On 6 June 2018 the North Atlantic Council (NAC) approved the Military Committee’s (MC) Vision and Strategy (V&S) on Cyberspace as a Domain of Operations, a significant milestone in the ongoing development of this Domain for the Alliance – essential for policy, capability and doctrine development as well as for guiding operational planning and mission execution. The high-level message up front: NATO must be able to defend itself in Cyberspace (during peacetime, crisis and in conflict) as effectively as it does in the other Domains, and must integrate Cyberspace into a coordinated cross-domain approach to achieve joint operational effects in support of NATO’s deterrence and defence posture. Furthermore, two guiding principles permeate the V&S, that effective Cyberspace defence requires ‘a persistent level of readiness’ and that ‘coordination of cyberspace operations … is best centralized’.1 Personnel throughout the Alliance must understand what this means in order to adapt and/or refine how we function to be able to support the ongoing development of our capabilities in Cyberspace. Those in the Air Forces in particular, charged with maintaining policy and doctrine, as well as those planning and coordinating the projection of Air Power assets, must ensure the Air Domain and rapidly developing Cyberspace Domain are aligned and ‘fly in formation’, or change their flight plan and alter heading as required.
Defence: Possess and Defend
Toward defending itself in Cyberspace, and though it may seem somewhat contradictory, the MC recognizes two lines of effort: NATO must possess and maintain its own networks (modern and secure, static and deployable) and at the same time be prepared to carry on with Alliance Operations and Missions (AOM) in a degraded environment in the event that attacks conducted in and through Cyberspace against our systems are successful. As far as possessing and maintaining our own networks, the NATO Communications and Information Agency (NCI Agency or commonly referred to as ‘NCIA’) is the principle Command, Control and Communications (C3) capability deliverer, Communications and Information Systems (CIS) service provider and Information Technology (IT) support organization for the Alliance, and this will not change in the foreseeable future. With a great deal of technical expertise and experience, formed into its current state in 2012 but with roots going back 60 years, NCIA is emerging as a premier agency for providing modern and secure networks. Aside from the more familiar services (such as the NATO UNCLASSIFIED and SECRET Networks), NCIA delivers a host of specialized support such as the Command and Control (C2) technology to support Ballistic Missile Defence (BMD), the Air Command and Control Systems (ACCS) and the Federated Mission Network (FMN)2.
NCIA and its detachments throughout NATO are highly trained and well equipped to provide the level of security necessary for its networks. Their Annual Report for 2017 admits, however, that vacancies, aggravated by a competitive market and cumbersome personnel regulations, meant it struggled to achieve the level of workforce required to make good on all of its service delivery demands.3 Despite fewer staff than required, the first-class skills and agility of its personnel are proven. It was NATO’s team of 30 cyber defenders led by NCIA that won the international Cyberspace Exercise ‘Locked Shields’ in 2018.4 Locked Shields is generally believed to be the ‘largest and most advanced live-fire cyber defence exercise in the world […] for national Cyber defenders to practice the protection of national IT systems and critical infrastructure under the intense pressure of a severe cyber-attack’.5 So, in terms of NATO’s own systems, the Alliance is at least ‘on course’ to providing, maintaining and defending its networks.
What of more specialized, aerospace systems and networks critical to NATO AOM but not provided or supported by NCIA? Michal Kalidova and Alexander DeFazio, from the Defence Investment Division of the NATO HQ International Staff, examined the defence of NATO’s aviation capabilities against attacks in/through Cyberspace. Unsurprisingly, they reported that our collective aviation assets (military and civilian) are heavily dependent on Cyberspace, and not only on traditional IT/CIS. This dependency extends through operational systems in our Air Operations Centres, Air Traffic Management (ATM) and other specialized mission systems and, finally, into our aircraft platforms themselves. They remind us that many of the aviation systems in use today were designed decades ago before the explosive growth of the Internet and the full extent of the threat of attack possible through Cyberspace was fully appreciated. Consequently, there remain numerous potential access points for would-be attackers, including ‘maintenance and logistics systems, radios and datalinks, and other systems that connect operators and platforms (i.e. aircraft, pods or weapons)’.6 Given the prominence of legacy systems and numerous potential access points, they concluded that the best way to defend aviation assets and systems from Cyber attacks ‘is through a combination of defence in-depth, resiliency and advanced defence measures’.7 Briefly, by ‘defence in depth’ they mean sound system design/engineering and efficient application management to reduce attack surfaces, having layers of barriers to thwart unauthorized access, borders to prevent lateral movement within systems, measures to deny privilege escalation and features preventing data exfiltration. ‘Resiliency’ refers to the ability to continue operating despite being under attack (a recurring recommendation). By ‘advanced defence measures’ they mean those procedures and tools to enable monitoring, detecting, isolating and defeating attackers, as well as incorporating Cyberspace into the comprehensive and well-established Aviation Safety and Airworthiness programs. While the V&S does not specify aerospace systems, the direction and guidance to achieve the requisite level of security certainly apply. Naturally, if the experts assess that defence in depth, resiliency and advanced defence measures are required, then it rests upon personnel at all levels in operational and supporting roles in the air environment to apply the necessary rigour to establish the goals and identify, implement and enforce the standards to achieve this level of security.
Defence: Prepare for a Degraded Environment
What of the second line of effort, preparing for the dreaded possibility of having to work in a degraded environment? If the defensive posture should fail and the integrity or availability of networks/systems are compromised, NATO must still be able to carry on with AOM. Despite the theft of designs8 and cyber defence vulnerabilities9, let us presume for the moment that the adversaries do not have the ability to infiltrate and degrade NATO’s flying platforms or tactical weapons systems and restrict consideration to IT/CIS and C2 systems. How prepared is NATO to operate in a degraded environment? Are NATO planners and coordinators able to ‘retrograde’, back to the point of using past tools such as pens and paper, grease pencils and plastic boards, telephones and faxes if necessary? We will not know the answer to these questions until we exercise under these conditions. The argument most often heard during exercises is that we can’t take down our systems since that will interfere with achieving the training objectives. Perhaps we need exercises specifically focused on planning, executing and coordinating operations in a degraded environment; it’s not unheard of as senior Russian officials insisted on doing just this after they discovered that their junior officers became too dependent on modern IT/CIS and were no longer able to conduct ‘low tech’ war.10
Integration with Other Domains
The second high-level aim is to integrate Cyberspace into a coordinated, cross-domain approach in the planning and execution of Joint Air Operations; this is not going to happen overnight. It is generally well-known that those personnel working in the Cyberspace Domain support air operations. Less understood is that the converse is equally true and accepting this could indeed represent a shift in culture. Until this shift is achieved, there will remain a requirement to actively ensure commanders at all levels, and their staff, are continually kept appraised of the operational dependencies on Cyberspace and the related risks to the mission, as well as the importance of both mitigation measures and responses. Though the Air Force’s historical advantages were speed, reach and precision when compared to the other traditional Domains, effects in and through Cyberspace can be delivered faster, further and with greater precision. But, as we strive to achieve joint effects, we must avoid such comparisons that serve to distinguish Domains. Rather, it must be determined where and how these unique characteristics of Cyberspace can be brought to bear in concert with the other Domains to achieve the greatest impact, the greatest advantage in terms of gaining superiority and in freedom of movement, whether within a Joint Operations Area (JOA), a larger Area of Interest (AOI), or the global commons in general. This is a greater challenge today given the modern capabilities of near-peer states. In turn, Air, Land, Maritime and/or Special Operations Force assets must also be considered for defending assets/capabilities of the Cyberspace Domain when possible and appropriate. A typical scenario to demonstrate where this might be applicable is when the source of attacks through Cyberspace against NATO can be reliably pinpointed to a structure housing a data centre or a server farm within enemy territory. The Joint Force Commander in this instance might consider using [or employing] Air Forces to launch a kinetic strike to destroy the systems in order to stop the attacks. Another potential scenario could include where a combatant is identified as a key agent in the C2 structure continually directing/coordinating attacks on [or against] NATO in/through Cyberspace. This agent could legitimately be considered for assessment and inclusion in the commander’s targeting cycle by any number of means available to them in order to stop, or at least delay, further attacks against NATO. The V&S acknowledges that, if the only, or most appropriate, response is assessed to be offensive effects through Cyberspace, this integration must include a mechanism for NATO to seamlessly incorporate sovereign capabilities provided voluntarily by allies – in other words the ability to leverage a member nation’s offensive capability via Cyberspace when necessary, but not develop or generate offensive effects itself. After all, NATO remains a defensive Alliance and currently has no plan to develop its own offensive capabilities for the Cyberspace Domain.11
Readiness: Train as You May Have to Fight
The V&S stresses the importance of having highly educated and well-trained forces employed in the Cyberspace Domain. Along with member nations developing and training their own personnel, NATO must ensure realistic and challenging exercises, not only for the Cyberspace experts (such as ‘Locked Shields’ and ‘Cyber Coalition’12), but ensure that the Cyberspace Domain is a key part of its major exercises, fully integrated with the other Domains. NATO is not unlike member nations when it comes to exercises, the combatant commands of which often ‘conduct training in a relatively benign cyber environment which is unlikely to exist … [that] provide the warfighter with a false sense of confidence about the scope and magnitude of the cyber attacks facing the Department’.13 Exercise Trident Javelin 2017 was a breakthrough exercise in this respect, where the Cyberspace Domain achieved a great deal of prominence, and progress was also made in Exercise Trident Juncture 2018 where responses to Cyberspace incidents included a broad view of the entire Theatre and focused on Mission Assurance. But, this momentum must be maintained. Work is still required to better represent Cyberspace as a Domain and improve the Commander’s understanding of the nature of Cyberspace operations and the implications of the integration in military operations.
Readiness: Alliance Teamwork
The V&S is intended to be comprehensive, to span the entire Alliance. There’s no sense in having a few or even one member nation not aligned with this strategy since the security of the systems spanning NATO will only be as strong as its weakest link. The ‘Cyber Defence Pledge’14 agreed to at the Warsaw Summit, is addressing the requirement for member nations to defend their own networks, military systems and critical infrastructure. Still, there are mechanisms in place now to facilitate mutual support if/when required (such as the NCIA-provided, Cyber Defence NATO Rapid Reaction Team) and NATO will work towards achieving greater coordination and linkages with member nations’ incident and response options including intelligence sharing, military-civilian cooperation and collaboration with industry and academia. Member nations are encouraged to invest domestically to grow and develop talent at home and in order to assist NATO with addressing shortages of Cyberspace experts in the NATO Force Structure (NFS). Alliance nations will employ the NATO Defence Planning Process (NDPP) to guide the development of Cyberspace capabilities to meet NATO’s requirements, once again leveraging the knowledge of industry, academic and civilian stakeholders by fostering unity of effort.
Centralized C2 of Cyber Forces
The second of the V&S’ two guiding principles in the pursuit of adequate self-defence is that ‘coordination of cyberspace operations … is best centralized’.15 It should come as no surprise to Airmen that the structure for the most effective C2 over operations in the Cyberspace Domain would emulate the time-tested structure of that in the Air Domain where the span of control over forces is best exercised through the Joint Forces Air Component Commander. Similarly, the creation of the Cyberspace Operations Centre (CyOC)16, as part of the adapted NATO Command Structure, will establish the equivalent of the Cyber Component staff for the theatre. It will strengthen defences by providing operationally-focused ‘incident management, situational awareness and Command and Control’17 and facilitate integrating the Cyberspace Domain into planning, execution and coordination of exercises and operations.18 CyOC staff will liaise with Nations and coordinate the integration of sovereign Cyberspace effects provided voluntarily by Allies in AOM. This level of integration demands a high level of situational awareness of our own networks/systems. Having a clear picture of the state of Alliance Cyberspace, its defences and C2 platforms in order to coordinate activities is a must and will be accomplished through Cyberspace Situational Awareness Tools. Considering investment/procurement, getting the right tools for the job is critical to achieving the proper Situational Awareness and must be done without the complications that have hounded and delayed other large programmes in the recent past; without it, centralized C2 of Cyberspace forces will be irrelevant and the consequences severe.
Digitization and hyper-connectivity of our society in this Internet era presents a challenging battlefield for NATO. The Alliance must protect its information, networks and systems during peacetime, crisis and conflict. The potential targets are wide-ranging and span the entire spectrum of our modern, digital society (civilian and military), strikes against which can achieve operational and strategic effects while remaining below the traditional thresholds for crisis and conflict. The direction and guidance in the V&S applies not only for those formulating the appropriate doctrine and policy, but for those that influence planning operations and exercises in the Joint Air Environment and for the successful execution of AOM and other core tasks. Commanders must be provided the authorities and resources to carry out the associated tasks along with the tools necessary to provide the appropriate SA. To this end, the V&S is a sound flight plan to support the development of Cyberspace doctrine, policy and capabilities in a multi-domain approach that serves to maximize the potential of Cyberspace Forces. With this in mind, the V&S will only be successful with the full support of the member nations and their personnel in all levels of command.
Another important milestone will be reached when the official NATO Cyberspace Doctrine is approved by the NAC. While the AJP 3.20 Cyberspace Operations Doctrine was drafted in January 2016, it is in its third iteration and it is hoped we will see this ratified before the end of 2019. Though drafted before the V&S, in its current form, AJP 3.20 reflects the V&S’s key elements.