We live in an age in which more people have access to highly sophisticated technologies and almost every social, economic or military asset has become ‘securitized’ or vulnerable to disruption – whether temporary or more lasting – from an outside attacker or even an inside source.
In a globalised but also more confrontational and complex world, resilience will remain an ongoing concern for Allies, requiring constant adaptation as new vulnerabilities and threats emerge.
Cyber space is perhaps the most extreme form of this vulnerability as it interconnects the entire planet in real time, making it possible for anybody to attack any electronically operated target from anywhere at any moment. This vastly complicates the task of defenders, who can rarely know in advance that an attack is being launched, where it will strike or where it will originate. So the defender has to try to protect every important part of the national economic or military infrastructure all the time, while the attacker can choose the individual segment or vulnerable fault line that he wishes to disrupt.
As we move from the internet of things to the internet of everything, more and more of the infrastructure that we depend on for the normal functioning of our lives is being automated or controlled from remoter distances or integrated into ever more complex networks. The SCADAs – or automated control systems for electrical grids or energy pipelines – are but one example. So are cross-border grids which means an energy blackout in Italy can immediately turn off the power in parts of Switzerland, or an overload at one transmission plant in India can plunge 400 million people into temporary darkness, to cite just two recent examples.
The globalisation of networks and the increasing integration of physical infrastructure into the virtual world, for instance the storage of data not in machines but in ‘clouds’, has certainly brought about efficiencies and savings. But it has also greatly magnified the consequences of a disruption and the number of key nodal points and attack surfaces that malevolent actors can exploit.
A second tendency increasing the sense of societal vulnerability is the state of civil preparedness within the Alliance. The delivery of forces and military capabilities that NATO needs to uphold collective defence or to project forces beyond its territory relies on civilian resources. During the Cold War, many of these, such as railways, ports, airfields, grids or airspace were in state hands and easily transferred to NATO control in a crisis or wartime situation. Today, by contrast, 90 per cent of NATO’s supplies and logistics are moved by private companies and 75 per cent of the host nation support for NATO forces forward deployed on the territory of the eastern Allies comes from private sector contracts.
Similarly, when facing distributed denial of service cyber-attacks against its outward-facing networks, NATO has relied on cooperation from the telecoms sector and the internet security companies to filter and capture data, identify malware and provide extra bandwidth.
Without doubt the transfer of ownership and responsibility to the private sector has brought cost-efficiencies; but the quest to reduce costs and overheads to increase profitability has also led to less redundancy and less resilience. In addition, as hybrid threats below the threshold of NATO’s collective defence clause (Article 5 of its founding treaty) blur the traditional distinction between peace and war, government special powers based on wartime emergency legislation have become less practical to implement or even obsolete.
As a result, NATO faces two distinct but inter-related resilience challenges: first, to ensure that it can speedily move all the forces and equipment required to any part of the Alliance facing an imminent threat or attack, ensuring full and unimpeded access to all the infrastructure it needs for this purpose; and second, to be able to anticipate, identify, mitigate and recover from hybrid attacks with minimum disruptive impact on the Alliance’s social, political and military cohesion.
Civil preparedness is, above all, a national responsibility, in the same way that Allies must ensure adequate cyber defence for their critical information technology networks, especially the ones that NATO depends on for its own operations. This said, Allies’ security relies on individual nations upholding this commitment; and NATO has an interest in obtaining as much transparency as possible, so that it can assess potential vulnerabilities or gaps and accurately measure progress. Avoiding unpleasant surprises in crisis situations when the Alliance needs swift and reliable information and the capacity to analyse, decide and respond swiftly has to be the goal.
Consequently, the theme of ‘resilience’ – how to define it, assess it and enhance it across the Alliance – has become a leading topic for the NATO Summit in Warsaw, in July.
Resilience is increasingly seen as the corollary of deterrence and reassurance measures in the classical military sphere as part of a comprehensive security strategy for the Alliance. The seven baseline requirements to be assessed are:
1) assured continuity of government and critical government services;
2) resilient energy supplies;
3) ability to deal effectively with the uncontrolled movement of people;
4) resilient food and water resources;
5) ability to deal with mass casualties;
6) resilient communications systems; and finally
7) resilient transportation systems.
These seven areas apply to the entire crisis spectrum, from an evolving hybrid threat all the way up to the most demanding scenarios envisaged by Alliance planners.
So how can NATO make its contribution to improving resilience within its 28 Allied nations?
Five specific areas come to mind:
The first is cyber defence. NATO experiences 200 million incidents on its networks every day and around 200 more serious intrusion attempts every month. This level of hostile activity is also what Allies are experiencing as the ‘new normal’ in the cyber domain. NATO’s first task has been to upgrade the protection of its own networks by giving the NATO Cyber Incident Response Capability (NCIRC) additional capabilities for earlier detection and more rapid response to cyberattacks. Two Rapid Response teams have also been created to assist Allies, as well as to manage incidents affecting NATO itself.
NATO has now moved on to help Allies improve their cyber resilience by introducing capability targets into the NATO defence planning process and devising a new memorandum of understanding between NATO and individual Allies to establish secure connectivity and arrangements for information-sharing and crisis management. A number of Allies have come together to develop specific capabilities in fields such as a malware information-sharing platform, training and education, and systems configuration for effective decision-making.
The NATO Cooperative Cyber Defence Centre of Excellence in Estonia has helped NATO to organize state-of-the art annual exercises to improve the skills of cyber operators using a cyber range that Estonia has transferred to NATO.
Finally, and given the importance of industry that owns 90 per cent of the networks NATO and the Allies depend on, the Alliance is developing a NATO-industry cyber partnership to encourage information-sharing and best practices. This will give NATO a better grasp of the rapid pace of innovation in the sphere of information technology and how it can better integrate emerging technologies and new concepts into its cyber defence. The proposal to create an ‘innovation hub’ at the NATO Communications and Information Agency should facilitate this dialogue and mutual understanding between NATO and the small-and-medium-size technology providers that are often the most innovative in this area.
As the Alliance looks towards the Warsaw Summit, some further measures are on the table. One is a ‘cyber defence pledge’ or commitment to speed up national implementation of the NATO capability targets, which requires sustained national focus and adequate resources.
A second idea is to look into the political, legal and operational consequences of declaring cyber as a domain, as many Allies have done already in terms of their national cyber strategies. This reflects the increasing awareness that most conflicts and crises these days have a cyber dimension and that – as NATO increases the momentum of its military activities for collective defence – NATO commanders need the requisite tools and authorities to defend against advanced cyberattacks and to operate across the cyber spectrum.
A second area of resilience is a strategy to respond to hybrid warfare which NATO foreign ministers approved last December. NATO is improving its intelligence-sharing and early warning processes in order to better anticipate and map hybrid warfare activities. It is developing in this respect a set of early warning indicators that can trigger a number of crisis-response options. This is because rapid identification of a hybrid attack (as opposed to an isolated or random incident) and speedy decision-making are essential to nip these attacks in the bud and block escalation.
NATO ambassadors and defence ministers have held simulation and scenario-based exercises to fine-tune their situational awareness and responsiveness vis-à-vis threats, which are specifically designed to be ambiguous and difficult to attribute.
Effective strategic communications to dispel false information, propaganda, lies and myths is also an essential part of coping with hybrid attacks that seek to confuse public opinion, aggravate social tensions and undermine trust in governments.
All this does not mean that Allies are as vulnerable to a hybrid attack as Ukraine proved to be during Russia’s illegal annexation of Crimea. However, Allies are now encouraged to map potential vulnerabilities that can arise from Russia’s involvement in business, financial, media or energy concerns, for example, and to share the lessons learned from resilience stress testing more broadly within NATO.
A third area under discussion concerns NATO’s ability to fully implement its Readiness Action Plan for the reinforcement and defence of Allies, whether to the east or to the south. NATO members have to adjust their territorial defence mechanisms and infrastructure to the new security environment and revive the planning fora that existed during the Cold War.
In particular, NATO planners require cross-border transit arrangements for the rapid deployment of the Very High Readiness Joint Task Force and NATO Response Force. As new Graduated Response Plans for detailed collective defence arrangements are adopted, the Allies must ensure that elements such as transport, flight corridors, civil-military airspace coordination, fuel stocks, pre-positioned equipment, port access and legal agreements are fully integrated into military planning.
Crisis-response measures to activate civil emergency measures will need to be updated and civil defence requirements will need to be given more attention, based on the military requirements for the Readiness Action Plan and associated capability packages for its deployment. A more sustained dialogue between military commanders and national civil emergency authorities is now being established.
Stepping up cooperation with the EU
A fourth area is the relationship between NATO and the European Union (EU). The two organisations occupy different parts of the resilience spectrum but there is also considerable overlap in the middle. A joined-up approach based on a shared situational awareness and coordination of responses is key to a successful response.
Currently NATO is talking with the EU on enhanced cooperation in four areas: civil-military planning; cyber defence; information-sharing; and analysis and coordinated strategic communication to spot disinformation and communicate a credible narrative. One early deliverable is a technical arrangement between the NATO NCIRC and the EU Computer Emergency Response Team (EU CERT) for the exchange of information, which was concluded in early February.
Up to the Warsaw Summit, NATO and the EU are continuing their discussions at the staff level, as the EU finalises its own strategy to respond to hybrid threats. The aim is to harmonise procedures and to support each other’s efforts in responding comprehensively. The ambition is to identify pragmatic, flexible approaches which could be reflected in a joint declaration by NATO and the EU at the Warsaw Summit. NATO and the EU are also developing compatible ‘playbooks’ to ensure more participation in each other’s activities, such as exercises and training.
It is also important that NATO and the EU work together to tackle other resilience challenges that do not result from deliberate attacks. The most urgent of these is the migration crisis. NATO has recently deployed a maritime task force in the Aegean to work with Greece and Turkey and the EU border agency, Frontex, to monitor the flow of refugees and migrants and in this way help to curb the illegal activities of smugglers and traffickers.
Working with partner countries
Finally, NATO’s partners can also help to improve the Alliance’s overall resilience. Not only Ukraine but many other partners have been the victim of hybrid operations. Their experiences and lessons learned can help NATO to better understand the type and impact of hybrid tactics. More information-sharing and early warning can help NATO decision-makers to identify incipient attacks that could start in a partner country but rapidly spread to NATO territory.
Conversely, NATO’s experience and expertise can help partners improve their own capacity for resilience. Unsurprisingly resilience areas like cyber defence and civil emergency planning are increasingly featuring in defence capacity building packages for partners such as Georgia, Moldova, Jordan and Iraq. In the Baltic region, Sweden and Finland – two of NATO’s most active partners, which have enhanced opportunities for dialogue and cooperation – have also faced hybrid pressures from Russia. These Nordic partners have drawn closer to NATO through consultations, training and exercises, including the conclusion of host nation support arrangements for crisis assistance.
In conclusion, Allies need to adapt constantly as new vulnerabilities and threats emerge from non-state actors such as so-called Islamic State, as much as from state actors like Russia. Resilience is here to stay as a core element of collective defence. That is why NATO will stay focused on reducing its exposure to threats to its cohesion, independence and security.