Opening Remarks by Ambassador Sorin Ducaru, NATO Assistant Secretary General
Session 1 – Cyber Power and Evolving Concepts of War
Information Technology and National Security
Dr. Kenneth Geers
From the catapult to the H-Bomb, there has always been a close relationship between technology and security. But the Internet — and the human-2-human “cyberspace” around it — has accelerated the pace of this historic connection. Each of us now has a supercomputer in our pocket. Vulnerable operating systems and applications are used to manage everything from missiles to power grids. Anonymous hackers roam every part of the World Wide Web. By contrast, cyber defense is a slow, tedious, and uncertain process. For national security planners, this is a volatile concoction that is difficult to understand — let alone navigate successfully.
Dr. Mitko Bogdanoski
We live in a well-connected and technology-dependent world. People, institutions and companies have increased needs for communication in everyday life. Global and seamless connectivity today is enabled by cyber-infrastructure consisting of a large variety of different technologies which are in a continuous process of development and innovation. However, the same cyber infrastructure is becoming more and more vulnerable. At the same time, the way of conducting operations is becoming more sophisticated. The cyber operations through the most severe threats known as cyber attacks are major challenges to the fast technology development. Potential targets are systems which control the nation’s defences and critical infrastructure. The criminal organizations, states as well as terrorists of the future will win the wars without firing a shot – just by destroying infrastructure that significantly relies on information technology. They can exploit the vulnerable cyberspace to achieve strategic advantage against mightier enemies. Increasingly dependent on complex critical communication and information systems (CIS), NATO and the partner countries must adapt and enhance their defences in order to confront emerging challenges head-on. The reason for this is that the capabilities of so-called “cyber weapons” as well as the cyber attack surface are increasing with tremendous speed. The presentation will briefly describe specific examples of the most advanced cyber attacks, as well as the motivation behind the attacks. At the end, it will cover some specific measures and mechanisms that could be used to protect modern society from advanced cyber attacks.
Dr. John Hurley
The concept of war as seen within the four conventional battlefield domains is now considered in the new field of engagement, Cyberspace. Power, historically associated with nations heavily resourced, including strong militaries and substantive funding were easy to identify because only a few would qualify. Cyberspace has been a game-changer in terms of how power is now defined given the low cost of entry to nations, non-nations, groups and individuals and the sheer speed with which events can occur. The military’s history in conventional warfare has placed a distinct fingerprint on the levels of engagement drawn from its unique tradition and culture. Many of the historical lessons learned from conventional warfare can provide invaluable insight into conflicts that will be defined in Cyberspace. It is very important to remember, however, that the combatants in the cyberspace domain are not limited to the military, i.e., they translate across the boundaries of all three of the societal communities (citizen, government, and private industry). We look at how these realities greatly impact our views and approaches in realizing power and its use in warfare in Cyberspace.
Mr. Eli Jellenc
A view of “cyber power” that emphasizes the centrality of cyber-intelligence tradecraft in the conduct of cyber warfare and how this is changing the relationships among intel staff, military organizations, civilian security officials (law enforcement, etc.), and policymakers. The increasing relevance and influence of diverse private sector actors (many of which are multinational) and non-state actors (including criminals and hacktivists) in this “intelligence-led-conflict” dynamic. No international security issue since (at least) the age of maritime piracy and great power naval rivalry in the 18th century has seen such deep and consequential involvement by the private sector and non-state actors alongside states; this historical analogy can offer some lessons for how we think about the global scope of geopolitical cyber conflict, but it also requires the inclusion of newer conceptual frameworks that draw on contemporary communication theory and conflict modelling (especially models designed to analyse complex, irregular conflicts). The fact that we are witnessing a large-n “cyber arms race” dynamic that differs from any previous arms race we have ever seen. There are more players (no less than 15 significant powers) “racing” at once. Each participant in this arms race develops their capabilities in part by conducting cyber intelligence operations against adversaries and allies at the same time. The private sector providers of many types of components or solutions within states’ cyber capabilities are selling the same or similar capabilities to other states at the same time.
Session 2 – Reconsidering Military Employment, Education and Leadership in Cyber Age
Dr. Liviu Muresan
Just like a territory is often understood as encompassing an area, so too has security been thought of in express association with a geographic or sectorial area, neglecting the height and the depths of a security volume. Recent developments in the interdependency of complex systems, including our societies, economies and polities make it crucial to adjust our understanding of security to include vertical dimensions. These factors present new sets of challenges for security, especially with regards to that of critical infrastructures – the issue of multidisciplinarity in their study, the issue of jurisdiction and collective action, the issue of the mismatch of security cultures between actors who have to collectively tackle a problem and so on. The presentation will focus on three dimensions of security – cyber, climate and space – which are, to a certain extent, interwoven from a security perspective. For instance, understanding and planning for climate change involves a reliance on new tools and applications, many of which are space-based, engendering a dependency on space systems which are severely vulnerable to all manner of threats, including that of cyber attacks. Separately, as well, these dimensions of security constitute an overarching factor of insecurity for societies, with multiple points of stress and vulnerability throughout the complex system-of-systems, but in a way which is hard to address through current organizations, tools and modes of thought.
Dr. Laura Steinberg
Syracuse University’s Dept of Electrical Engineering and Computer has been teaching a unique program for undergraduate students to prepare them for careers in cybersecurity. Drawing upon a long history of collaboration with the Air Force Research Lab in Rome, NY, the program includes an intensive semester of cybersecurity courses, in which traditional computer science classes are re-structured to teach cybersecurity as a fundamental basis of computing. The curriculum is designed and delivered by a combination of computer scientists and computer engineers in collaboration with AFRL, and draws students from both Syracuse University and Air Force ROTC programs around the country. In addition, Syracuse has recently launched an MS cybersecurity program which incorporates important learnings from our AFRL collaborations.
Mr. Minhac Celik
Today international conflicts are no longer considered without their reflections on cyber space. Given both the public and private sectors’ increasing dependency on IT infrastructures and individuals’ intense use of ICT, threat perception and security understanding have been transformed in a way that states cannot easily overcome new challenges with traditional approaches. Since cyberattacks are strongly connected to political realities, states face a desperate need to develop cyber capabilities in order to prevent possible attacks, protect strategic assets in cyber space and deter rivals. The focus of my presentation is on the relations between states and hackers. There are different styles and methods among governments in forging links with civilian hackers. While some states are inclined to have inorganic relations with some hacker groups by providing them training, technical support, and intelligence, some other states keep themselves away from having this kind of relations for a set of reasons including political culture, democracy, transparency etc.
Meeting the Demands of a Volatile, Uncertain, Complex, Ambiguous and Interconnected (VUCA-and I) World
Dr. John S. Hurley
The North Atlantic Treaty Organization (NATO) has as its stated purpose: “safeguard the freedom and security of its members through political and military means”. In a world in which the boundaries that were so adroitly defined by conventional domains of engagement (land, air, maritime, and space) have become increasingly blurred in cyberspace there are now distinctly different challenges. The pervasiveness of computing throughout our society has brought into play non-traditional combatants and targets that have dramatically changed the rules of engagement often defined by military principles and tradition. The speed, attribution, and resource challenges that cyberspace dictates are only expected to get worse as attackers become more aggressive, committed, resourced, and smarter about ways to get to our information assets. The need to focus on a more comprehensive readiness plan to enable more responsiveness to conflicts; and the need to have a dedicated view towards the future are no longer options that we might consider. They now represent necessary game-changers that enable us to make viable decisions just to slow down the onslaught of attacks. In this presentation, the focus is on a more information-driven, quantitative approach to better drive consensus, support, and comfort for our senior leaders as they seek to meet Mission and security goals.
Session 3 – Technical Aspects for Military Cyber Domain
Dr. Hayrettin Bahsi
Sufficient protection against the cyber threats depends on a holistic view of technology, people and process aspects of security. However, existing information security standards and common practices deal with each of these aspects separately and do not address the exploration of relations among them. The scope of decision support systems in the field is even more limited as they give only support to technology-related issues. Consequently, the actual impacts of cyber threats on missions remain unknown in military applications, the effects of cyber attacks on industrial control processes cannot be predicted in critical infrastructures and cyber risks on business processes are not properly evaluated in enterprise environments. In this study, the relation between technology and process is elaborated within the context of cyber situational awareness in a military domain so that the requirements for the impact assessment of the threats on missions are discussed and possible approaches for the integration of this assessment to a complete situational awareness system are given.
Dr. Jingwei Huang
Modern military activities involve significant data sharing across security domains. We present the concepts and architecture of a Mission-oriented Multi-domain Multi-level security Graphics Server (M3GS) in the environment of GIG 2.0 and cloud computing. M3GS aims at providing information support for a dynamic team collaborating on a mission of warfighting, intelligence, anti-terrorism, or rescue and disaster relief; information providers input data (with various security labels in different security domains) into M3GS, and through M3GS, those data are displayed with proper widgets on the screens of information clients permitted to access; what data can flow to which screen is governed by security policies. While the Bell-LaPadula model is used to enforce traditional mandatory access control, a new challenge is how to meet both “need-to-know” policy and the more recent “need-to-share” policy. A significant problem is that the data shared have different owners from different security domains, and are subject to their own security policies. We address this problem by using dynamic provenance-dependent attribute-based policies.
After considering cyber as a dimension of national security, many nations have published national cyber security strategies since the early 2000s. After a short while, cyber started to be considered as a new domain of warfare. The US treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential in 2011. The next NATO Summit will take place in July, 2016 in Warsaw, Poland. During the summit, it is expected that NATO will accept Cyber as a new domain of warfare. After treating cyber as a new domain of warfare, the next agenda item is capacity building in the cyber domain. In this presentation, challenges of integrating the cyber domain into existing domains and recommendations to cope with the challenges will be discussed. The major focus of the presentation is human resource development and the establishment of communication and decision-making mechanisms between strategic, operational and tactical levels.
Dr. Roland Pulfer
The increasing cost pressure, the ever-changing regulatory requirements and the complexity and dynamics in departments, technology, politics, social networks and the unstoppable globalization now constitute the greatest challenges for business and technical architectures. In addition, the global trouble spots lead to a sustainable change in society, politics and System of Systems Engineering and are creating unforeseeable new risks. Only through efficient, effective and holistic engineering can this trend be transferred into sustainable operation and transformation. Practical examples will show how complex issues and dependencies can be documented and managed.
Session 4 – The Role of Military/NATO to Protect Critical Information Infrastructure
Mr. Matthijs Veenendaal
Most nations have crisis management structures that were created before the digital domain became of paramount importance. With the advent of cyberspace, in most developed countries (certainly in NATO member states) many different organisations have been made responsible for certain elements of protecting relevant digital infrastructure. These are usually already existing organisations with a historic mandate and responsibilities from before the time cyber security issues became relevant. When defining government responsibilities in cyberspace, states therefore generally start by adapting existing mandates and institutions. While many states are developing national cyber security strategies, the exact role and responsibilities of the armed forces in cyberspace often remain unclear. The armed forces play a role in the protection of cyber assets but nations have very different ways in which this role is defined. It is therefore worthwhile to look into the procedures, legal framework and practices of different countries in using military organisations to protect non-military (civil) digital networks in normal as well as crisis situations. The presentation will focus on the challenges involved in defining and clarifying the responsibilities of the armed forces regarding the protection of national security and how these relate to civilian authorities. Common national challenges are identified, as are approaches that potentially improve cyber security through better civil-military cooperation.
Triangular System of Systems Risks with High Consequences and Low Awareness
Dr. Adrian Gheorghe
Critical infrastructure protection (CIP) is a growing research concept, which focuses on increasing readiness in response to hazardous incidents that can affect national, regional or global critical infrastructure. Over the last two decades, with the revolutionary expansion of internet-based technologies, interdependencies of critical infrastructures have evolved to a much higher level of reliance on undersea cables and space technologies. Moreover, global climate change concerns and the surge in supplying the everlasting growth of global energy demand have made new shale energy resources more promising for energy-importing countries, and their impact on underground water resources and seismic earthquakes has been neglected so far. In this presentation, I am going to elucidate the growing importance of three main global critical infrastructures of undersea cables, underground shale technologies and space technologies and scrutinize their interdependencies through developing an overarching triangular viewpoint toward them.
Dr. Roberto Setola
Cyber attacks against Critical Infrastructures represent a new dimension of warfare. This kind of attack can reduce the exposure level of the attacker and at the same time, it can seriously impact the target with short and long-term consequences on the effectiveness of the infrastructures and, consequently, on the welfare of the population. This makes it necessary to design specific defence strategies that are tailored to the peculiarities of the ICS (Industrial Control System), and it requires a strong Public-Private Partnership.
Dr. Margot Weijnen
The question of the role of NATO in protecting critical information infrastructure raises many questions in its wake. What part of the information infrastructure is critical? Can it be protected? Is military protection called for? How should it be prepared for such protection? Which actors are responsible? These questions are not easily answered in a world where information infrastructure is every day more deeply penetrating into the capillaries of society and the economy, and our perception of the criticality of its many functions is changing with it. Even in a world at peace, without geopolitical instability and terrorist threats, safeguarding the resilience of critical infrastructures is a daunting challenge, given the organizational and institutional fragmentation that characterizes today’s infrastructure systems. Unbundling of infrastructure value chains, internationalization of infrastructures and infrastructure bound markets and increasing cross-sector interdependencies between infrastructures have fragmented the governance of infrastructure systems. While the pivotal role of information infrastructure is evident in a world of Big Data, the actors to be involved, which hardware and which information to be protected are only becoming less clear. The paper to be presented will reflect on the fluidity of our notions of critical information structure, including its critical stakeholders, and the consequences of this fluidity for protecting it. Can a smart adaptive protection strategy be devised? What tasks and responsibilities would that entail for different owners and stakeholders and what is the role of NATO/military in such a strategy? How could the protection of critical information infrastructure strike a balance between safeguarding infrastructure functionalities, safeguarding information, and protecting citizens and societal stakeholders from abuse of information by terrorists or enemy forces?
Session 5 – Integration of Cyber Power to Military Power
The Logic of Cyber Deterrence
Dr. Richard B. Andres
In recent years, few defense related topics have garnered as much interest or created as much frustration as cyber deterrence. The classical deterrence mechanisms that work against conventional and nuclear weapons are generally incapable of preventing states from using their cyber capabilities during peacetime to attack, damage, and steal from their opponents and during war in ways that could cause combat to escalate. This presentation describes the logic of cyber deterrence and how it differs from the logic of conventional and nuclear deterrence. It offers suggestions for how NATO can alter its defense posture to accommodate the emerging security landscape.
Dr. James Moreland
The cyber domain is undergoing extraordinary changes that present both exceptional opportunities to and major challenges for operational users of military power. The challenges arise from the malevolent actors who use cyber power to disrupt military operations and the many security vulnerabilities that plague this networked environment. Exploiting opportunities and overcoming challenges will require an end-to-end examination and assessment of operational mission threads to determine the critical interfaces. That said, the Department of Defense has a responsibility to articulate clear warfighter requirements that scale Cyberspace key performance parameters to operational need, and makes the “next generation” effects/kill chain humanly comprehensible. A Mission Engineering discipline is required which combines a structured System-of-Systems Engineering approach with operational planning to tighten the linkage between tactical operations and technical development. The assessment of military technologies, systems and/or capabilities requires a systems-of-systems approach to analyze the impact of making these military investments across the diverse warfighting domains of surface, undersea, air, land, and networks as well as maritime Coalition force integration. This assessment is being accomplished through the development of effects/kill chains to illuminate capability advantages and disadvantages of the alternatives; consider joint operational plans; examine sufficient feasible alternatives; characterize key assumptions, variables and sensitivities to change; as well as assess technology risk and maturity. The overall objective is to provide a single, secure, reliable, timely, effective and agile joint warfighter enterprise information environment closely aligned with the defense intelligence mission area.
Dr. Kenneth Geers
The Internet has changed the nature of nearly every profession, including that of soldiers and spies. Today, international conflicts have a cyber dimension, whose scope and impact are hard to predict. Online propaganda and espionage occur countless times each day, and preparations for cyber war are increasing — with few established international norms to guide the process. Cyber operations are now an integral way that state agencies fulfill national security requirements, from Chechnya in the mid-1990’s to Syria in 2016. As a consequence, national security leadership must dramatically improve its understanding of the technology, law, and ethics of cyber attack and defense in order to competently factor cyber warfare into all stages of military planning.
Dr. Mustafa Canan
Cyberspace is recognized as a warfare domain by a number of countries. Subsequently, these countries developed a concept of cyberspace operations. The ensuing formalization of cyberspace as a warfare domain was followed by the development of corresponding doctrines. On the other hand, several countries and NATO are still working to formalize and to recognize cyberspace as a warfare domain. Both states of affairs share understanding, integration, development, and formalism related problems in integrating cyberspace power into military power. These problems emanate from the long-standing existence of cyber assets within the land, air, sea and space warfare domains. This induces an immense interconnectedness. Thus, a discussion about an identified cyberspace capability will delineate the change from interconnectedness to integration in an operational context. This paper discusses cyberspace as a warfare domain in the information environment, cyberspace operations and relations to information operations, and the integration of an offensive cyberspace operation capability into joint military operations.
Session 6 – Essentials of a Military Cyber Strategy
Small Countries and Big Choices: Embedding the National Cyber Capacity In the Intelligence Sector or Outside?
Mr. Sergei Boeke
In nearly all countries, national cyber capacity has been developed within the SIGINT branch, a part of foreign intelligence. In the field of cyber security governance, there is literature available on the institutional arrangements in the US and how the new US Cyber Defense Command is co-located with the National Security Agency (NSA) and directed by the same flag officer. The Review Group on Intelligence and Communications Technology, set up by President Obama in the wake of Edward Snowden’s leaks, proposed separating the two tasks and organizations (recommendation 23-25). These suggestions were not implemented. From a practical perspective, this enabled the continuation of an unprecedented bundling of cyber expertise. From a governance perspective, however, this results in a continued blurring of responsibilities and mandates. With a fraction of the budget available in the US, small European countries are also building up military cyber-capacity and having to choose where they concentrate capacity. This presentation will briefly compare the situation in the Netherlands and Denmark, two NATO countries that are investing in cyber defense and even developing an offensive cyber capacity. In the Netherlands a Def(ense)CERT was set up in 2013, and Defense Cyber Command a year later. These are separate from the intelligence agencies, and for civilian critical infrastructure, the ministry of Security and Justice is in the lead with its own National Cyber Security Centre (the former GovCERT). Denmark, on the other hand, has made the Ministry of Defense the leading department, and bundled all the cyber expertise in the Danish Defense Intelligence Service (DDIS). What are the advantages and disadvantages of these approaches, and how important is the distinction civilian-military and intelligence or non-intelligence?
Mr. Eli Jellenc
Only in recent years have nation-states’ cyber strategies existed in sufficient number and variety to analyze them comparatively, across nation-states and over time. What can the similarities and differences among cyber strategies teach us about military cyber capabilities and their use, relative to certain types of missions and to other instruments of statecraft? This talk addresses these questions, among others, by developing and applying analytic models that help us decompose cyber strategies into their essential elements and assess their relationship to states’ cyber defense postures and activities.
Among the key findings to be considered are:
- the observation that states’ overarching cyber policies and their attendant military cyber strategies often inform one another in problematic, complex ways
- military cyber strategy is an unusually fluid and volatile area that will see more change than continuity in the near future
- some innovations in military cyber strategy (especially those of the 5-eyes militaries) are increasingly influencing civilian cyber security strategy and planning
- the implications of the porous boundaries between military and civilian, state and private sector, coercion and intelligence are only beginning to be understood and accounted for in military cyber strategy, yet these characteristics have some precedent in the recent history of asymmetric conflict
Dr. Bilge Karabacak
National cyber security comprises various dimensions such as critical infrastructure protection, fighting against cybercrime and conducting cyber military operations. Critical infrastructure protection and fighting against cybercrime are the most prevalent and mature dimensions. In addition to the national efforts, there are also international efforts associated with these two dimensions. For example, the Budapest Convention is an international treaty to fight collaboratively against cybercrime. Compared to the other dimensions, conducting cyber military operations can be regarded as a novel dimension of national cyber security. It also includes confidential items such as offensive actions, cyber intelligence, and counterintelligence. While some countries do not tend to reveal their cyber military efforts because of confidentiality concerns, some others partially expose their cyber military capabilities to deter. The number of studies on cyber military is limited as a result of novelty and confidentiality in the cyber military domain. Nevertheless, there are some academic articles and governmental documents. In this study, the recent evolution of the cyber military approaches is examined. Recommendations and future challenges for military cyber strategies are presented by taking the recent trend into account.
Session 7 – Legal Considerations for Military Cyber Operations
Dr. Metodi Hadji Janev
Cyber warfare occupies policymakers’ and military leaders’ agenda around the world. The notion that cyber-attacks could pose serious consequences pushes states and international security organizations to create separate units at different levels. Many argue that the face of cyber events has changed in the last 10 years from exploitation to disruption and that we are now in what they call the phase where cyberattacks will result in physical destruction. Looking from the perspective of interconnectivity and interdependence between the physical and cyber world, we could agree that cyberattacks hold the potential to cause serious cascade effects and severe damage and threaten national security. Even more today, cyber operations usually are purposefully designed with the intent to accomplish political and strategic objectives (causing an effect) in the “real world”. Feeling threatened, some states and organizations (NATO) have seriously considered armed response to cyberattacks. Nevertheless, although these concerns are as relevant as ever, the complexity of the future cyber conflict stems from the fact that cyberattacks could not always cause the scales and effects equal to armed attack. Therefore, the presentation and debate will focus on the applicability of the law of armed conflict to cyber operations. It will explain the current debate inside the legal academic and professional community in this context (confronting “pro” and “cons”) and explain how and why this debate is relevant for future cyber strategists.
Dr. Karine Bannelier-Christakis
The intention of this paper will be to focus on the legal issues related to the question of use of force and cyber-attacks against Non-State actors (NSA). States increasingly launch military operations against NSA which are often located in the territory of third States. The most prominent and recent example is of course the strikes by the US-led coalition and other States against ISIS in Syria, Iraq and Libya. Today these military operations conducted by States against NSA often include cyber-operations in addition to the use of conventional weapons.
Moreover hostile States could “hide” behind NSA for launching cyber-attacks against other States, which immediately raises the question of the legal possibility for the victim of such attacks to use military means in order to react against such acts and/or threats. Military activities conducted against NSA in cyberspace raise multiple issues for International Law. It is generally accepted that International Law, including rules governing the use of armed force and the UN Charter’s mechanism of collective security, applies in cyberspace. However, the problem of the exact legal basis for attacks against NSA present in the territory of third States has led to heated debate in international legal scholarship. Could a State claim a right of self-defence in order to launch such military operations against NSA present in the territory of another State? What is the legal validity of the theory according to which such a right could exist if the State concerned is “unwilling or unable” to eradicate the threats posed by NSA? And how could we resolve difficult issues of attribution to particular States of the hostile acts of NSA – especially in the field of cyber-activities where secrecy prevails and technical difficulties could render such a task a real probatio diabolica?