States must counter the problem of cyber attacks irrespective of their relative influence in global affairs. As a practical matter, policy makers must contend with the reality that the cyber dimension signifies a complex threat. Prescribing a ‘one size fits all’ solution to address cyber threats is counter-productive and short-sighted, as strategies must be tailored to address specific threats and needs. Small states are particularly vulnerable to cyber attacks. In the international system, small states are those that face a distinct set of challenges in combatting cyber threats due to the relative small size of their population, human resource capacity, limited domestic IT capability, small size of the economy, or resource availability for funding cyber security.
A state must protect a multitude of digital networks and critical infrastructure to insulate themselves against the possibility of large-scale cyber attacks. The limited financial resources of the state must be apportioned to protect and defend a broad array of digital assets, including the mission-critical commercial Internet, critical infrastructure (airport control towers, banking networks, utilities etc.), and military/defence networks. This can be quite a challenge for resource starved states with enormous social and developmental needs.
Outlined below are established methods small states could utilize to effectively make up for their limited cyber security investment capabilities.
Audit and Assess Cyber Threats
Auditing the current state of existing network resources and assets should be the starting point for national security planners. A well-coordinated cyber threat assessment audit at the national level would quickly reveal the ‘chinks in the armour’ in a state’s network infrastructure. A comprehensive threat matrix, juxtaposed against data emanating from cyber attacks experienced by the state, would help identify the nature, type, frequency and origin of those attacks. By encouraging collaboration between private network operators and the government, through public-private partnerships and working with IT governance organizations, like ISACA, small states would be in a better position to address their most critical cyber security challenges. Small states should address their weakness in technical capacity by investing in human capital, engaging in cooperative projects with other likeminded countries, enrolling their security practitioners into training modules at institutes like SANS, and learning best practices from other small states like Estonia, who are spearheading cyber defence in Europe and projecting themselves as a major cyber power. The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is another shining example of how cyber security best practices and expertise can be shared among likeminded states through cooperative platforms.
In today’s dynamic cyber threat environment, states need to guard against an array of persistent cyber threats. These threats pose a plethora of risks to national security with differing characteristics that need to be tackled diligently and expeditiously. Therefore, policy makers should perform a cost-benefit analysis of risks and allocate resources to the problems that demand the most attention. In an age of austerity and limited resource availability, risk assessment and mitigation are paramount.
Offence vs. Defence
Small states should not get carried away by the current lure of ‘active defence’ cyber strategies which are underpinned by offensive military doctrines. The U.S. Department of Defense defines ‘active defence’ as “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” An active defence cyber strategy is a proactive approach to defence that involves preventing a cyber attack before it hits the defending line of a network and neutralizing the threat before it can be carried out by an adversary. In short, active defence involves cyber operations directed against specific threats, while passive defence is concentrated on protecting cyber assets. The best example of an active defence strategy is that of the Department of Homeland Security (DHS), which works with the private sector and other critical infrastructure providers in supporting them with active defence tools and training. While ‘active defence’ is not full-scale offence, the strategic, legal, financial and ethical implications of adopting such strategies need to be fully understood before giving them due consideration for implementation. Cyber defence strategies that entail fewer risks of retaliatory counterattacks may be a better alternative, given the resource constraints faced by small states. In defending their networks against adversaries, small states simply do not possess the military muscle to climb a conflict escalation ladder.
Securing the National Digital Infrastructure
In an era of ubiquitous connectivity and global communications, the national digital infrastructure is among the most precious asset of small states. Much of their digital commerce, communications, and banking transactions rely on a robust and safe network infrastructure that must be consistently available. With their limited resources, small states must devise novel approaches to network modernization by keeping abreast of emerging Internet technologies and investing in cyber security tools, while reducing the costs incurred in protecting legacy networks. The first significant step to ensuring the cyber security of the national digital infrastructure is to establish an emergency cyber incidence response unit to monitor, report, and respond to cyber attacks. For example, both New Zealand and Canada have established a Computer Emergency Response Team (CERT) to support the private sector and other government agencies in rapidly responding to cyber attacks. These countries also augment their cyber expertise through their participation in ‘Five Eyes’, a formal cooperative network between the U.S., Canada, UK, Australia and New Zealand created for the purpose of intelligence sharing.
Bolstering National Cyber Expertise
Small states need to invest in building domestic cyber capacity. While network traffic monitoring tools could be procured as commercial ‘off-the shelf’ products, investments in cyber manpower capabilities are an essential component of capacity building. This is a particularly difficult challenge to overcome since recruiting and training highly skilled cyber professionals remains a challenge even for large and well-resourced cyber powers. Inculcating a cooperative framework with other likeminded cyber powers is a strategic imperative; initiating and sustaining a constant dialogue with both regional and global powers is critical to ensure that small states are exposed to the most up-to-date cyber practices. Moreover, since cyber technologies are essentially dual-use by design and are developed by private companies, it is essential to exploit the fullest potential of these technologies by sharing their capabilities with the military.
Why it’s Important
Lethal cyber attacks can emanate from all corners of the Internet and from a range of state and non-state actors. A small state’s cyber security is as likely to be threatened by malicious actors as a larger one’s. This was the case with the small Baltic state of Estonia. On April 27th, 2007, Estonia’s banking system came to a halt when a cyber attack, later attributed to Russia, virtually brought the country to its knees. Estonia is a classic case study of how a low-level ‘denial of service’ cyber attack could impact the economic edifice of a small, yet highly digitized, society.
Small states need a distinctly strategic, systematic policy framework to address burgeoning cyber challenges. A full-scale cyber attack against critical infrastructure could cripple small states, posing an existential threat to their security. Many small states are ill-prepared to tackle this threat within their current strategic repertoire. This has been largely due to the limited nature of their resources. Such an excuse is no longer viable though, as their national security has become just as interlinked with their digital infrastructure as a larger state’s.
Photo: Surveillance Cameras Mounted on Wall (2017), via Pexels. Public Domain.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors
and do not necessarily represent the views of the NATO Association of Canada.