Assistant Secretary General Peter Flory
Cyber Security and the Spreading Challenges
As Ulrich Wolf pointed out, the cyber security panel used to be on the third day, at the bottom of the lineup, and the fact that we have gone up the schedule shows the importance of the issue and the importance that is being assigned to it.
Also, there has been growth in the number of IT companies represented here today. This highlights the fact that information fuels everything in our society, not only warfare but peace as well. Just to focus on some of the top outputs here, this panel has gone from a cyber-defense panel to an information panel, and in terms of focusing on the end game of information and decision superiority, which Bob Lentz mentioned earlier, I wonder how it will come out at the end of the day. Just like in the Wizard of Oz, I wonder if the Information Revolution is a good witch or a bad witch. This is an important question, and a lot of what we are talking about here goes into making sure that it comes out the right way.
THE GROUP OF EXPERTS REPORT AND THE FUTURE SECURITY ENVIRONMENT
To address how NATO as an organization and a group of nations thinks about the value of information and the threats to information, a useful place to start is to look at the Group of Experts report that was put together by a group of distinguished thinkers led by Madeleine Albright. This interesting report is available on the Internet and should not be confused with the new NATO Strategic Concept, which has not yet been written. The report is an extremely important document that was put together with great transparency and an enormous amount of input from the private sector and from citizen groups. It does a pretty good job of framing the issues that the Alliance will try to capture in its Strategic Concept and of identifying some of the considerations and other factors that the Alliance will look at when it grapples with these issues.
Potentially Vulnerable Information Systems. One of the Group of Experts’ points (noted as factor no. 4) is the world’s increased reliance on potentially vulnerable information systems. This is not surprising to anyone at this workshop, but it was not something we thought about a lot in NATO until recently, and it is not something that would necessarily have been picked as having a role in the Strategic Concept.
Implications of the Threats. Referring to the implications of the three threats that have been identified as the most probable—cyber attacks, ballistic missile attacks, and international terrorist attacks—and what NATO should do about them in terms of developing capabilities, there is a section on C4ISR, NATO’s operational glue, that makes us interoperable, agile, and a cohesive whole, so again we see the role of information as a key enabler in our operations. The report also talks about what we need to do to defend our information, to defend our networks, to monitor them, and to train people.
The Concept of Awareness. One thing that is missing but that I hope will be there by the time the final Strategic Concept is written is the concept of awareness. With modern social engineering, all organizations find out how easy it is, even for smart and reasonably cyber-aware people, to make mistakes that can cost at a minimum lots of hours of time and lots of dollars or euros. However, in some of the situations that have been envisioned, giving up that kind of control of your network could lead you to much more catastrophic results.
Deterrence and Cyber Attack. One of the key issues that the Alliance will have to discuss is the question of deterrence and cyber attack. Where does cyber attack fit with respect to NATO’s traditional Article 5 responsibilities? I will read quickly from the Group of Experts report because although I think there are a number of ways in which you could phrase this, this is probably a pretty useful one: “The next significant attack on the Alliance may well come down a fiber optic cable. Already cyber attacks against NATO systems occur frequently but most often below the threshold of political concern. However, the risk of a large-scale attack on NATO’s command and control systems or energy grids could readily warrant consultations under Article 4 and could possibly lead to collective defense measures under Article 5.”
This is fairly straightforward, and there is nothing new there, but it is an important point that is enshrined in the Group of Experts report and it is clearly something that the Alliance will think about as we put together the Strategic Concept. The only thing I would add is that when it says “an attack on NATO’s command and control systems or energy grids” I read that to mean “an attack on nations’ or a member-nation’s command and control grids”—something along the lines of or even more intense than what happened to Estonia a few years ago.
So that will be an issue, and it was already an issue when we put together our cyber-defense policy a couple of years ago after the original Estonia attacks. Nations stepped somewhat cautiously around it at the time and I think it is one of the main things that people who follow cyber defense are looking at to see how the Alliance will treat it in the Strategic Concept. A number of nations are extremely interested in this, and if it is not addressed in the right way in the Strategic Concept, we will miss a serious opportunity.
CHANGING “HUMAN SOFTWARE”
So this is what we are thinking about cyber defense and some of what we are thinking about information. But what are we doing about it? On a policy level, a couple of years ago we adopted the NATO Information Management Policy (NIMP), which enshrines the responsibility to share information along with the responsibility to protect information as a co-equal value. This needed to be done and it is currently being implemented through directives. Ultimately, though, this is a question of human software as much as anything else: People who have been trained to protect information do not necessarily regard sharing information as something that is as important as protecting it, but we did make some important first steps here. In fact, when Allied Command Transformation recently hosted a conference on NATO network-enabled capability, its theme was on information sharing and how to change the human software so that people viewed information not just as something to be hoarded and taken out and admired in the dark of night, but something that is a resource that has to be shared, managed, and protected, of course, but also is subject to a cost-benefit analysis as opposed to just being ritually and reflexively protected.
A few years ago, when General Ton van Loon, who is a workshop participant this year, came to talk to one of my committees about the difficulties of interoperability and sharing information, he said that soldiers will always find a way to get things done. The good news today is that not only do soldiers find ways to get things done, but they do it by reshaping the framework, not by doing it within the framework, and they do not have to worry about getting criticized by the security people.
Some of you may have read about the Afghan Mission Network, which is a revolutionary approach driven by General McChrystal in ISAF for bringing national and NATO networks together so that, for the first time, you can have the unity of command and the unity of effort that are the centerpieces of General McChrystal’s counter-insurgency strategy. As a subset of this issue, the G2 in ISAF, Major General Mike Flynn, wrote a report on intelligence for counter-insurgency. In his report, he highlights how traditional intelligence, the traditional information that we collect, is a necessary but not a sufficient contribution to counter-insurgency warfare, and he stresses the importance of other kinds of information. But what General McChrystal is doing is going to create for the first time the shared situational awareness that we have not had in the Alliance recently and not had in Afghanistan. It is going to be a critical enabler in his ability to conduct his mission.
I want to go back now to the question we talked about earlier: Is the information revolution a good witch or a bad witch? I think this goes to the overall NATO information campaign. One area in which I think the Group of Experts might have injected more insight is the broader question of public diplomacy—NATO’s image, NATO’s role. This is a factor both in terms of operations in Afghanistan and with respect to how NATO is viewed in member-countries—support for defense budgets in member-countries, support for NATO membership in countries that are potentially interested in joining NATO. But one way to look at this question is a variation on the old economic law, Gresham’s Law, which posits that bad money drives out good. Concerning information, I think that the question is, Does good information drive out bad information?
If you look at the question that was posed with respect to Iran, or with respect to extremism generally, or regarding the United States, where various sorts of wild ideas get out on the Internet and obtain credibility for a period of time before ultimately getting debunked, the answer to the question is very important. So I think the first question we must ask is, Does good information drive out bad information? And the second is, If it does, how long does it take? Because before you get to the long term, you have got to get to the short term, and if the short term is going to be a disaster, knowing that theoretically you are ultimately going to win is not very helpful. I tend to be optimistic on this, but I want to throw these questions out there to see what other panelists from the audience think about them.