The NATO Council of Canada, operated by the Atlantic Council of Canada, thanks Dr. Jamie Shea, Cardiff University, and NATO’s Public Diplomacy Division for their work in organizing the conference “NATO After the Wales Summit”, which took place Sept 2 2014 in the Pierhead building in Cardiff, Wales.
The key themes of the conference included cyberspace and maritime security, smart defense, and cooperation in a post-Afghanistan age. The Conference programme can be found online here: http://www.cardiff.ac.uk/cy/wales-summit/programme
Jenny Yang interviewed Dr. Jamie Shea, a NATO Deputy Assistant Secretary General for Emerging Security Challenges. He has worked with NATO since 1980; his previous roles include Director of Policy Planning in the Private Office of the Secretary General, Deputy Assistant Secretary General for External Relations, Public Diplomacy Division, Director of Information and Press, Spokesman of NATO and Deputy Director of Information and Press, Deputy Head and Senior Planning Officer at the Policy Planning and Multilateral Affairs Section of the Political Directorate, as well as Assistant to the Secretary General of NATO for Special Projects.
Jenny Yang: During the Summit, reports claim that NATO is set to ratify a joint pledge on joint defence in the case of a cyberattack. Could you give us more details on this development?
Dr. Jamie Shea: After a long debate in NATO, the allies have decided that Article 5, the collective defense clause in the NATO treaty, can apply to the cyber domain like it would apply to any other form of armed attack. So in other words, a cyber attack, at a certain threshold of severity, could provoke, could trigger a NATO Article 5 collective response.
JY: Wasn’t that something already decided in 2012?
JS: No, it was decided that cyber attacks could be of sufficient gravity to concern later, but the formal link to an Article 5 collective response, which is more concerned with action than response, wasn’t there before this new policy was adopted by the Allies back in June.
JY: Cyber attacks are often calibrated in a way that falls in the grey area (below justifying a military response). How can NATO address the threshold questions with respect to cyber security?
JS: The key thing is to help the Allies individually to be more resilient in dealing with cyber attacks, and there are a lot of things that NATO can do to improve, if you like, the cyber health of the Allies; for example, giving them advice on how to construct their defense military information technology networks, so they learn from the experiences of others, in terms of reducing their attack surfaces, as they modernize their information technology. So NATO is acting again as a forum for best practices, lessons learned from operations are shared. We have in Tallinn, as you undoubtedly know, a Centre of Excellence, which currently involves 12 Allies, 12 Allied nations which develop this kind of know-how, sharing of information, by organizing workshops, seminars, conferences, running exercises and so on. So we act, if you like, as a NATO hub to share this kind of know-how and information.
The second area is using the defense planning process, I referred to this in my talk, to give the Allies collective cyber capability targets, which all of them have agreed to come up to. They all accepted this target, by 2019, to do basic things, like form a National Cyber Internet Response Center, to improve their encryption, to improve, for example, their authentication, their identity online, and to designate points of contact, in other words, to have a proper crisis management structure, because, you know, if there’s a cyber attack, you need to know who, in Ottawa or Washington, who you’re going to call, who is the person you need to have on the other end of the phone, so you can transmit the information, and who can take action nationally. So we’ve started with these targets in the defense planning process. We have also signed memoranda of understanding, bilaterally, between NATO and nearly all of the Allies, on things like crisis management, information sharing, etc., designating contacts and the rest. I mentioned the education, the training exercises, we run every year, for example, a big exercise called Cyber Coalition in Estonia, every year in November, with 400 different operators from Allied governments, who are practicing in how to handle cyber attacks, so that we can normalize procedures. These are just the examples to demonstrate that there is a lot happening. So even though this is below the Article 5 level, we’re helping allies in terms of how they can construct cyber systems, how they recover from a cyber attack, how they handle a cyber attack, early warning, in terms of sharing information about malware which has been detected in Allied systems, and the idea is to gradually, over the time, narrow the gap between the very cyber capable nations, obviously the United States, and those countries which have come into the game, somewhat later and are still dealing with the basics of cyber defense. 
So in other words we’re not saying to the Allies, unless it’s a massive attack, like Estonia in 2007, unless it’s an Article 5, there’s nothing we can do. We’re not taking that view at all. We’ve got strategies above Article 5 level and below Article 5 level.
JY: In the Group of Eight summit in Northern Ireland, the US and Russia signed a pact to reduce the risk of cyberconflict. How have recent events in Ukraine impacted US-Russia cooperation on cybersecurity?
JS: It’s obviously made the situation more difficult, because these types of activities are always dependent on the overall political atmosphere, in terms of trust and meetings. Again, I can’t speak for the US, because I work for NATO, but obviously, the current political environment is leading to the cancellation of some of these meetings. The US has had some cancellation of meetings with China recently as well. So these are good things to do, but they do depend on overall quality of the political relationship.
JY: Andrey Ivlyev, who writes for the Noviy region news agency: “Over the course of 70 years of well-being, Western leaders have degenerated into banal Chamberlains. The world is waiting for the appearance of a new Churchill.” What are your views on this statement?
JS: Well, I mean, it’s different now. I mean, Churchill emerged as a leader only after the major war had begun. Sometimes, it’s true, that you need different political figures in peacetime and different political figures in war time. Don’t forget about Winston Churchill. The British public liked him until the moment that WWII ended, and in the election of May 1945, at the end of the war, Churchill, who expected to win, suffered a massive defeat. The Labour Party won, and Clement Attlee, the deputy prime minister, became prime minister. Churchill was out of power until 1951. Lesson: the British public identified Churchill as the man for war time, but they didn’t want him to be a peace time leader. Now at the moment we’re not in the major war, we’re in the period of difficulty and danger, absolutely, but still within a general peace. And therefore, I imagine that you can always discuss the quality of the leadership that you have, but what we basically need are leaders who can be firm, for example vis-à-vis Russia at the moment, but also keep the door open for dialogue, because there is a need for dialogue with Russia, we need to try to de-escalate, we don’t want to push this towards some kind of ultimate break of all of our relations with Russia. That wouldn’t be in Russia’s interest. That wouldn’t be in our interest. Diplomacy today is not always about what you would call black and white leadership, it’s often about complicated maneuvering in terms of balancing interest, and I think you should judge the leaders according to those criteria, I would say, rather than judge today’s leaders vis-à-vis war time leaders like Churchill.
JY: On Aug 27, there were reports that major US banks such as JP Morgan were the target of a massive cyberattack that defence officials suggested may have originated in Russia. Would a cyberattack causing massive economic disruption, but no physical damage warrant retaliation under the right to self defence?
JS: It certainly merits a response. Particularly when you have, for example, persistent threat type of attacks, which are well-organized and conducted over a series of days, and if you have indications that these attacks are coming from one source or one country, certainly there is, in international law, a right to go to that country and request cooperation, particularly data, freezing data capture, and then, subsequently, help with prosecutions, where the perpetrators have been clearly identified. Unfortunately in the world today there are still too many ungoverned spaces where criminal groups can operate, either because the state simply doesn’t care or because the state allows this to happen thinking that these groups could be useful as proxies. That’s the problem with the cyber world, it’s sometimes difficult to know on whose behalf and under whose directions many of these criminal groups are operating. On the other hand, [attacks] like the one recently against JP Morgan obviously shows the need to continue to set the standards for particularly critical industries like banking, or water, or chemicals, or traffic control, standards of protection. The Securities and Exchange Commission in the US, now in New York, has established standards of cyber protection in exchange for certifying and listing on the Securities and Exchange Commission banks. So, increasingly, banks are recognizing that if they want to get insurance, if they want to get a listing, if they want to get a government certificate to do business, a license to operate, they mustn’t only deal with corruption but they also have to come up to certain levels of cyber security as well. And the SEC case is interesting, and now about 75% of the exchanges in the world have also said that they are going to start following the American model of laying down mandatory standards for cyber security.
JY: How has the Tallinn manual been the first step towards laying down those global standards?
JS: Well, I think it’s important, because it suggests that we’re not in a totally new area, where none of the old rules apply, and all of the legal concepts have to be rethought. The good news about the Tallinn manual is 99% of existing international law applies to the cyber domain, the concepts of privacy, of copyrights, of transparency, protection of children, child pornography, non-exploitation of people, the criminal side, they apply. Of course, we may have to think of ways in which we could make the law work, obviously, but it’s starting to work, many people have been prosecuted for hacking; there have been many criminal cases in my country, in the UK, in the US, where people who have been identified to be behind the hacking attacks have faced prison sentences. So, this destroys the notion, which is good, that attribution is impossible, you know, they often say: ‘ah, we can never find who did the attacks’. Not true, we can. Attribution has become increasingly possible, and secondly, that legal systems are beginning to be able, technically speaking, to process the evidence gained from cyber and data, and to apply the law, which I think is going to send a powerful signal that hackers are now being effectively brought to justice. I’d like to see more of this but I think it’s an important precedent. The message we have to get out to people is: because something happens in cyberspace doesn’t make it less serious than if it happens in the real world. If you have a child who commits suicide because he or she has been bullied on the social media – genuine cases – that is no less serious than somebody who has suffered bullying and/or physical violence in the real world. The fact it happened in cyberspace doesn’t make it less of a serious offense. So I think that this is an important principle. And it’s going to evolve slowly, but it’s starting to happen.