The 21st century is a dicey time for the North Atlantic Treaty Organisation. Not only is it under assault politically, by an American President who seems only weakly committed to the principles of collective security, but also digitally, as new cyberthreats become just as challenging as anything involving tanks, guns and planes.
So how is the alliance adapting to meet the challenges of this century? To find out we spoke to Ian Goslin, whose job title is "Head of UK" at Airbus CyberSecurity. Prior to this he worked in the Royal Air Force, heading up the technical team that looks after the RAF’s network. In other words, he knows his stuff. Here’s how our Q&A played out.
Giz: Let's start by looking back. When do you think cyber concerns started to be taken seriously at NATO? Is this a long-held thing from the early days of the internet or is it a more recent thing that they’ve realised they need to catch up on?
Ian: I think, drawing upon my own experience when I was serving in the military that this actually, cyber has always been recognised. As a communicator within the military, as we started to join our networks up, it increasingly became clear that whilst giving great benefit in terms of military capability, it was also a threat surface that could be attacked by people. As far back as the early 2000s I was involved in conversations and discussions and even seminars within NATO to discuss the future cyber threat. It wasn’t perhaps as rich a conversation as it would be today but that was then probably because the understanding of the full spectrum perhaps wasn’t as rich as it ought to be. And perhaps we didn’t have at that time enough cyber specialists. What we had then were communication specialists and I think that transition from being a communication specialist to a cyber specialist was something that was not only peculiar to the militaries within NATO but also industry itself. So I think NATO is very much a reflection of society and industry and commerce as it had developed over that period.
Giz: What would you say NATO’s posture on cyber is now, if you can sum it up in those sorts of terms?
Ian: I think that NATO has a positive cyber posture and I think that it’s an improving cyber posture. Like many organisations it has been impacted at times and it has responded. The real challenge within NATO is that NATO is by its very nature a combined effort of a number of nations brought together against a common cause. And so you have the NATO core, which I think recognises the need to improve and increase its cyber position, but you also have the individual nations and the individual nations are, again, when you look at them not just as military nations but as economic nations, have varying capability and resource available to them, and they are perhaps not all operating and improving at the same speed.
What NATO is doing, which I think is a very positive thing, is it is looking to support and accelerate the cyber posture of those countries that are perhaps not as well advanced as some. So if you did a comparison perhaps from the people at the top - the US, the UK - and some of the ones that are further down the stack, there would be a difference. But it is, the gap is closing all the time and I think the initiatives NATO is taking are helping to see that happen. And also, when you consider it, it’s in the interests of the stronger players to get the lesser players up to the same speed because you’re only as strong as your weakest part of your whole, so again, this is why I think it is increasingly on the agenda and they’re taking the right steps forward.
Defining The Battlefield
Giz: Thinking of cyber in military terms raises dozens of seemingly complex questions: How do we figure out where is the cyber battlefield and who are the combatants? How do we define between say what is a discrete hacking attack as a crime versus an act of cyber war? How do we figure out who are the civilians and who are the military people? What counts as military hardware..? It seems like an entire mess of ambiguities.
Ian: And I think you’ve hit upon a real dilemma in the concept of cyber being a battlefield. When you look at the other spheres of warfare, you look at land, sea, and even space, it is usually clear as to who the combatants are and how the attack factors are coming. The internet and cyber by its nature has an ambiguity and a complexity in terms of getting to a position or who is doing what to whom that is not as obvious as in those other spheres.
And I think this is one of the elements that, again, I think all nation states and all military coalitions are going to have to face is how do you ensure that when you apportion blame you have apportioned that blame in the right place. There’s an awful lot that can be done in terms of forensics to actually track where an attack factor came from but by the same token, as you’re well aware, there’s an awful lot that can be done to obscure that trail back to the perpetrator. And then it’s further exacerbated by the fact that quite often, nation states will use proxy actors to actually initiate some of their attacks.
The other thing which I think is a defining element of cyberspace as a battlefield is the nature of the attacks. When you’re in a military organisation it is often about coercion, influence and direct attack in terms of your armoury. In terms of the cyberspace, there are much more subtle levers that you could pull by undermining organisations and nations that range from loss of confidence right the way through to economic problem associated with attacks, which are very difficult to even point at being a precursor to any form, to warfare.
Giz: Do you think it would be a legitimate thing to invoke Article 5 after a massive cyber attack? (This is the rule which means an attack on one is an attack on all - so all NATO members must respond if it is invoked.) For instance, in 2007 Russia cyberattacked Estonia and took out all of its systems for a few days, could they have invoked Article 5 after that do you think?
Ian: I think that proving that it was Russia would be a very difficult piece. Again it’s back to this concept of ambiguity and I think that until we get in a position where we can remove that ambiguity or the impact is such that it begins to undermine a nation state, we’re a long way from invoking Article Five against a cyber attack.
Giz: Do you think it could be a proportional response to have an actual military response to a cyber attack? For instance would taking out fibre optic cables under the sea be a legitimate act in response to a cyber threat?
Ian: I think a nation state will have to make decisions about what it perceives to be a legitimate response. I don’t think it’s for me to actually say what a legitimate response would be. But I think there is likely to be a number of scenarios that nations have in terms of their war-gaming approach, and they’re now war-gaming in the cyber domain as well as in more traditional domains of warfare, that would look at a full spectrum response from quite minor to major. And that would be naive if we didn’t believe that nation states are looking at that part of the environment in terms of future battle space.
Who are the Baddies?
Giz: Are state actors still the primary concern here or should we be worrying about other groups?
Ian: I think that no matter where an attack comes from, you have to be prepared to defend. And I think that the future is a world away, even if that future is only tomorrow. It’s very difficult to say what we think the greatest worry should come from because I think that would be dictated by the socio-economic, political environment that everybody finds themselves in.
But there is no doubt that at the lowest end it is very easy to hack from your bedroom with a very simple connection to the internet and some rudimentary tools, you don’t even have to be a particularly talented hacker to create damage against systems that are perhaps not properly protected, and similarly it has to be recognised that as you move through the spectrum, through hacktivists who are coordinated through to again coordinated crime and quite large criminal actors, that the capability increases as you go forward to a position where you finally end up with a nation state actor, which by nature will have far greater resource and economy behind it to be able to launch the most sophisticated of attacks. So it’s a matter of ensuring that that whole spectrum is protected against and that a proportional response is planned against any such attacks.
Giz: Thinking about the current headlines around Russian hacking of the American election really highlights the importance of cybersecurity. Do you think NATO has a cyber advantage over Russia? And if so, how big an advantage is that?
Ian: I think that each of the nations within the NATO alliance has capability, I think that aggregated capability is quite impressive and if we look at the full spectrum of members of NATO you can quite rightly assume that some of the players have absolute top-end capability to both defend and respond should they be attacked. You only have to look at America and the fact that they have a cyber command [as a fully-fledged branch of the armed forces] that gives you an indication of that.
Giz: Following the recent terrorist attacks here, talk has turned once again to the idea of banning encryption, or forcing tech companies to insert backdoors into their services. How does this fit into the cyber warfare landscape? And what about inadvertent backdoors - like the recent WannaCry attack which hit the NHS?
Ian: I think like all things you need to understand what the threat is to be able to defend against it. So quite often a lot of these [WannaCry-style] exploits will be held and understood and considered and probed by the major people, it’s an ever-changing landscape and the only way to stay ahead of it is to continuously both understand the threat and almost reinforce the threat so that you in turn are able to reinforce your ability to defend and perhaps more importantly respond, because it’s very easy to believe that you can defend against anything and everything and the reality is that’s never the case.
So as well as trying to put up the most strong defence, you must also ensure that you have a rapid response capability that allows you to respond quickly so that you can limit damage and respond accordingly.
Giz: Do you think we have to worry in terms of military situations about troops on the ground and their understanding of cyber security and the like? During the invasion of Ukraine the Russian troops or Russian proxies were exposed as Russian-backed by Russian soldiers posting to Instagram, from their own phones, and the geolocation marking them as being inside Ukraine. So do you need to worry about how cyber-literate people on the ground are?
Ian: When you were describing that I couldn’t help but smile actually. The only reason I say that is because steps to educate the troops were taken when we moved into Afghanistan. So during my time in Afghanistan every soldier that came into theatre was given a briefing particularly with regards to the use of social media and their own personal phones.
So there is a recognition that you have to look at the full spectrum of warfare and ensure that at every level, people have a basic understanding of cyber, and perhaps more importantly that the systems that are deployed into such environments, the most sensible cyber hygiene elements are all in place. So you know the backups are in place, there’s a regular back-up that’s disconnected, the fact that there’s up-to-date patching, that the operators are aware and understand what they can and can’t click on in emails that may or may not come in, and also actually check the source of where it comes from. Because again, back to something I mentioned earlier, you’re only as strong as your weakest link so you need to make sure that every link has a resilience to it. And I think that cyber-resilience is perhaps the biggest thing that you can build into any fighting force going forward.
Giz: Two more quick questions for you hopefully. What do you think is the biggest future threat in terms of cyber that NATO needs to be worrying about?
Ian: I think the biggest threat is actually apathy. I think that there must be a continued focus on ensuring that we recognise the need to always improve and update our cyber capability, that we build cyber-resilience into every element of a military fighting force, right the way from the individual soldier who has an understanding, through to the platforms that we deploy to ensure that their cyber security and the protection of them is understood so that they can be the most effective capability when they’re deployed, rather than being hampered or side-lined because of a cyber attack. So I think apathy. We need to make sure that we keep this to the forefront.
Ian Goslin is Head of UK, Airbus CyberSecurity.