in seeking to advance new agreements.
In April 2013, the United States and China, after much negotiating, reached an agreement to establish a working group to discuss cyber security concerns. The key issue for the United States has been a growing conviction that cyber espionage aimed at stealing intellectual property from U.S. firms, including defense industry firms, has been traceable to China, and specifically the Chinese military. China is concerned over what is perceived to be inappropriate information being made openly accessible to online users in China, potentially undermining government authority. The U.S.-China working group on cyber security matters is to hold its first meeting in July, in conjunction with the fifth annual U.S.-China Strategic and Economic Dialogue in Washington.
Even more significant will be the landmark U.S.-Russia agreement on measures to reduce risk of cyber conflict, signed by Presidents Obama and Putin at the UK hosted G-8 Summit on 17 June 2013. The agreement, which calls for standing up ‘within the next month’ a bilateral working group similar to the U.S.-China working group, also establishes three formal channels between U.S. and Russian counterparts. The first is a ‘hot line’ between the U.S. cyber security coordinator and his or her Russian counterpart to allow for direct communications in time of crisis. The second is to use the U.S. Nuclear Risk Reduction Center built in 1987 for nuclear warnings, to be used now to warn each other of cyber exercises that might be mistaken for attacks, and to raise inquiries when perceived attacks appear to emanate from the territory of the other party. The final formal channel being agreed is the direct sharing of technical information, such as IP addresses suspected of emitting malicious traffic, between the U.S. Computer Emergency Readiness Team at the Department of Homeland Security and its Russian counterpart.
What is clear is that, despite sometimes sharply differing views and perhaps in part due to rapidly growing concerns over malicious activity in cyber space,49 China, Russia and the United States are taking substantial and tangible steps toward establishing norms of behavior that will reduce tensions and serve as a model for other powers.
Assisting Other Nations in Strengthening Their Cyber Security Posture
A consistent policy theme being carried forward from the U.S. International Strategy for Cyberspace is to assist other nations in developing awareness of, and strengthening their response to, cyber threats, especially those that might emanate from within their own borders.50 Assistance can include advice on protecting networks, educating and certifying cyber security professionals, standing up initial Computer Emergency Readiness Teams (CERTs), and organizing capacity within network operation centers and secure data centers.
Work is ongoing with the Government of the Islamic Republic of Afghanistan in many of these areas by the Departments of Commerce and Defense, as well as private universities and businesses.51 The U.S. is also assisting NATO partners bilaterally, as well as other developing countries around the globe who have expressed interest in working with the United States to improve their national cyber security posture. The logic of this engagement is simple: any place on the Internet that remains unsecured against malware is a potential vector into the Internet that could be a risk to all who use it. Hence, the more global the security the safer the Internet is for all.
Creating a Future Workforce Educated in Cyber Security
Another key aspect of U.S. cyber security is the education of a future general population that will be astute in online security. This is part of a Department of Homeland Security program called «Stop-Think-Connect.» The United States is also educating a substantial cohort of highly skilled future cyber security professionals for service in both the private and public sectors. This pool of talent will serve to confront future challenges to the reliability, security and resiliency of the Internet, and protect the information that transits its infrastructure.
A key education initiative of the National Science Foundation is the Cyber Watch program, which began in 2005 as a consortium of 10 institutions in the Washington D.C. area. Today, it is a nationwide program covering 29 states and consisting of 50 community colleges and 45 universities, offering degrees and technical as well as non-technical cyber competitions. More than 40 businesses, government organizations and associations are affiliated with this program, which has also trained over 500 faculty members at its member institutions. Cyber Watch has developed several models of Information Assurance Curricula for academic degrees and certifications in cyber security at every collegiate level.
More recently, Cyber Watch has begun to extend its education to the high school level. Cyber Watch is one of the most promising educational programs for a future U.S. workforce of highly talented cyber security professionals. Another very important educational program is the National Security Agency’s program for universities and colleges to be awarded the status of National Center of Academic Excellence in Information Assurance (i.e., cyber security) education. This program includes strict criteria for designations as either a Center of Academic Excellence for two-year education programs, four-year degree programs or as a Center of Excellence in information assurance research. As of 2013, 166 colleges have been awarded Center of Academic Excellence status in at least one category.
Part II. NATO and Cyber Defense — 2013 Update
Cyber Security first seized NATO attention at the head of state level in 2002, shortly after the Alliance suffered its first cyber attack. Since then, cyber defense has rarely left the agenda of NATO’s leadership or the agendas of leaders of its member states. These leaders have concluded that cyber attacks could reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability. In turn, Alliance agencies, commands, schools and staffs are working to realize the goals of preventing, detecting, defending against and recovering from any and all cyber attacks. Indeed, over the past 12 years, cyber defense has become highly institutionalized across the Alliance and within its processes, including the core NATO Defense Planning Process.
The North Atlantic Treaty Organization (NATO) continues in 2013 to strengthen its capacity to defend its internal networks from a mounting number of daily intrusions, the threat of inadvertent compromise from user missteps, and from a steady stream of external cyber attacks. In early June Alliance Defense Ministers held their first ever meeting dedicated solely to cyber defense, a testimonial to the intensifying concern across NATO and among its members. It was agreed that as a priority defensive protection must be extended to all NATO owned and operated networks before the end of 2013. The ministers also tasked NATO staffs to provide a report by October on how NATO can support members who request assistance if they come under cyber attack.
NATO’s core interest in the cyber domain is the protection of Alliance owned and operated networks. As an alliance, NATO views the broader matter of cyber security as a national and not a NATO task. The Alliance does not want members to become dependent on NATO capabilities and thus reduce their national investments in cyber security. Although its focus is mainly on cyber defense, as the news report above indicates, the Alliance is studying whether or not it might be able to assist members who request help in responding to cyber attacks. To quote NATO Secretary General Anders Rasmussen, “Cyber attacks do not stop at national borders. Our defenses should not, either.”
Effective NATO Cyber Defense Governance
Cyber Defense is directed by the North Atlantic Council (NAC), as are all Alliance undertakings. In 2011, the NAC carried out the decisions of Alliance members at their summit at Lisbon in 2010. Those decisions called for a new cyber defense concept, policy and action plan – all of which the NAC approved by June 2011.
As a major enterprise, cyber defense oversight involves all NATO stakeholders, who meet together as the Cyber Defense Management Board. Day-to-day activities and management of programs are the business of the International Staff, in particular, the Cyber Defense Office within the Emerging Security Challenges Directorate. Another key staff is the NATO Headquarters Consultation, Command and Control Staff. This is a combined staff, comprised of members of the International Staff (primarily civilian) and International Military Staff (primarily military). This staff oversees cyber defense at NATO headquarters and agencies.
The NATO Communications and Information Agency (NCIA) directs the technical execution of cyber defense (among many other responsibilities). One element of NCIA is the NATO Computer Incident Response Capability (NCIRC), which is NATO’s equivalent of a CERT – the primary monitor of networks for detecting and responding to intrusions and other risks to full operational capabilities.
The two NATO strategic commands play key roles in NATO cyber defense. Allied Command Operations (ACO) is responsible for command over all operational forces and therefore operates most of the networks that must be protected. Allied Command Transformation (ACT) has responsibility for the majority of cyber defense action plan items. Several action plan initiatives are discussed in more detail below.
NATO member nations, as already stated, have primary responsibility for their own cyber security. However, where NATO and national networks interface the Alliance works with its members to ensure nations follow NATO’s technical and procedural standards with regard to the protection of NATO information and classifications.
The Role of Allied Command Transformation
ACT is NATO’s agent for change; its intellectual capital for the future. It is the command responsible for the multinational aspects of force transformation, which primarily is carried out by nations yet informed by NATO with respect to requirements for multinational interoperability. This role applies to cyber defense as it does to all NATO missions and functions. Thus ACT oversees a number of tasks aimed at strengthening NATO’s cyber defense posture, both today and in the long term. The primary tasks of ACT are the development of Alliance (i.e., multinational) concepts and doctrine, and development of NATO training, education and exercises. All these apply to cyber defense just as they do to other military disciplines.
An additional important task is guiding development of NATO cyber defense capabilities of the future. This starts with fulfilling all the requirements already agreed but yet to be fully put in place. ACT also oversees planning for the longer term cyber defense requirements in order to stay abreast of anticipated future threats within expected resources. In developing future needs, ACT takes into account operational lessons learned and assesses the effectiveness of current capabilities.
ACT has responsibility for developing NATO concepts and doctrine for cyber defense awareness, education and training for Alliance schools and for disseminating to members for use in their schools as appropriate. In 2013 NATO is on track to complete its update of cyber defense concepts and doctrine, and along with other staffs, ACT is guiding development of Alliance cyber defense training plans, education programs and exercises. Once completed, these products are to be reviewed by HQ NATO and member nations. Like all training, cyber defense training proposals will ultimately be submitted to NATO’s Military Committee for approval.
ACT is responsible for outreach programs to tap the expertise of industry and academia in seeking solutions to the many NATO cyber defense challenges. NATO has a well-developed regime for engaging with industry and this must now include cyber defense technologies. NATO is developing ties to academia through ACT to help Alliance staffs find innovative solutions to issues such as applying the concept of burden sharing to cyber defense, or determining NATO dependencies on national communication and information systems.
The Cooperative Cyber Defense Center of Excellence
The CCD COE in Tallinn, Estonia has just celebrated its 5th anniversary and continues to strengthen its capacity in terms of resources and activities. 11 NATO members are sponsoring nations and two more have announced plans to join the Center’s sponsors.58 Although not a formal part of NATO’s structure, CCD COE is an important and integral component of NATO’s cyber defense team. ACT oversees all centers of excellence in terms of accrediting them with the Alliance and proposing inputs to their program of work. At present, the 2014 program of work for CCD COE is being prepared.
The CCD COE mission is to enhance capabilities, cooperation and information sharing across NATO, and among NATO nations and partners in cyber defense through education, research and development, lessons learned and consultation. The Center’s goal is to be the main source of expertise in the field of cooperative cyber defense by accumulating, creating, and disseminating knowledge in related matters within NATO, NATO nations and partners. The three competency areas in which CCD COE pursues its goal are: legal and policy matters; training and doctrine issues; and research and development.
CCD COE has an impressive annual work plan of research publications, technical courses, conferences and cyber exercises. For example, it has already completed its First Quarter 2013 Cyber Security Status Watch report, conducted its annual network defense exercise Locked Shields 2013 (in April), and held its annual CyCon conference (in June).
There has been a marked increase in high profile disruptions of government and commercial enterprise networks over the past 18-36 months. These attacks suggest an increasing attraction of the cyber domain as the medium of choice for conducting attacks in pursuit of social and political as well as criminal motivations. We can expect this trend to continue and grow so long as the international community remains diffused on what constitutes acceptable behavior in cyberspace. Attackers may be criminals, or either state or non-state actors. While attribution remains difficult, the theory that any attacker has to expect some gain from conducting an attack offers some indication of the source of attacks. Strengthening defenses is much more in the hands of legitimate network users, be they individuals, businesses or governments. All should raise their level of defense.
The United States is moving forward on several paths to strengthen its defenses, with a somewhat heightened sense of urgency in light of recent attacks around the world. The United States is moving to strengthen the defensive posture of all online activities, both public and private – government agencies, businesses, organizations, communities and individuals. In this regard, the Departments of Defense and Homeland Security will ensure especially the security of the .mil and .gov domains. Overall, special attention is being given to the protection of critical infrastructure. A U.S. goal is a future population that is much more aware of risk even as it will be much more online. The United States is engaged internationally at all relevant junctures in the pursuit of a stronger framework of laws and norms to guide the legitimate use of cyberspace. Finally, the United States is interested in a culture of international cooperation to keep the Internet open and secure.
NATO is organized and is implementing a comprehensive program of cyber defenses that will protect its own networks. As an Alliance of 28 countries, NATO is establishing effective network governance and strong network defenses. What NATO has accomplished already in terms of organization, agreements and deployed defensive technologies is informative on what might eventually be achieved by the community of nations across the globe.
Charles L. Barry
Senior Research Fellow,
Center for Technology and National Security Policy (CTNSP)
Charles Barry is an independent consultant and research fellow at the National Defense University. Views expressed in this paper are his alone and do not necessarily reflect the policies of the National Defense University, the Department of Defense or the United States government.
This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with explicit permission from the conference organizers.