
08.11.2009, 18:36

NCBC 2nd Panel Speeches: Cyber Security as a Challenge for NATO

Tomáš Valášek:

My name is Tomáš Valášek, I am director of foreign policy and defence at the Centre for European Reform in London and also a member of the Board of the Slovak Atlantic Commission, which has put together this conference and it is my pleasure to chair our second panel of the day on cyber security as a challenge for NATO. Last Friday, on a very cold, sleepy morning in Luxembourg, twelve men and women, the Experts Committee writing the new Strategic Concept got together for the first time to start work on a document. They all have to seek compromise and consensus on quite a few controversial issues, but possibly, none will be as complicated and as thorny as whether to expand the scope and definition of Article 5, the clause that obligates the Allies to come to one another’s aid if attacked. The difficulty is, we do not know what an attack really means these days. I mean, during the Cold War it was obvious, Article 6 of the Atlantic Charter says, or the Atlantic treaty says, it is an armed attack on the territory of NATO member states and we all figured that means when thousands of Russian tanks are rolling or when you see hundreds of missiles streaking across the skies. That is an attack, we need to act. By 2009 things are simply not that simple anymore. What the attacks, cyber attacks on Estonia in 2007 have proved, is that you can cripple the economy of a country, with severe effect on the economy of a country, using nothing more than computers. And therefore, a couple of concerned governments, the Estonian one, represented here by defence minister first and foremost, but other governments as well have put the issue on NATO’s agenda. Should we expand the scope of Article 5 to include cyber attacks? Should the Allies be obligated to act if one of them comes under an attack?
Now, no country has had, as I mentioned, as personal and direct, and bitter experience with the subject, as Estonia, which in 2007 came under such cyber attack after of course the events surrounding the memorial to Russian soldiers. It is therefore no coincidence, that we have not one, but two Estonian panelists in this group of experts, who will help us illuminate the issue and let me introduce them in the order in which they will speak. On my far right, geographically, not politically, His Excellency Jaak Aaviksoo, Minister of Defence of Estonia, on my immediate right, Major General Glynne Hines, Director of the NATO C3 Staff, on my immediate left Colonel Ilmar Tamm, director of the Cooperative Cyber Defence Centre of Excellence in Tallinn, and on my far left again geographically, not politically, it is Lieutenant Colonel Robert Kosla, manager for national security advance industry at Microsoft’s Central Headquarters for Central and Eastern Europe in Munich. Gentlemen, I hope that we can shed more light on the Article 5 cyber security issue today. I personally would love to know how serious a threat cyber attacks are and of course, the minister will speak from personal experience on the subject. What are the defences, what do we do? Obviously, we can defend by strengthening our software, but should we think of deterrence and retaliation as well as the tools in our arsenal? And what is the role for NATO? NATO is first and foremost a military alliance, so what can it do and what has it already done to help deter and also defend against cyber attacks? So without further ado, your Excellency, could I ask you to kick off the proceedings?

H.E. Jaak Aaviksoo:

Thank you. First, let me start with thanking the organizers for the invitation and the opportunity to address this to the audience. I would like to start from a short reflection on spaces. I think, going back in history, I do not know how many thousands of years we end up in land-based conflicts only. Seas came next. With enemies arriving on our shores and we had to defend ourselves, arriving from nowhere. Let’s reflect how the Americans welcomed the first European colonizers. The next space we conquered was air and it was immediately used for both military as well as for defence. We have been kind of expanding in space when thinking about security and national security. The virtual reality, the cyber space, the interlinked computers, the networks, the servers - they are now spread all over the world around starting from research networks and ending up so deeply embedded in modern societies that we sometimes forget about how dependent we have become on all of those structures and services with all those virtual spaces. And of course as national in the very beginning we never thought it may become a threat to our personal security and forget about national security. Of course we knew the experience of our computers being stuck or different services being down even if most of us have experiences with viruses or bugs in our computers. But when you personally experience the situation where literally you feel that not only your computer is down but the services you have used, the banks, the online news are down, the emergency number is not working. Then you are kind of scared and start feeling uncomfortable. This is no more a personal threat, a minor mistake, a bug, problem, but you kind of feel threatened in abstract sense of the word. What is going on? And you start asking questions: “Why is that happening? Who is in charge? Who is responsible for it going on?” In a few steps you end up in asking questions on the national level.
Well, it was not that tragic in April and May 2007 but we got the message that we are moving in that direction. And this experience has been picked up by the Estonian government, but also by a number of other governments, even of NATO. The paper on that issue was quite a big number of national concepts concerning and addressing cyber defence issues. So I think we have almost agreed that cyber defence, cyber threats, cyber attacks and last but not least imaginary, cyber wars are relevant issues to be addressed in NATO and not only in NATO. We are willing to incorporate these concepts into our strategic concept, into our routines, our competence and capability building initiatives and a number of other documents. What is characteristic is, that the statement by RAND Corporation, which produced lately a monograph for US Air Force that addresses the complex and challenging nature of cyber space in a very precise and I think a fitting manner, saying cyber space is its own medium with its own rules. It is a very special medium. A number of concepts concerning security related ideas break down, they cannot be used in the case of cyber space. And I am trying to reflect a little bit in that direction. One specific feature of cyber space and cyber attacks is the fact, that they are not enabled through the generation of force, but rather by the exploitation of the enemies’ vulnerabilities. We are forbidden to do things, we have not been able to repair, we have not been able to patch the loopholes and so on and so forth. Again of course the areas can be corrected, but the fast development of the technology creates new and new holes and possibilities for attacks. So, differently I think from physical space, new threats, new challenges are constantly created by the advancement of technology. We can never feel safe enough. So there is a little bit of a mystical nature with the threats in cyber space. Differently I think from a physical space we are much more used to.
Furthermore, cyber space is more ambiguous about who attacked, why attacked, about what they achieved or did they achieve altogether anything? Maybe those attacks were not meant to attack anybody, but were made just for fun. We do not know. In a number of cases we do not know. In principle, but not only in principle, an individual hacker can mobilize a million computers and not only in theory. Why did they do that? We usually do not know. There is a number of very specific questions, very specific topics we have to discuss, we have faced and are going to face in the future. Let me say in a few words about the recent macro-trends that we have noticed, to shape the subject we are going to discuss on this panel. First, we live in a year of a rampant cyber war capability development; what was impossible or even unthinkable a few years ago is possible today. What we also see is that cyber crime is sponsored not only by private firms for private interests and private gains, but also by state, possibly. Attacks have become carefully directed, with desired effects and with hidden motivations. Malware is spread through innocent websites run by ignorant owners. Statistically, there are at least two cyber terrorists in this room, potentially, because 2 percent of persons on computer are statistically inflicted with malware that can be used in cyber attacks. Check up, when you go back on. There will be news that even on conferences, on memory sticks, on conferences on cyber security, malware has been distributed by some joking partners of the conference. So again, there are surprises, here and there and we can never feel safe. Cryptography is increasingly entering civil sphere to defend yourself from leak of information. Automated attack networks, botnets are manipulated, semi-commercially made available for different interested partners.
Assuming that we will know, that we are under a cyber attack or find out about it soon enough a number of questions are made up in the air. Will we know who did it, who attacked us and can we forcefully link third-party attackers with state sponsors or with states who knowingly tolerate freelance or third party hostile operatives? That is the question of attribution. And this attribution is a problem both ways. When you want to attribute the attack to somebody, to make him responsible or the other way round, if somebody claims their responsibility, how can you find out whether he is right or wrong? A number of questions, and fundamentally, all the log files, all kind of information. Theoretically, it is almost impossible since there are no physical finger and footprints that we are used to take as trustworthy evidence, ever produced in virtual space. So we have to develop conceptually new approaches, defining what do we mean under beyond reasonable doubt in cyber space. What do we mean by beyond reasonable doubt? It looks like a dog, barks like a dog and acts as a cyber terrorist.

Even the examples that we have right now, given the possibilities for deception, manipulation, third party and freelance operators, it is extremely difficult to identify the true source and architect of sophisticated attacks in a way, that would lend itself to legal prosecution. So it is not only military or political decision, but in order to act effectively, we have to be able to attribute the attackers so that be as ground in legal prosecution. Why did they attack and what are they trying to achieve? And did they achieve it? It is a question of motivation and it’s intrinsically related to the second question and how can we retaliate and what are the thresholds for national or even allied response? If we can see that we will never reach certifiable digital clarity in the previous questions, especially as to the true identity of the attackers, we will lower our standards of proof or will we not explicitly regulate retaliation? Again, the question of beyond reasonable doubt and proportional reaction. Deterrence - should we have an explicit deterrence policy in order to rule for deterrence to be effective? Is cyber deterrence inherently possible, given its ambiguous nature and constantly present element of deception? Again, as my personal insight into this question, I would say that the meaning of deterrence in cyber space is again too ambiguous to carry any relevance. And as it is also impossible to disarm your possible opponent, the only relevant policy approach seems to be that of cyber defence. Again, this is something why I hope the participants of the panel can shed some extra light. Nevertheless, despite all the unanswered questions that explained positive background developments to share, before those attacks in 2007 in Estonia, interstate information system protection and military cyber defence were issues that suffered from chronic lack of attention.
Now it’s an issue that commands great political respect and the nerds that are finally being listed are being incorporated to solving the problems. As a former, at least professor of physics I find these cultural valuing real knowledge. Integrating the cyber specialists into our military and civil structures is clearly a powerful step forward. However, for Estonia, that hosts the NATO Cyber Defence Centre of Excellence, where we have a representative on the panel, as well as other states and interstates organizations dealing with cyber space issues, has various implications. Some of which are less positive than others, for instance, lack of coordination - in cyber defence coordination between different agencies responsible for different aspects of cyber defence is vitally important. We know that the ballistic missiles give us half an hour time, sometimes more, sometimes less. Cyber attacks give us milliseconds. The defence lines have to be in place and ready to act in real time. There is a fundamentally different approach which needs a networked structure already in place long before the real attack takes place. For NATO, of course, this is a well-known problem. We already think along the comprehensive approach but cannot yet act upon it. To be working with EU in the Balkans and Afghanistan or with UN elsewhere, cyber space in this sense demands a real comprehensive understanding of political strategy from the very beginning. And in that respect I think it’s a wise approach that on the NATO level we have said that cyber defences have first and foremost a national responsibility with all its complications on the national level. But, importantly, there is a strong coordinative need on the level of NATO and that is why the Cyber Defence Centre of Excellence is called Cooperative Cyber Defence Centre of Excellence, with the emphasis on cooperative. We need definitely more cooperation.
Comprehensive approach, more cooperation on national and international level - this is a concept of total defence. Total defence has to be based on the public awareness, one of the most important issues.

The topic of international regulation, legal, started from conceptual addressing the issue of cyber threats and cyber attacks. We have to work on the Council of Europe convention of cyber crime. But that is definitely not enough. Without truly global coverage, too big loopholes remain in addressing cyber defence in legal terms. What are the implications of all this for NATO? I think, we shouldn’t move that fast and start from Article 5 and cyber attacks. When we really feel that cyber attacks can be considered as an armed attack, I think the politicians as well as the military are able to decide. But for the time being, let us leave the cyber defence on national levels with the responsible agencies and try to coordinate both within NATO as well as in the international coordination. There is no need, I think, and even no possibility for the cyber Maginot line built by NATO partners along imaginable cyber space waters. And last but not least, the biggest challenge for NATO for the time being seems to be Afghanistan, Al-Qaeda and Taliban. Maybe they are better equipped for fighting in cyber space than we are. At least in the respect of public communication, they do. Their possible cooperation with other terrorists and criminal organizations hold potential that could become ever more threatening for us. Cyber jihad is not a matter to laugh about. So, ladies and gentlemen, I think this is a topic that needs our attention. We have got a long way over the last two or three years. Most surprises are ahead to come. I wish this panel a healthy discussion and I am ready to contribute further into the discussion. Thank you for your attention.

Tomáš Valášek:

Thank you, Your Excellency. I think it’s fair to say that we heard more questions than answers. So if I may, let me start pressing you, Your Excellency, for one or two answers. I’ll begin if I may, with the quotes and I’ll quote you and something you had written on cyber defence a while back. You have written not long ago that cyber attacks targeting sensitive sites, like power and water utilities should be considered a threat on the same par with the 19th and 20th century practice of besieging enemy ports. Now, one interpretation of the statement is that a cyber attack is an act of war. Can you explain what you meant by that? Because you have also just told us that perhaps national approaches rather than any immediate Article 5 response is the way to go.

H.E. Jaak Aaviksoo:

Imagine your ports threatened by enemy activity. I think you not only feel threatened, but you interpret it as an act of aggression against your country, economy, your freedom of movement. Times are advanced and we have become as dependent on e-services as we were five hundred or two hundred or a hundred years ago on maritime trade. If a society cannot function in cyber space, can modern society function at all? So it’s not a threat, an emotional act of hostility. It is a real attack to the sovereignty of a country. Well, of course, it all depends on scale and a real impact and so on and so forth. So I won’t go that far and tell that this was what happened in Estonia or in different forms in cases of other attacks some countries have known, but at least we have to be aware of this possibility. We have to be ready to react if that one day takes place. So that was my thinking behind that statement and I still stick to my statement some time again.

Tomáš Valášek:

Fair enough, thank you. Can I ask Colonel Tamm, staying with the Estonian team for the time being, to perhaps give us a little more detail on what really happened in June 2007? What did cyber attacks do in practice? We talk about it as a threat, as a scare, as a potentially crippling element that might hurt the economic interest of a country, but, what did really happen in 2007? And can you also enlighten the paradox, that the more advanced and the more networked and the more wired countries are, and Estonia is truly among the most e-connected countries in the world, in some ways the more vulnerable they become. So what exactly are the vulnerabilities, what exactly happened in 2007 and what can and what is the Centre of Excellence doing to help defend against future attacks and possibly deter such attacks in the first place?

Col. Ilmar Tamm:

Thank you, Mr. Chairman, first I would like to thank for the invitation by the Slovak Atlantic Commission. Sitting here in Estonian military uniform, actually, I am representing seven countries and not only Estonia. Seven countries from the NATO members have decided to establish Cyber Defence Centre of Excellence and our primary focus is actually not very operational. We try to analyze the incident and I think that partially came out as one of the hot topics you try to solve here. You all concentrate on the effects, what will be the worst case, what will happen. Rather the problem what we need to solve is to find the cause and try to take action on eliminating this cause and that’s not necessarily only patching the networks, you may actually do some diplomatic ways, some other economic ways which help you to react, so those things we need to keep in mind. My background is communication officer and I felt many times like an IT whom you say “Go and fix it”. But in cyber space I think it’s far beyond. Coming back to the Estonian case I wasn’t in Estonia this time, I was in Germany. I was one of the NATO officers working in LAN component command in Heidelberg. So I felt some kind of surprised, trying to get access to my bank account and couldn’t get access, couldn’t get the news and then I’ve seen some small interviews by BBC and German TVs and I start realizing that something’s going on, more what you can see on TV, on the street and something goes on on the network. Well, I’m not politician and I would argue that it was the first cyber war. I would say it wasn’t war, we haven’t seen cyber war yet. From my side, war could be in cyber space for developed state actors against each other, two or more, that in my mind could constitute cyber war and I also believe cyber war itself will be never ever conducted, it will be a part of other operation campaigns that will make sense to conduct in this way.
In Estonian case, after-action reports and analysis we have learned many lessons I think the first and most urgent lessons: Do not disconnect your systems when you have attack because you’re losing the evidence. You don’t have anything to analyze and you don’t have any good files to give for the investigation. And without that evidence you know what happens, you can not actually blame anyone, you cannot point the finger. So it happened in Estonia but it was the first reaction that normally happens and you cannot blame IT specialists and say “try to fix it, try to preserve the system as much as possible”. If we look what really matters, we could identify it really as a consequence of the political tensions and there was more or less emotional wave in cyber space. There was no specific sophisticated attack tools needed. It was pretty easy to follow and in the forums and blogs you go and hit the hyperlink and you are a part of the game. That’s what in the first phase happened. But then, of course, the media and the rest of the world is starting also to publicise that something is going on, but potential non-state actors and whoever was behind those incidents. So you can read news and see it has some impact. So the second phase actually started to select more valuable targets and when I am coming to valuable targets, you don’t have to look military, we’re looking on civilian infrastructure. And those infrastructures in Estonia were hit mainly via banks. And that actually brings how you should look in future the private-public sector cooperation, how you can then make sure that private sector wants to share the data without fear of losing the customers because you don’t want to lose the credibility that my bank was under attack and I lost many millions Estonian crowns because of impossibility of the transactions during the two-hours time. So those things come as a business confidentiality issues. So other governmental sites of course were also hit and defaced.
But in my opinion, I think the Estonian case just shows one way how we can deal with the huge disturbance. But it’s not really constituting like cyber war. However lots of lessons learned, in future that minister of defence pointed out coordination. That’s very important. The coordination in country with different agencies as well outside of the country, because once our IT specialists were able to identify the sources and you don’t know who is behind it, but you can see IPs, botnets sometimes just infected computers and users are not aware of the computer is part of the botnet but you need to have somebody from respective nation who helps to filter out those computers and mitigate or close down. So that requires extensive coordination and you don’t have much time, in same time you have to fix the system and bring it back. So keyword, I fully agree, is cooperation and how to build the defence and technically, I would argue that we will find number of tools, number of commercial companies, vendors and offers on the market, whatever you want to have, to protect any potential cyber attack or cyber incident. But it is rather problem how to implement those things and what are the legal consequences if we go after someone and attribution which was brought up, that’s the biggest challenge, how you can do it what you can do.

Tomáš Valášek:

Can I stop you while you are on the subject? As a practical matter, the minister has reminded us and you have confirmed, it is very difficult to finger the perpetrators of the cyber attacks. Because they don’t leave their return address. As a matter of rule, it is my understanding, they use the third-party computers, infected computers of completely innocent, unsuspecting people. Is it ever possible, even if the servers of the Estonian banks had not been shut down in 2007, would it ever be technically possible to conclusively finger and actually find enough evidence, convincing evidence to ever convict the original perpetrators or are we simply condemned to live in a world where cyber attacks will be perpetrated and will never be able to ever conclusively say who was behind it? It is my understanding that the only person ever convicted of the Estonian attacks was in fact an Estonian citizen, even though your government obviously suspected that the sources were elsewhere, but could not find evidence. If we can never find evidence, then it probably makes no sense to speak of retaliation, possibly not even of deterrence. Because how can you retaliate against somebody you don’t know, how can you deter someone, if that someone knows you will be never able to conclusively link the attacker to the target? So will we ever know, is it ever possible technically, to establish who is behind cyber attacks?

Col. Ilmar Tamm:

You’re putting a very tough question and you expect I know the answer. In Estonian case I can just provide my personal view. I think we cannot find, because it is a time scale between what happened and now, we lost momentum, so whatever we had, we had, and you cannot just gain more. If there is someone else coming up and stood up and says “I have more evidence”, I am willing to share this evidence and those can be sent to the investigation and eventually brought up to cold case. But this should be seen as lessons learned, so what capabilities need to be improved and what we need to put in place and how the NATO role comes in, so that’s something we have to keep in mind. As a Centre’s position, yes, we are credited by NATO, but we are not in NATO command structure, which gives us the freedom to think out of the box, but at the same time we of course have to use disclaimer. Our recommendation is not NATO official policy, as long as NATO nations haven’t agreed. But during this work, we have identified 4 areas which we think in cyber defence we have to really go more in detail. So the first one is the concept and strategy. So you could say that basic concepts and strategy we talk in cyber defence, all other military domains we don’t talk about defence without offence. So you have to know also offensive means, offensive tools, otherwise defence you try to build up comes sort of meaningless. You don’t know what you defend against. So all the concepts and strategies for the future NATO probably have to include also offensive aspects. How you can do it, that’s a different question and probably ends up in political dispute, but we have to take this action sooner or later. The second field, on which we in centre also concentrate, we have named tactical environment. It has been in the previous session noted that environment has changed, that we also noticed that environment which comes more technical, needs attention.
And we need to understand what types of tools are there, what help us to do the work. So it comes in practical way, monitoring and detection, so we know that we can identify the fingerprints and can see what is the false alarm and what is not. Third one we have identified is critical information infrastructure protection. This is quite a well-known term and normally it is associated with the civilian infrastructure. So one might wonder if NATO has any role, but I would say during the crisis management exercises we don’t discuss if it is NATO role or not. So take same approach if it happens, this could be as a crisis management and you need to have coordination and NATO has to have some sort of tools and mechanism in place how to do it. And we see the playground for the sort of exercises on this field. And last but not least which is most controversial, most difficult is legal policy. Centre has created this small capability as a legal task team. Our people are looking for different national regulations. We’ve seen good initiatives after 2007 done by number of nations including Estonia started, UK and even non-NATO nations. And that becomes very critical when we go and talk to partners in cyber defence area. It is again my personal view, we have to treat very carefully who is the partner and who wants to be a partner, because those things have to be very clear that we share the common interests and we know that we are on the same side, otherwise all the legal consequences, we put things on the paper, we agree upon them, but when it comes to time that now it’s the real case, the partner disappears and doesn’t follow any rules. So I think it’s everything based on how to build better trust first and with that you can move forward. So at this point I will stop my monologue and word further as well.

Tomáš Valášek:

Thank you. I thank you particularly for your thoughts and observations on what happened in Estonia. I’ve been told that NATO public diplomacy division produced a special DVD “Six colours” which goes over the events of 2007 Estonia, so for those of you who are interested and would like to find out more about the events, those DVDs will be available outside.

We brought up NATO, which Major-General Hines seems like a good transition to be new into debate. What is the special responsibility for NATO, especially since again the traditional military tools like retaliation and deterrence in the traditional sense may not apply to cyber attack? So what special responsibility does NATO have and how do you work with others? We are going to bring the industry angle soon, but how do you work with others, perhaps the European Union? I mean, it isn’t obvious that all of the answers when it comes to for example raising the threshold for how safe and secure some of the critical infrastructure should be. It is not obvious that all of the answers lie with NATO. So are you also working with other institutions to spread best practices and ways of conduct?

Maj. Gen. Glynne Hines:

Obviously I cannot speak on behalf of the European Union, however, we do cooperate, NATO does cooperate with the European Union capabilities group to share lessons learned, experiences and some of the capability development work in the area of cyber defence. The work to date within the NATO as a body, in the field of cyber, has really only been kicked off in the last two years as a result of 2007 incidents in Estonia. Particularly at that time we have been talking about the issues on cyber, but not necessarily a lot of progress in that area had been made. And it was really the 2007 attacks that got NATO energized to address the cyber issues and it started off with discussions on what should be NATO policy on cyber and what should that policy include. The policy was signed off by the North Atlantic Council in early 2008 so we gave into this policy this lesson that is two years old, but it does share the responsibility for cyber defence between the nations and NATO. The onus is on nations to protect their own networks and on NATO to protect the networks for which NATO is responsible. And that amounts to a number of networks, classified networks at NATO’s presence on the Internet. In addition to the work that was done on the policy, we recognize that there was an importance on having an arrangement for sharing information, not only sharing information within NATO and among NATO nations, but also for engaging the partners. And we’ve done that. There is a lot of interest through the partners for more information-sharing and we are sharing information with the APC partners and obviously with the European Union through capability development work that we are doing.

Tomáš Valášek:

What does it mean in practice? What happens if you get a phone call from the Estonians, or the Latvians, or the Slovaks, or the Americans saying - we think our servers are under attack, what do you do?

Maj. Gen. Glynne Hines:

On the practical side we have something called The computer-internet response capability. And that capability is in the NATO structure. There is expertise there, that is available to respond either provide phone advice, some immediate advice, that is actually a form for the sharing of information but can also dispatch a very limited capability to a nation who believes they require assistance to provide some of that assistance, but it’s important to recognize this is a very basic capability, that’s only been created over the last year and is still only in terms of operational capability. The full operational capability has not been realized yet and will not be realized for some time as both people and financial resources are against the challenges. But the capability does exist to respond to the nations. What we’re also working on are means by which nations can ask other nations or by which we can coordinate from the centre how we can tap into other nations to go to the aid of the individual nations. So the capabilities we have are in their infancy but they are getting better. I think it’s important to emphasize that there are a number of schools within the organization as to how serious the cyber threat is. People will tell us that the cyber threat is not necessarily as serious as some of us would like to have you believe. I can assure you that NATO systems are under attack every day. The results of those attacks, fortunately right now, have not been severe. Through our cyber defence activities we have been able to defend against most of the attacks or have been able to mitigate the impact of attacks. The challenges that we will see in the future, I would suppose that most people are familiar with the NATO networking enable capability work and the challenges that we will see in the future are really challenges, that force us, should be forcing us to put more emphasis on cyber defence because we’re trying to put more emphasis on networking, the networks or interconnecting all of the forces of the Alliance.
So as we reach out and interconnect their networks and become more interruptible in an operational sense, and all of our operations today are information led or intelligence led operations, as we reach out and connect more networks to each other our vulnerabilities grow exponentially and therefore the need to protect themselves, protect NATO’s networks also grows. On the flip side of that is the individual nations’ responsibility to protect their networks plus protect their networks from being the source of, or a bridge into NATO systems, of an attack but also to protect their networks from NATO shouldn’t attack be successful against the NATO’s system and to provide that level of defense.

Tomáš Valášek:

Thank you. While on the subject let me bring in the industry representative into this, because of course Microsoft besides is kindly sponsoring this conference for which we are grateful, is better known for providing operating systems which power vast majority of the world’s computers and you’re about the role of new version of Seven very soon. What is the industry’s responsibility in all this, particularly a company as important and essential as Microsoft to the whole business? And obviously these guys are trying to do their best, to protect their systems, to share best practices for when their services are attacked. But what can the industry do to make sure that the services aren’t attacked in the first place? And are you in touch? How good is the cooperation between the industry and the government?

Lt. Col. (Ret.) Robert Kosla:

First of all, thank you very much for invitation to this very important event and the position that panel on cyber defense is taking during this event. It proves that it is really important issue. My background is related to information security. I spent more than 14 years working for military, working for government. I was responsible for evaluation, accreditation of systems, certification of cryptosystems. I worked 10 years within NATO as national representative to Infosec subcommittee and informational assurance subcommittee so I could observe it from NATO side and, from last year when I was retired, I could observe it from the dark side of the power that is called Microsoft and I can admit that for many years Microsoft was for me the biggest troublemaker because I was responsible for systems accreditation and vote systems have been not secure. You could observe, of course, two different families of operating systems. One was strictly designed for military use and other commercial systems have been not used for secret or classified environments. And the situation started to change in the middle of 2004-2005. There was a special branch, special worldwide team created within Microsoft that is composed of former military, former intelligence, former police, former officers that started to be ambassadors of the services within the corporation and try to make aware of our products group that developed the software that are not only commercial, it’s not only functionality but also security and it must be taken into consideration from the beginning. So the industry, of course, that’s the common interest because vendors would like to make a business. They will not make a business if they sell products that nobody is interested in because those products are not secure.
Of course, there are many comparisons and discussions about liability, insurance on how the software is working but what we can observe right now is the tendency that operating systems and the new software, new applications are designed the way to meet military and governmental requirements. We can observe that from the beginning, from the design phase military and government agencies are involved in design and functional parts of the environment preparation. Microsoft started in 2003, started government security program that provides the full access to source codes for governments and military organizations, NATO is also contributor of that program and other program that was started for governments it was security cooperation program. It’s very good base for the discussion about the needs of the government, of course, typical implementation of commercial off-the-shelf philosophy that was started in 2000 by National Security Agency in US. It was very interesting discussion 3 weeks ago and director Scheffer, information assurance director from NSA stressed that, of course, no government, no military has now enough budget to develop tools, to develop environment themselves so it must be the close cooperation with vendors from the beginning, from the early stage and I think the most important, especially most important for Vista, for Office 2007, that was the first time when NATO, actually NATO actively participated in security settings development for that. We mention here, there was a question how to identify who is attacking us, of course, who is our enemy, of course, there is different motivation. You have some political motivation like it was I think true for attacks against Estonia, you have also the crime underground because that’s the biggest part of the cyber attacks or network attacks against business, against political enemies, of course, it’s started from activism just using internet for distributing our ideas, our views.
Then it was supported by hacking tools so groups started to attack against political enemies and destroy their information resources and, of course, the next step was, in that classification, cyber terrorism to make an impact on the nations, to make an impact on the state organizations to promote ideas, to disturb the activities of the countries. Of course, the situation is not so bad. Year by year we have more advanced technical measures and it’s not so right now that criminals or attackers are anonymous in the networks. The biggest problem, there was a question how to collect evidences, how to analyze them, how to identify who is the real attacker actually or very often hiding by the proxies located in different countries. The biggest problem is that we can track technically who performed the attack. The problem is to protect the evidences and very often evidences are located in the countries that are not fully cooperating with other countries that would like to track those facts. Of course, last week and that was very good coincidence, last week I spent the full weekend in “Radmont”. That was an event arranged for law enforcement agencies - the annual event arranged by Microsoft. There was a special law enforcement track for secret service, for police forces, there were 450 attendees from more than 40 countries so there was a lot of key studies how the botnets can be tracked, how the evidences have been collected and there is very good and very important trend that Central and Eastern Europe, responsible for that was viewed in the past as completely dark part of the world that you could not collect any evidence, you could not take into the court the crime, the criminal. It’s started to be more cooperative so there have been a few cases described related to Romania.
It’s very good cooperation between Romanian law enforcement and US: FBI and secret service so the criminals have been identified, the evidences have been collected and those persons have been taken into jail so successfully the case was closed. And other examples have been related to huge botnets tracked by one of law enforcement agencies that was multinational cooperation and that was very good I think one of the first evidences of close cooperation with Russian security service. FSB received some information, took a real action against those criminals trying to identify them and that was the real case. So I think there are three main things that must be covered. One, of course, legal another organizational and the third technical. From legal point of view Minister said about the Convention on Cybercrime. That was very good step of Council of Europe but the problem is that it was initially signed by 50 countries but ratified only by 25 countries so 50% of countries really ratified that convention. Of course, that’s general. It must be supported by some procedures, it must be supported by criminal law and equal procedures in the countries. I was responsible for Schengen information system implementation in Poland so I think that could be an idea to create something like Schengen information system for sharing information about cybercrimes, about evidences, about methods of protection, methods of attack, vulnerabilities and I think that very good example of cooperation not only between government and industry but within industry even between competitors, vendors of the software, different software platforms was “Conficker” case. The attack of Conficker that’s very sophisticated malware that I think no agency, no antivirus vendor could do it himself. So it was created multinational Conficker working group.
And the result of that cooperation was first - the deep analysis of the Conficker background, the Conficker technical part, there was tool free of charge available how to identify if my system was attacked or is not under control and third thing, of course, the analysis of the mechanism that may be used in the next editions of Conficker because that was identified A, B and C version but, of course, there have been some D and E but, of course, that deep analysis proved that even Conficker is not free of errors, of mistakes or even designed of such aggressive tools, is not free of bugs.

Tomáš Valášek:

Well, thank you for the encouraging news because I think there is an important point that in some ways the defenses may be catching up with the offences which is, of course, the time fashioned dilemma. Perhaps, one of the questions you raised and I hope to get it into questions and answers is the extent to which the governments and the politicians are actually aware of the threats and catching up with the severity of them. But I don’t want to impose my own questions, we have at least 3 questioners that I see in front of me. I also want to bring it in the various offices Brno and Banska Bystrica. But let me begin with Hans Binnendijk in the front row. May I ask you to introduce yourself?

Hans Binnendijk:

I would like to take 2 minutes to suggest a conceptual framework for how NATO might think about its role in the cybertech business. And I want to suggest that it might think in terms in 3 categories. The first category is everyday attacks. These are nuisance attacks, criminal attacks and even espionage. And we’ll know that more motivations are there. But these are everyday attacks and I want to suggest that most of the responsibility for dealing with these attacks lies in the commercial sector, lies with nations and if NATO itself, its networks are under attack, its responsibility is to defend our networks. The second category is different. In this category I would say the motivation is political. The motivation is political intimidation. This is what we saw in Estonia. Whether it’s a denial of service attack or some other method, the purpose of the attack is political intimidation. Here I think NATO becomes more engaged. It’s not Article 5 in my view. But since it is political motivation NATO has to think not only about helping that country defend itself but possibly sanctions or other things because even if it is not 100 percent attribution we generally know what’s happening. The third category is much more serious in this sense. I think that’s the third category that’s close to Article 5. These would be attacks on major systems when you take down energy grids with all of the consequences. There is an attack on a military network itself so you disable the ability of a military force to operate. Or if you attack those systems that a military requires to mobilize. In this case should get close to the Article 5. So as we suggest that as way to think about cyber attacks and NATO’s responsibilities.

Tomáš Valášek:

Thank you, what I would like to do is to take questions three at a time. I will take one more question from the audience but first I would like to turn to some of our students. We heard from the Minister I believe that statistically there are a few hackers in the audience. So I wonder if we had possibly few among the students. But even if you’re not... I’m being told that Brno is ready. May I take one question from the students in Brno?

Question (Brno):

Hello, I have a question regarding the cyber defense cooperation between nations. How would the form structure look like as a matter of fact that is necessary to consider different law regulations and in this way what would be easier? To cooperate among individual nations on cyber defense programs or get an out-of-nation structure? Thank you.

Tomáš Valášek:

Thank you very much. Let me take one more question or I would like to turn to the audience now. I saw two more questions in the front row. Can I begin with the question right here?

Janusz Onyszkiewicz:

Well, thank you. We were discussing the cyber attacks but basically we limit ourselves to the attacks on the software. What about attacks on the hardware? Whether we have remind is the ability of terrorists or some other groups to attack the computers by setting up devices producing electromagnetic pulse which could be result of explosion or nuclear explosion, which could really disrupt the whole system. That probably is easy to handle but nevertheless I think that some kind of coordination, some kind of role of I would say setting some standards from NATO would be very much in place. So I would like to have your comment on that.

Tomáš Valášek:

I have at least three more questioners in my list. I have questions from Warsaw, question from Banská Bystrica and Mr. Eckart von Klaeden. May I allow the panelists very quickly to respond to some of these questions? Not necessarily all but who would like to come back on suggestions we heard earlier?

Maj. Gen. Glynne Hines:

If I can jump I guess for the first comment and certainly Hans the three categories you suggest absolutely make sense. I would offer that we are doing category one right now. The routine with standard operating procedures that allow that do that to defend themselves and it’s once we get the category two and category three. That would start to become the basis for obviously consultation. Consultation will require not necessarily an immediate enemy response but those make perfect sense. The question from students on cyber defense - working with the nations. And this is where it gets extremely challenging as we heard from one of other speakers about the legal framework. Every nation has its own legal framework for cyber, every nation has its own legal basis for burden of proof of if anyone wanted to do anything about anybody he was launching a cyber attack or if we want to do any forensic and determining what, where it started and who did what. So, clearly all our work nations is take into account nations sovereignty when it comes to what does the nation determine, if it was an attack, what has the nation done about an attack and at the same time working through the NATO bodies to actively provide some support but also to provide some means of consultation and advice after it.

Tomáš Valášek:

Thank you. Your Excellency, as a senior politician on this panel. Does the classification that Hans Binnendijk outlined make sense? Is that something Estonia could embrace as a part of the Strategic Concept perhaps?

H.E. Jaak Aaviksoo:

Well, I think that’s fully OK. I think on practical level this is less going on. There’s no NATO involvement. There are structures in place when NATO networks are attacked etc. Then there are national solutions. As for these politically motivated things when there are only cyber attacks not correlated with other types of attacks. Then I think that is all true and correct. I just like to point to the fact that in the case of the Russia-Georgia conflict we practically had 4 spaces involved that was land, sea, air and cyber. There was a truly joint operation and well coordinated in time and space etc. So cyber has been integrated also to conventional warfare already. So this somehow is out of that classification. But truly whenever there is kinetic damage involved. Directly or indirectly as a result of a cyber attack that comes close to what we mean by armed attack. Because the kinetic damage is something that we interpret as armed attack whatever the arm then is. So I fully agree and that I think it might be the approach adopted in the Strategic Concept.

Tomáš Valášek:

Thank you. We have roughly 15 minutes left. I would like to do at least one more round of questions. I had a question from the audience. Mr. Eckart von Klaeden first.

Eckart von Klaeden:

As far as I have followed the debate about cyberwar I think this discussion is very innovative about the new threats and all is going on on the net. But on the other hand, the debate is very traditional about Article 5 because the idea is more or less that is two-state-linked attack, state-to-state conflict and if you remember that the one and only case where we had Article 5 was a civil target within abused plane by so-called civil terrorists and justification for invasion in Afghanistan was that the Taliban provided the ground for these terrorists. I think we should also think about what this means for our debate. I would call it asymmetric cyber where I think it’s in a way doubling this issue. But nevertheless what does it mean for instance if some states provide infrastructure to criminals for, for instance, child pornography, for terrorists. What kind of sanctions could be taken? Could it be possible to use preemptive strikes against those states to force them to do something against those terrorists or those criminals? I think there’s a lot of territorial integrity in the net in that sense. I think there’s a lot of room to discuss about this link, a sort of combine the Article 5 debate regarding asymmetric warfare with the cyber debate could be an interesting point.

Tomáš Valášek:

Very good question and, of course, the analogy is here with Afghanistan where in the rationale in 2001 was when after Al-Qaeda as well as Taliban for hosting Al-Qaeda when not only after the perpetrators but also after the government and its regime that effectively sheltered them. Should we apply the same logic to cyber attacks? Before we get to the answers I have 2 more questions. I understand that the first one is from Banská Bystrica. Is that correct?

Question (Banská Bystrica):

Good afternoon, my name is Diana Andraščíková. I have a question for our panelists. So what do you think, should state be held legally and politically responsible for cyber attacks? If these attacks may cause negative consequences on territories of other states?

Tomáš Valášek:

Thank you. In some ways it is very similar question to what we just heard. Presumably they would apply to both situations where states are attacking as well as when states are in fact sheltering those attacking. I have a question in Warsaw. Warsaw, it’s your turn.

Question (Warsaw):

Is it possible for the NATO countries to provide the adequate level of security? What actually is the adequate level of security and how might deterrence look like exactly?

Tomáš Valášek:

Thank you, very good question. In some ways we have addressed the first two points already but we haven’t really touched the deterrence so perhaps that’s what we can return in questions. I will make an exception to my own rule, we have about ten minutes left which really isn’t enough time for another round but I do see at least one more question in the audience I would like to take and then I’ll give the forum and microphone back to our panelists. Marshall Billingslea on my list.

Marshall Billingslea:

Thank you. I think that Hans gave a very good framework this morning with four Rs. I am not sure that I am comfortable with the typology he set out just now in terms how NATO should proceed in cyber events. I think that we see a lot of incidences very difficult to separate, different kinds, different lines of the activity information gathering activities from preparation of networks for future potential attacks. We see botnets, their use for private purposes that then are also used by government organizations on occasion. I think, what I would like to see this is heading. It is for the Minister to perhaps suggest how he sees the Estonian Center evolving? The role that he sees the Center playing both for Estonia but ultimately where the vision is going to take that scenario in the NATO structure? Will it remain an MOU organization outside of this structure or perhaps there is better vision for to assume more important role inside the structure? The other point which I would like to have time the touch on the day I would comment for discussion is the fact that our defense industries themselves are just as much a target if not more the target these days than are Defense Ministries and therefore working with them is also going to be an essential line of activity. Thanks again.

Tomáš Valášek:

Thank you Marshall and, of course, Marshall in his modesty didn’t mention he is a Former Assistant Secretary General NATO for Defense Investment. Gentlemen, we have about five to ten minutes to answer what is quite a lot of questions. I will repeat it very quickly besides the one is that Marshall just raised the question on what should we do, should we hold government responsible for attacks that are perpetuated as well as possibly hosting or not doing enough to prevent attacks emanating from their countries. Let us not also forget Mr. Onyszkiewicz’s question which still hasn’t been answered. What do we do about attacks on that have an impact on physical infrastructure? What do we do when actual physical infrastructure, presumably power plants and utilities are being attacked? Can I ask the panel to answer in reverse order in which they were spoken?