Highlights from the Side Event of the NATO Cyber Pledge Conference 2021

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in cooperation with King’s College London and William & Mary hosted on April 16th, 2021, the virtual ‘NATO Cyber Defence: A Decade of Opportunities and Challenges’, the official sideline event of the NATO Cyber Defence Pledge Conference 2021. This event was made possible by a generous grant from the U.S. Mission to NATO.  The event engaged almost 200 viewers. Recording is available on YouTube, Session I and Session II.

Dr Stephen E. Hanson, Vice Provost for International Affairs, William & Mary, provided introductory remarks and set the scene for a stimulating discussion on the heels of yesterday’s Locked Shields exercise.

Mr Douglas Jones, Chargé d’Affaires ad Interim at the US Mission to NATO, provided welcome remarks. Mr. Jones highlighted how NATO is the most successful Alliance in history and is constantly adapting to meet new security threats, whether from known actors, ungoverned spaces, or hybrid scenarios. Information technology is transforming modern life, driving innovation, and facilitating the sharing of ideas. Mr Jones affirmed the 2016 Cyber Defence Pledge and the need to enhance cyber defence of infrastructure. Building on adaptability, the ‘secret sauce’ of NATO is that like-minded allies can work together on difficult challenges, something US President Joe Biden is keen to revitalize. Working with allies and partners is key to succeeding against the challenges being faced by the Alliance, which will improve member states’ ability to defend themselves and their populations. Mr Jones noted how COVID-19 has had a significant impact on cybersecurity challenges, as malign actors take advantage of the situation to undermine health systems or sow rifts among allies. The global pandemic has also spotlighted the underlying vulnerabilities in our interconnected world, where supply chains are of critical importance and require partnerships to secure. In summary, Mr Jones emphasized that cybersecurity and countering threats will require a ‘whole of government’ and ‘whole of sector’ holistic approach.

SESSION I, ‘NATO Cyber Defence and Offence in the International Environment’, featured three distinguished panellists led by moderator Dr Antonio Missiroli, Associate Senior Policy Fellow for Emerging Security Threats, Leiden University. Dr Missiroli opened the panel by calling attention to the 15 April decision by the United States, with support from many allies, to place sanctions on Russia in retaliation for the SolarWinds attack and election interference. He believed these events work to underscore the importance of this virtual event. Today, nations examine ways in which NATO member states align their sovereign interests, doctrines, capabilities, and more to work together in a coherent and synergistic way.

Dr Brandon Valeriano, Donald Bren Chair of Military Innovation, Brute Krulak Center, Marine Corps University; Senior Fellow, Cato Institute, began with the stark observation that there is no clarity among Alliance members as to what ‘persistent engagement’ means. In some ways, it is about superiority through persistence as a nation seizes and maintains the initiative by engaging and contesting adversaries where they manoeuvre. ‘Defend Forward’ will pre-emptively help allies to support one another and reinforce norms, with hopes that senior government officials will coordinate their nation’s cyber defence capabilities. A layered ’whole of nation’ approach to this can involve: shaping behaviour, developing normative regimes that govern cyberspace, and leveraging non-military instruments to produce cyber stability; denying benefits (deterrence), focusing on resilience and defence in-depth, securing elections, and defending critical infrastructure, and imposing costs. While some of this is aspirational, it will aid in escalation management that is driven by reality, assessments, and metrics. NATO member nations can coordinate better on norms, which are enfranchised by practice.

Dr Max Smeets, Senior Researcher, the Center for Security Studies, ETH Zürich, began with a paradox. Over the past few years, there has been a convergence of NATO member states’ views on the importance of developing a cyber posture. But, there has been a divergence over what a cyber posture should look like, which can significantly impede NATO’s ability to operate in the cyber domain. This has implications for strategic goals, operational capacity, and legal proceedings. In addition, sovereignty is a sticking point as member states do not agree on what constitutes a violation of sovereignty. Should the divide be bridged, NATO could take away the opportunity for the adversary to act. There is a promising path forward. Even without major cyber policy coordination, nations are converging over time as their dedicated and sustained policy efforts bring them together.

Ms Amy Ertan, PhD candidate, Royal Holloway, University of London, anchored her comments in the United Kingdom’s new National Cyber Force (NCF). Recognizing resource constraints, the United Kingdom is weighing how to counter cyber activity, possibly with direct or persistent engagements. As it develops its offensive capabilities, the United Kingdom is not operating in a vacuum and is actively considering matters of international law, the applicability of cyber norms, permissible and non-permissible environments, and questions of ethics and international humanitarian law. Allies, like France or Norway, have very different definitions of offensive cyber operations, and alliances like NATO will need to address this divergence in doctrinal approaches when deciding what responsible state behaviour in cyberspace looks like. Agreed terminology is a great place to start. The questions and answers  that followed addressed an understanding of offensive cyber operations, and the extent to which they can be used, the bipolarity or bifurcation of cyberspace, the extent to which the imposition of credible costs would permit a nation or Alliance to control or manage escalatory effects, and the effect of nonstate actors on cyber security policy in the future.

SESSION II, ‘Resilience and Supply Chain Cybersecurity: Alliances and Partnerships’ featured three distinguished panellists led by moderator Dr Alexi Drew, Research Associate, King’s College London. Mr Neil Robinson, Policy Officer, Cyber Defence at NATO,  cast NATO in the role of a platform to help member states come together to overcome the complexities of the supply chain and better understand what is in the toolbox and which tools are available. Allies need to appreciate the security-value trade-off because ‘cheap and fast’ is not necessarily secure and prevention is cheaper than mitigation. Transparency, the predictability of approaches to understand supply chain risks, and trustworthiness are all important items for nations and companies to value. As evidenced by the Tom Cruise deepfake, NATO will need non-traditional partners including small and medium enterprises in the defence world and entertainment industry, to name two. These are not the traditional service-provider relationships and will help NATO to deal with challenges like the changing nature of innovation.

Dr Allan Friedman, Director, Cybersecurity Initiatives, National Telecommunications & Information Administration (NTIA), United States Department of Commerce, questioned why we do not receive a list of ingredients in the supply chains of mission critical systems, but we do have such information about the Twinkie snack. A Software Bill of Materials (SBOM) would provide NATO with a formal record containing the supply chain and ingredients, or nested inventory, that will get us toward trusted (albeit imperfect) data. The end user can then use the data to make key decisions— “do I need to go back to the supplier or is this enough data for my level of risk and assurance?” This is true of many ecosystems and not just cybersecurity. Open, transparent, and international processes related to the supply chain should reflect the needs of the community and, in the case of NTIA, contribute to agile policy development.

Ms Liisa Past, Head of Cybersecurity Business Development, Cybernetica, followed a pragmatic approach that includes a degree of shared vulnerability. The current ecosystem for supply chain assurance is predicated on a time delay that creates the impossible dilemma of accredited vs. secured. By the time a system or item is accredited, more than six months have passed. Assessing trust and the reliability of the vendor or digital service provider is part of this ecosystem. Questions related to the rule of law and the owners (or stealers) of the intellectual property are important to raise if information sharing is to be actionable and useful. Alas, there is no silver bullet. The questions and answers that followed addressed whether there is an outbalanced cost to small and medium companies that might have a disproportionate cost on innovation, and what NATO can do to increase the capacity of member states and partners to meet these costs and achieve the end goal of a secure accreditation process.

Colonel Jaak Tarien, Director, CCDCOE, closed the event by noting that the world is getting more complex as things happen simultaneously in today’s security environment. Nations need to improve their information sharing to allow for joint timely and credible responses. We need to strengthen cybersecurity through the Cyber Defence Pledge and in close collaboration with partners.