Karl Ngo, Research Analyst, had the pleasure of interviewing Chelsey Slack, Deputy Head of the Cyber Defence Section at NATO Headquarters. Previously, she worked at Global Affairs Canada. Chelsey earned a Master’s Degree of Philosophy in International Relations from the University of Cambridge, and an undergraduate degree in political science and history form the University of Ottawa. In Part 1 of this interview, she raises the importance of cyber defence, and unpacks the complexities of NATO”s cyber defence approach
What threats are we facing in cyberspace? Why is cyber defence important?
It seems that Canadians can’t open a newspaper – either physically or virtually – these days without seeing a headline related to a cyber incident. Recent reports of breaches at Equifax and Uber highlight the risk for personal data loss. In a report to Parliament in October 2016, the Communications Security Establishment (CSE) noted the detection of 4,571 ‘compromises’ of federal systems due to cyber-attacks in the first nine months of 2016. Across the globe in May 2017, the WannaCry cyber incident saw more than 200 000 systems affected in 150 countries: from hospitals and schools, to telecommunications firms. These incidents are alarming, and highlight an increasingly complex cyber threat landscape that can have tangible consequences for us all.
Technology is at the heart of our highly connected societies. It is also at the heart of our militaries. Armed forces and militaries are not immune and increasingly rely on cyberspace to carry out their missions. NATO is faced with similar challenges as a user of cyberspace. NATO systems register a significant number of suspicious incidents on a daily basis. The majority are dealt with automatically, but some require further analysis and response by experts. Cyber defence is therefore a top priority for NATO, and both the organization and its member states have been taking measures to better protect themselves against cyber-attacks.
With 50 billion devices expected to be connected to the Internet by 2020 – from toasters to air conditioners to cars – interconnectivity will only grow. While cyberspace offers unprecedented benefits to economies and societies, it also presents real challenges to our security and prosperity. That’s why it is important for us all to step up our game when it comes to cyber defence.
Article 5 of NATO can now be triggered by a cyber-attack. What prompted NATO Allies to elevate the cyber threat to that level and what can Canadians take away from that decision?
NATO is a political-military Alliance with a common goal for nearly 70 years of preventing conflict and preserving peace and stability for the nearly 1 billion citizens across the Euro-Atlantic area. The 29 NATO Allies do this by promising to defend one another as part of an ‘all for one, one for all’ commitment known as collective defence.
The same principle applies to NATO’s approach in cyberspace. NATO’s thinking on cyber defence has advanced rapidly in recent years. Cyber defence is no longer viewed as a purely technical issue, but it has become one of political and strategic importance. Back in 2010, NATO’s Strategic Concept first recognised that ‘cyber-attacks…can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability.’ The widespread cyber-attacks disrupting government and banking systems in Estonia in 2007 largely informed this evolution of thinking of the potential vulnerabilities of our increasingly connected and digitized societies. A few years later in 2014, NATO Allies acknowledged that the impact of cyber-attacks ‘could be as harmful to modern societies as a conventional attack’. As a result, cyber defence was recognized as part of NATO’s core task of collective defence – NATO’s fundamental reason for being. At the same time, NATO Allies recognized that international law, including international humanitarian law and the UN Charter, applies in cyberspace. This is important because cyberspace cannot be considered as a ‘wild west’ with no rules. On the contrary, there are laws that govern this space.
Above all, the evolution of NATO’s approach to the complex and rapidly developing issue of cyber defence demonstrates the Alliance’s ability to adapt to address some of the most pressing security challenges of the 21st century. Cyber defence is definitely one of them.
What are NATO’s main priorities for cyber defence?
NATO’s mandate for cyber defence is two-fold: to protect its own networks and to enhance cyber resilience across the Alliance of 29 countries. NATO has a number of tools to do just that, with cyber defence experts working around the clock to detect and protect against cyber-attacks. NATO also possesses Rapid Reaction Teams (RRTs) that can be deployed to respond to potential cyber-attacks against NATO networks or to assist NATO Allies upon request. Information sharing is critical to be better informed and better prepared to address cyber threats. To this end, NATO has several tools at its disposal, such as a Malware Information Sharing Platform, which allows information to be exchanged in real-time. Finally, to ensure skills keep pace with technology, NATO has education, training, and exercise programs, which it continues to develop.
NATO is also adapting the way it operates to ensure that it can be as effective in the cyber domain as it is in the physical world. In 2016, Allies recognized cyberspace as a domain of operations – just like air, land, and sea. What does this mean in concrete terms? It will enable NATO’s military structures to better protect missions and operations from cyber threats. It offers a framework to manage resources, skills, and capabilities, while ensuring that cyber defence is fully reflected in exercises, training activities, and crisis response measures. It is important to note that the recognition of cyberspace as a domain of operations does not change NATO’s mission or mandate, which remains defensive.
As one can see, NATO has taken several steps to remain ahead of the curve when it comes to tackling cyber threats. However, there is no end-point on this journey, which means NATO must continue to invest in strengthening its cyber defences.
How is NATO helping its Allies to enhance their national cyber defences?
For NATO to be more cyber-secure, each of the 29 NATO Allies must play their role to enhance the cyber defences of their own national networks and infrastructures. After all, the Alliance is only as strong as its weakest link, therefore raising the level of cyber preparedness and protection at the national level is an important task. Recognizing this fact, at the 2016 NATO Summit in Warsaw, leaders from NATO Allies committed as part of a Cyber Defence Pledge to strengthening their national cyber defences. Since then, NATO Allies have been actively implementing the Pledge. They have been reporting on the development of national cyber strategies, how they are organised for cyber defence, what investments are being made – both in terms of financial but also human resources, and what cyber-related training and education programs are in place, to name only a few aspects.
Several Allies have reported the Pledge to be a valuable tool to raise awareness among senior leadership concerning the importance of the cyber defence issue, which in turn can help to prioritize investment in this area. It has also helped to facilitate coordination among a diverse number of national stakeholders – from security and defence actors, to law enforcement to critical infrastructure operators. Cyber defence entails a truly whole-of-society approach, which extends from the users of technology, to the developers and operators, all the way up to government leadership who we rely on to craft and implement policies that help to harness the benefits, and limit the risks of cyberspace. The Cyber Defence Pledge contributes to building this national effort for cyber defence.
Chelsey Slack is Deputy Head of the Cyber Defence Section at NATO Headquarters. Previously, she worked at Global Affairs Canada. Chelsey earned a Master’s Degree of Philosophy in International Relations from the University of Cambridge, and an undergraduate degree in political science and history from the University of Ottawa. For this article, she is writing in a purely personal capacity. Any views expressed reflect those solely of the author and do not represent those of, nor should they be attributed to any organisation.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors
and do not necessarily represent the views of the NATO Association of Canada.