"Any future war will have a cyber dimension"
As part of our conference co-organized with the British Embassy “Defending critical communication infrastructures against bot and troll armies in Central-Eastern Europe”, we interviewed Attila Mesterházy, President of the NATO Parliamentary Assembly. He explains his perspective on NATO’s strategy and top priorities in the cyber domain, and NATO’s role in handling the coronavirus crisis.
While the European Parliament is well known, the NATO Parliamentary Assembly’s functioning is known to a much lesser extent for the wider public. What does this parliamentary assembly do? How are its members elected, how are the decisions made, and what is the main role of this assembly?
The NATO Parliamentary Assembly brings together 266 national legislators from the 29 member countries of NATO (very soon 269 from 30 member countries when North Macedonia’s accession has been completed). Unlike members of the European Parliament, NATO PA delegates are members of their national parliaments. Each parliament appoints a delegation which must include representatives of both majority and opposition. Many of them sit in their national defence or foreign affairs committees and, thus, have a particular interest in and expertise on transatlantic relations, security, and defence.
The NATO PA meets twice a year in plenary format and many more times throughout the year in smaller formats. It provides a forum where members of parliament can exchange views and consult with their counterparts elsewhere in Europe and North America on all aspects of the transatlantic relationship. This helps them better understand these other countries’ priorities and constraints and reach common views on shared security challenges. The NATO PA is institutionally separate and independent from NATO and has no legislative power. However, its influence lies in the fact that it provides NATO and NATO governments with a sense of parliamentary – and public – opinion on NATO and NATO’s actions.
Like parliaments, the Assembly discusses and adopts reports and resolutions which examine the key issues on NATO’s agenda. Together with the briefings that the Assembly receives from NATO officials and other experts, they are valuable resources for parliamentarians in their national legislative work. At the same time, these documents – which are all public – help inform citizens about NATO’s priorities and actions.
What does the NATO cyber policy strategy consist of? What are its priorities?
The world is becoming increasingly more connected. But this also means that cyber threats are skyrocketing. That is why cyber security, defence, and deterrence have become matters of urgency for NATO as well as the NATO PA. The Assembly follows the evolution of NATO cyber policy very closely. Last year, the Assembly adopted a report and resolution on how NATO can strengthen cyber security, defence, and deterrence. Our Rapporteur Susan Davis, a member of the US House of Representatives, did a great job outlining NATO’s policies and priorities as well as addressing the areas where NATO and the member states could do more.
Since 2014, NATO has made it clear that cyber attacks can rise to the level where they threaten an Ally’s territorial integrity, political independence, or national security, which could lead NATO to invoke Article 5 – NATO’s collective defence clause. In the years since, cyber security, defence, and deterrence has become an unambiguous part of NATO's core tasks, and the Alliance has implemented the steps to make this a reality.
As in any other military domain, NATO’s overall policy rests on cyber security and defence, on the one hand, and cyber deterrence, on the other. In practice, this means that NATO and the Allies do their utmost to reduce cyber vulnerabilities, block access points to their systems, and minimise the potential impact of breaches.
Unfortunately, despite the best countermeasures, attackers will often find the vulnerabilities, gain access to systems, and succeed in their attacks – if they have sufficient time, skills, and resources. Therefore, it is very important that Allies can deter cyber attacks from taking place in the first place. By now, any potential opponent should have realised that a sufficiently harmful cyber attack against one Ally will be considered an armed attack against all. In that case, Allies will stand shoulder to shoulder with that Ally and invoke Article 5 to collectively defend themselves.
At the NATO level, I see five distinct priorities at the moment:
First, NATO continues to refine its strategies and policies and to make these crystal clear to all potential adversaries. This is the key to successful deterrence and reducing the risks of escalation.
Second, Allies continue to develop the right cyber capabilities for our armed forces. NATO as an institution plays an important role through the NATO Defence Planning Process (see more below).
Third, NATO is increasingly focused on how to integrate cyber capabilities – voluntarily provided by individual Allies – in NATO operations and missions, so that we can defend ourselves as effectively in cyber space as we do in in the air, on land, and at sea – in line with NATO’s defensive mandate.
Fourth, Allies engage in very concrete cyber cooperation. NATO protects its own networks, of course. But it also enhances cyber security and defence in Allied states through awareness raising, education, training, exercises, information sharing, and mutual assistance.
Fifth, a strong network of partners is essential to address our cyber challenges. NATO therefore engages with a wide range of partners, including industry, academia, partner nations, and other international organisations, most importantly the European Union.
What is the relation between national cyber security strategies of the allies and NATO’s cyber strategy?
It is, first and foremost, member states who must bear the primary responsibility to defend themselves in cyber space. Under NATO’s Article 3, each Ally has an individual responsibility to maintain and develop both individual and collective capacity to resist armed attacks. Since cyber space is now a military domain like any other, Allies must also live up to their cyber responsibility. They do so primarily through the NATO Defence Planning Process.
Under the NATO Defence Planning Process, each Ally sets national planning targets, and the other Allies regularly examine whether the Ally has met its established goals and mandates. Cyber Defence Capability Targets include targets on cyber defence governance, response capabilities for NATO networks, and education and training programmes. Moreover, at the 2016 Warsaw Summit, Allies committed to a Cyber Defence Pledge. Under the Pledge, member states vowed to improve their cyber resilience and response capability and conduct annual self-assessments.
That being said our cyber systems are, of course, very much connected in the Alliance. And the weakest link could bring down our defences. This is where NATO adds a lot of value. The list is long, but the Alliance has joint bodies and tools to:
- jointly develop capabilities;
- cooperate on and exchange best practices;
- work together on situational awareness, information sharing, and shared assessments;
- help enhance skills and awareness, including on ensuring a better gender balance and diverse workforce in the cyber field; and
- foster and engage in joint education, training, and exercises.
What are the biggest challenges for NATO in the cyber space? How could we overcome them?
Challenges abound in the cyber domain. We cannot become complacent, but we are making progress on a great many of them. As an Alliance, we are upping the security of our systems, becoming nimbler in our defence, reinforcing deterrence, and supporting international norms- and confidence-building measures.
But let me address the biggest challenge we have identified last year: the rise of persistent cyber campaigns. Increasingly, we see potential adversaries conduct campaigns of connected cyber operations which do not seek the immediate knock-out punch but which over time try to corrode our sources of power. Such persistent campaigns often combine cyber operations with other actions that probe and exploit our weaknesses, for example through political and informational means, economic intimidation, and manipulation. The attacks on electoral process in the Alliance in recent years are key examples. And our colleague Susan Davis also addressed these in a 2018 report and resolution.
I believe such persistent cyber campaigns pose bigger strategic risks than more ‘episodic’ or ‘opportunistic’ cyber operations. And Allies have begun defining and refining their policies to counter such persistent campaigns. The United States, for example, has substantially changed its cyber policy as a result. The Pentagon’s new Persistent Engagement strategy does not limit itself to a merely defensive posture of safeguarding its own internal networks and responding to breaches after they occur, but instead “defends forward”, seeking to halt or at least disrupt malicious cyber activity at the source.
Addressing this challenge must start with recognising the long-term strategic risk. Next, NATO and Allies must counter such campaigns with the right mix of security, defence, and deterrence, including increased civil preparedness and resilience. It was good to see that at a May 2019 meeting of Allied National Security Advisors took a first step in this direction. But a more intensive debate about how to respond should take place within the Alliance.
How can we defend ourselves against disinformation and cyber warfare? What are the necessary countermeasures on societal and individual level?
Disinformation is certainly not a new phenomenon, but its extent has reached alarming proportions in recent years due to technological innovations and especially the social media revolution. It is particularly disruptive when a powerful state, such as Russia, decides to use disinformation deliberately to attain its foreign policy goals. As a result, we have to deal with coordinated, targeted attacks by ‘traditional’ propaganda channels such as RT or Sputnik, but also with the wide employment of internet ‘trolls’ and ‘bots’. Disinformation is not just about baking ‘fake news’ or extremely biased ‘analysis’ – it’s also about sowing confusion and distrust in any kind of information. The future of disinformation could be even more disturbing if the ‘bad guys’ master techniques such as ‘deep fakes’. Unfortunately, there is no silver bullet to address this problem. Our potential adversaries have a certain advantage because they are not bound by ethical constraints. Also, flooding the information space with fake news is easier and can be done faster than countering all these claims with evidence. But I like to recall the famous phrase by Abraham Lincoln that “You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time.” The Kremlin’s lies and disinformation about the ‘green men’ in Crimea, the downing of the MH17 over Eastern Ukraine, or the poisoning of the Skripals in the UK became obvious to all rational people and did nothing but a disservice to Russia’s global image and its national interests. We have to be patient, refrain from engaging in counter-propaganda, and combine our efforts on all levels – from setting up multinational institutions such as the EU East StratCom Task Force, NATO Stratcom Center of Excellence in Riga, as well as national units charged with identifying fake news and hostile propaganda, promoting co-operation with traditional and social media, imposing penalties for spreading hate speech, blacklisting and freezing the assets of the most active Russian disinformation warriors, and, last but not least, investing in education to promote critical thinking and enhance the cyber literacy of our citizens.
When it comes to ‘cyber warfare’, some have raised the fear that states or the hackers they employ could carry out large-scale cyber attacks “out of the blue” and under the cover of anonymity, thus ‘shutting down’ a country. Of course, such attacks can never fully be ruled out, and NATO and Allied strategies and policies account for this. However, the risk of a so-called ‘cyber 9/11’ or ‘cyber Pearl Harbor’ are smaller than media headlines would have you believe. For one, governments, private companies, and research organisations are getting better at and more confident in attributing malicious cyber operations. Moreover, just as no modern war can be won by relying on only one set of military capabilities, a ‘pure’ cyber war will likely not succeed. Shutting down a country’s energy supplies will certainly cause widespread chaos, damage, and probably lives lost, but it will not win a war – unless you follow up with other military means.
This leads me to a different point about cyber in warfare: any future war will have a cyber dimension – just as it will have an air, land, and naval dimension. The reason is that cyber attacks can produce significant military effects when integrated with other military operations. Cyber attacks can, for example, help armed forces collect intelligence or degrade, disrupt, or destroy military command and control networks or weapons and sensor systems. In a longer war, civilian critical infrastructure - for example, power and electricity networks – or defence industry facilities could also become targets. And this leads us back to providing our armed forces with the right cyber capabilities, so that our aircraft can take off, our troops can move, and our ships can protect our seas.
According to a recent EEAS report, Russia is using its disinformation apparatus to sow panic in the EU and the rest of the West. It is using contradictory, confusing and malicious reports to make it harder for the EU to communicate its response to the pandemic. What should be the technological or media organisations’ role in countering such emergencies?
This was a very important and timely report by the EEAS. Indeed, the Kremlin information warriors thrive in this kind of crisis situations. The coronavirus emergency is also convenient for the current regime, as it distracts citizens’ attention away from Russia’s economic troubles as well as Mr Putin’s cynical tampering with the Constitution in order to stay in power after his term expires. Moreover, the crisis can be exploited by the Kremlin propagandists as evidence of the West’s decadence, of the inefficiency of liberal democratic political systems, and of the impotence of the EU and NATO. In terms of our response, we should first and foremost demand greater responsibility from social media giants to get their house in order and redouble efforts to remove inflammatory and misleading content. Responsible media, civil society organisations, and activists – such as internet ‘elves’ – also have an important part to play in identifying disinformation attacks and encouraging citizens to choose information sources responsibly. We should also support the development of technological solutions, such as the use of AI and data-centric technologies to assess the information environment and identify threats in a timely manner. However, more importantly, our European and Euro-Atlantic nations and institutions should focus on actually demonstrating their solidarity and capacity to deal with such formidable crises in an efficient and co-operative manner, thereby narrowing the scope for disinformation attacks by hostile powers.
During the COVID-19 epidemic, NATO has been playing an active role, for example in Italy, by setting up field hospitals to assist Italian efforts of contain the virus. However, the European and Western audience is more informed about Chinese or Russian „help” provided to Italy than that of NATO’s efforts. Why do you think NATO has failed to deliver this important message to the local and Western audiences in times of crisis?
Although any help, wherever it comes from, is of course welcome in the current circumstances, it is clear that Russia and China have a particular interest in publicising their assistance to Italy and other affected nations. This fits particularly well with their attempts to divide Europe and NATO by cultivating relations with individual nations. Russia and China also have the advantage that they are single and centralised actors. It is therefore easier for them to push their messages than it is for alliances of nations and multilateral institutions.
Of course, for NATO as a political-military alliance, a key priority at this stage is to ensure that its command-and-control and its military capabilities remain fully operational even as several personnel at NATO HQ as well as dozens of soldiers in its operations have been infected with the virus.
This being said, the more important point is, indeed, that NATO Allies have supported each other during this crisis both bilaterally and collectively. France, for instance sent 1 million masks and 200,000 protective suits to Italy; Germany provided substantial assistance to Italy as well — as much as China has so far. Besides, one should not forget that Germany and other European countries, including Italy by the way, provided considerable assistance to China itself in the initial phases of the crisis.
You may argue that more could be done, but it will probably surprise many people to learn that NATO actually has capabilities which can assist nations in a health crisis. First, of course, the armed forces in many NATO countries have been called in to help – setting up field military hospitals, transporting medical supplies, and dispatching COVID-19 patients to hospitals in less affected areas. Just recently NATO planes flew in medical supplies to the Czech Republic, Slovakia, and Romania. At the same time, and this is a lesser known dimension of NATO, the Alliance maintains networks of civilian experts in many areas, including civil protection, which it can draw upon whenever their expertise is needed. Last but not least, the Euro-Atlantic Disaster Response Coordination Centre (EADRCC) serves as a clearing house for requests of assistance from NATO members and partners for all sorts of disasters ranging from forest fires to earthquakes to technological incidents. Both Ukraine and Spain have in fact submitted requests of assistance to NATO through the EADRCC in relation to the COVID-19 emergency.
I should also note that while NATO is playing its part in helping stricken nations, the EU has vastly more resources in dealing with this crisis, especially when it comes to helping our economies. I applaud the recent proposal to launch a 37-billion Euro plan to help member states deal with this crisis– by the way, this plan is very generous towards my country, Hungary.