Credits: Sky News
A few days before visiting NATO’s cyber defence centre, journalists were asked to submit their passport details and the serial numbers of every electronic device they planned to bring with them.
The cyber defence centre is officially known as the NATO Communications and Information Agency, or NCIA. Militaries love acronyms. It is co-located with SHAPE, the Supreme Headquarters Allied Powers Europe, at a military base in Casteau, just north of the Belgian city of Mons.
Security procedures at SHAPE are military standard. Photography is prohibited everywhere on site. The journalists were forbidden from travelling anywhere without a chaperone, and the roads leading to the base's entrances have even been scrubbed from Google Street View, presumably to deny would-be attackers low-cost reconnaissance of the site.
Cyber security is still relatively new for NATO, or the North Atlantic Treaty Organisation, which will celebrate its 70th anniversary this year.
The treaty itself was signed on 4 April 1949 by 12 countries following the Second World War in the face of an expansionist USSR, and the alliance now has 30 member states including the newly joined North Macedonia.
Its key purpose is the principle of collective defence, underlined by Article 5 of the treaty which establishes that an attack against one ally is considered an attack against all.
Jens Stoltenberg, NATO’s secretary general, has warned that cyberattacks are capable of triggering Article 5, although there are specific concerns about the standard of attribution needed to declare war over such an attack.
Speaking to Sky News at NATO’s headquarters in Brussels, Dr Antonio Missiroli, the organisation’s assistant secretary general for emerging security challenges, said that the threshold at which a cyber attack would be considered an act of war has been kept deliberately vague by the alliance, to allow greater political flexibility in responding to such an attack.
Of course, simply declaring war isn’t the purpose of the alliance. NATO is committed to defence, and securing NATO’s networks is the core job of the NCIA.
The organisation covers more than 60 different locations, from its political headquarters in Brussels through to military commands and the sites of NATO operations in Afghanistan.
The team there deals with 500 incidents a month, with an incident defined as a computer network event which requires human intervention.
The kinds of intervention vary, as Christophe Vandeplas, a cyber security analyst in the NCIA’s rapid response room, explained to Sky News.
The room itself lies past hallways, the longest one named after former US president Dwight Eisenhower, the first supreme commander of NATO – a position which has always been held by US military generals.
There were no iris scanners or armed guards past this corridor, however, just an old-fashioned sign-in sheet with a pen sellotaped to a piece of string.
Journalists were walked past the cryptographic vault, or at least the first of four combination-lock-protected doors leading to a Faraday-caged room holding every cryptographic key used by NATO.
Surreal health and safety posters hung beside security awareness posters warning staff to keep an eye out for anything which seemed as if it shouldn’t be there.
Inside, a wall-mounted monitor showed a commercial threat intelligence feed from an American cyber security company, carrying reports of new malware threats the organisation needed to be aware of.
Were the journalists not in the room, other dashboards would have been displaying military intelligence from NATO allies. At the time, they showed alerts from a UK telecommunications firm and a so-called “real time” attack map of the sort popularly mocked up by a number of cyber security companies.
In this case the map belonged to Fortinet. The staff claimed it wasn’t completely useless, although they confessed it was “eye candy” for the journalists present.
“It tells us what Fortinet is detecting,” explained Ian West, the chief of cyber security at NCIA.
“What we’re interested in is the unseen material,” said Mr Vandeplas, a civilian who had previously worked for the Belgian ministry of defence.
Mr Vandeplas wore business casual clothes, as did Mr West and Dr Missiroli. Many of the staff present at the NCIA, however, were serving military personnel from NATO member states, including Germany, Turkey, the UK and Italy.
The dominant cyber threat actors NATO needs to worry about tend to be the dominant actors in other domains as well.
Russia and China have both exercised well-resourced cyber capabilities in recent years, while Iranian hackers have also been identified targeting computers of national security interest.
After recognising cyber space as a domain equal to land, sea, and air, NATO established what it called the Cyber Operations Centre, or CyOC, in Mons.
Although it won’t be fully operational until 2023, the CyOC will have 70 staff analysing hacking threats and attacks on NATO’s networks, which are logistically key to all operations in the field.
Clothing depended entirely on whether the staff were military personnel or not, but Sky News didn’t spot anyone wearing a faded NASA t-shirt.
Over the last two years, NATO’s cyber security analysts have identified more than 300 zero-day vulnerabilities in popular software: previously unknown flaws, so called because the vendor has had zero days to prepare a fix by the time they are found.
When these vulnerabilities are identified by governments such as the US and UK, they go through an equities process in which the state decides whether a flaw is more valuable to hold on to and use for hacking, or whether it is more important to disclose it to the vendor so it can be patched.
According to Mr West, NATO always discloses the vulnerabilities it discovers because of the organisation’s defensive remit.
This is an interesting interpretation of the role of computer network exploitation, or CNE, within international law.
It suggests that NATO regards CNE as a fundamentally aggressive activity, similar to breaching physical territory with a tank or ship.
NATO’s staff in Belgium explained to Sky News that the organisation does not want to hold such capabilities itself, preferring them to remain the sovereign capability of its member states.
This is not the same as saying the organisation disapproves of them.
Six allies have volunteered their offensive cyber capabilities to the alliance. The US, the UK, France and the Netherlands are widely known to have exceptional signals intelligence agencies and skilled government hackers capable of breaking into target networks.
The other two, Estonia and Denmark, also possess considerable talent and are signalling significant confidence in it by offering it as part of any NATO response through the CyOC.
Russia and China signed a cyber security pact in 2015 and have spent years seeking to control the spread of networked computers domestically, whether in Russia’s case through corruption of private companies or in the case of China through the so-called Great Firewall.
Both states have also engaged in military co-operation, performing joint naval exercises in the Baltic Sea, where NATO also holds its annual training operations.
The cyber security agreement mainly established non-aggression between the two countries, both of which are regularly accused of supporting attacks against western nations.
However, the agreement also stressed the concept of “cyber sovereignty” – in which their respective governments could control and monitor everything that their citizens had access to online.
There is no indication of an offensive capability being shared between Russia and China in the way the six NATO allies have offered theirs to the alliance.
If that were to change, however, NATO’s Cyber Operations Centre aims to be on the front line.