The first steps of the Alliance in building an organized cyberspace defense system. But states want to keep their cyber operations secret
At the 2018 NATO summit in Brussels, the 29 members of the alliance agreed to set up a “Cyberspace Operations Center [CyOC] in Belgium to provide situational awareness and coordination of NATO operational activity within cyberspace.” By August 31, 2018, the center was stood up in a trial structure at the Supreme Headquarters Allied Powers Europe (SHAPE) in Mons, Belgium. And six months later, Laura Brent, Cyber Defense Officer at NATO HQ, proclaimed that “CyOC serves as NATO’s theatre component for cyberspace and is responsible for providing cyberspace situational awareness, centralised planning for the cyberspace aspects of Alliance operations and missions, and coordination for cyberspace operational concerns.” Roughly by 2023, the center is expected to become fully operational with a projected 70 staff.
Over the course of the last year, more and more information has trickled into the public domain as to how NATO’s CyOC is supposed to function in practice and how the alliance envisions leveraging the center in the future. However, the question of how an adversary might exploit the CyOC setup, for the sole purpose of creating friction within the alliance, has not been widely explored in public. So let’s see what havoc we can wreak.
CyOC supports the alliance in two areas: First, the Center is tasked with enabling the Supreme Allied Commander Europe (SACEUR) to conduct NATO military operations in cyberspace. Meaning, while Allied Command Operations (ACO) supports the SACEUR on the overall strategic planning for military operations, CyOC serves as the fulcrum that integrates and coordinates national sovereign cyber effects. CyOC’s existence is necessary because, in contrast to NATO’s realspace military cooperation, allies are inherently unwilling to share any tactical insights into their covert offensive cyber operations. Thus, if cooperation is impossible to create on the tactical level, the only possible way forward was to build a center that would strategically coordinate how individual member states could voluntarily use their offensive cyber capabilities in support of NATO military operations. Col. Donald Lewis, deputy director of CyOC, explained it best by noting that, “NATO doesn’t do offensive cyber, but it will integrate actions from sovereign nations who are capable and willing to provide them, but under their national responsibility.”
CyOC’s second task is to provide ACO and the SACEUR with a comprehensive situational awareness on the alliance’s threat landscape in cyberspace. This includes (a) threat aspects, ranging from forensic malware analysis and open source intelligence (OSINT) collection, to the gathering of indicators of compromise (IOCs) for malware detection. It also encompasses insights into (b) NATO’s own communication and information systems. As Ian West, chief of cybersecurity at the NATO Communications and Information Agency succinctly put it, “our ultimate aim is to be completely aware of our cyberspace, to understand minute-by-minute the state of our networks so that commanders can rely on them.” And, it further includes (c) mission aspects for the mission owners, such as gathering intelligence on adversarial system vulnerabilities to outlining political and operational constraints (e.g. actions that mission owners should not take). In essence, CyOC functions as a fusion cell for this wealth of information and therefore has to build and maintain relations with numerous agencies, organizations, and companies to fulfill its mission task.
Now, given that CyOC is still in its embryonic stage, and as Maj. Gen. Wolfgang Renner, Deputy Chief of Staff CIS and Cyber Defense at SHAPE, explained, “it isn’t even ready to announce its projected date to achieve Initial Operational Capability,” any overarching criticism of CyOC itself would be overzealous and premature. But what we can do is play around with a few hypothetical scenarios on how an adversary might turn the tables on CyOC.
In the first scenario, we will exploit how CyOC shares and collects information. According to open source, CyOC is envisioned to maintain three linkages – governed by NATO’s information exchange requirements (IER) – under which it receives and provides OSINT, IOCs, best practices, malware analysis, and a fifth item whose IER code is unknown to me. Those three linkages are between (1) CyOC and the 29 NATO member states, (2) CyOC and non-NATO nations (most likely selective members from NATO’s Mediterranean Dialogue, the Partnership for Peace program, NATO’s Partners across the globe, and the Istanbul Cooperation Initiative), and (3) CyOC and “Other Nations,” which are not further defined.
The obvious entry point we can identify is that CyOC is not limiting itself to the NATO Area of Responsibility, but is pulling in information globally, in line with the interconnectedness of cyberspace, the globalization of supply chains, and the dispersal of the same or similar software and hardware products around the world. Hypothetically, an adversary could exploit this information feed by providing one of the non-NATO nations with indicators of compromise – and even malware analysis – of offensive tooling that belongs to one of the 29 NATO members. Meaning, when that information travels to CyOC and is then disseminated internally, in accordance with NATO’s cyber defensive mission, CyOC would end up serving as the vehicle for burning allied tooling in-house and thereby creating institutional friction within the alliance. To some degree this move emulates – in a more targeted and non-public fashion – the release of adversarial malware samples on the crowdsourced analysis and malware repository site VirusTotal, as officially practiced by US Cyber Command since early November 2018.
The second scenario exploits how allies voluntarily employ their offensive cyber capabilities in support of a NATO military operation. The SACEUR is politically in a very difficult position. He has to place his trust and confidence in a member state’s cyber capability that he has no insight into. Meaning, from a legal point of view, the SACEUR’s approval and employment of said cyber capability makes him liable for any mishaps on the battlefield. Some SACEURs might not be willing to take this risk and could subsequently decline to leverage offensive cyber capabilities altogether. Complicating the legal situation is that the nation state which voluntarily executes the offensive cyber operation has its own command structure, and thus would retain liability for any misconduct as well. Therefore, if an adversary is able to portray an allied offensive cyber operation as a violation of international humanitarian law, it could kill two birds with one stone.
Imagine NATO conducting a military operation against a fictional country A. Two NATO members – Denmark and the US – are voluntarily offering their offensive cyber capabilities to CyOC. US Cyber Command executes its mission without hiccups, while the Danes run into a few problems but ultimately take down their assigned target as well. Country A triages the two incidents and determines that the attack on its missile defense system was highly sophisticated and self-contained, but the attack targeting its arms manufacturer was sloppy and could have potentially affected other targets. Country A makes the logical assumption that, because the SACEUR is and has always been a US officer, the sophisticated attack must have been executed by US Cyber Command. The second attack was deemed too sloppy for the US, so country A decides to run an information warfare campaign to see whose head will pop out of the water. Meaning, after a couple of days, country A’s media report that the arms manufacturer has been targeted by a sloppy cyber attack, and that the malware used also affected the life-support systems of a makeshift hospital, leading to the death of 21 children. The Danes now have a problem. The SACEUR now has a problem. At a minimum, I would expect the Danes to immediately pull out of CyOC and the SACEUR to shut down any future offensive cyber operations under his command. At a maximum, this might kick off a heated discussion within NATO that might culminate in Copenhagen banning the Danish MoD from conducting offensive cyber operations and future SACEURs not trusting any allies – apart from the US – to hit targets in cyberspace. Depending on the outcome of the subsequent Danish investigation, things might cool down in the long run, but conducting offensive cyber operations will become highly contentious domestically.
The two examples have shown how an adversary could theoretically wreak chaos within the alliance by leveraging how CyOC works. Practically, it might be an entirely different story, depending on how far an adversary is willing to go to achieve a certain effect. Time will tell whether CyOC is the vanguard of the alliance or will become the Achilles’ heel for its downfall in cyberspace.