NATO and its role in internet security – geopolitics of intenet security governance?  20.3.11

“The threat is there to see and if the worst were to happen…” (Donald Rumsfeld, Feb 2003)

Looks like Stuxnet is the best of all electronic Pearl Harbours, so far. The signs on the walls of what could be. The “game changer” (DHS cyber director), the menace that seems to convince politicians, media and the public alike that there is something potentially very threatening. It has taken some fifteen years of fear mongering to achieve that.

Menaces, threats, risks, dangers require responses, yet which? Military and strategy circles have for years tried to establish their role in “cybersecurity”. NATO, and first and foremost military circles in the US, have pushed cyber security for years. US Vice Secretary of Defence has constantly stressed the necessity for NATO to build up cyberwarfare capacities since he took office in early 2009. After the Estonian 2007 cyberattacks, NATO set up it Cooperative Cyber Defence Center of Excellence in beautiful Tallinn, Estonia.

The polity of internet security governance

The Centre is first of all a research institute that works on legal issues just as well as it explores potential scenarios of cyber warfare and the overall institutional design of internet security. Eneken Tikk concluded a brief paper on that, called “Global Cyber Security – Thinking About The Niche for NATO“. According to her analysis, NATO’s role in the busy organisational architecture of internet security and its place next to other “international cyber security organisations” should be in dealing with cyber warfare and cyber terrorism as her illustrative matrix shows:

Tikk states that “for NATO, the challenge will be to exploit and fit into the already existing, somewhat fragmented, cyber security organization implemented by nations.” NATO’s unique contribution should lie in contributing to provide input for the task of “Cyber armed attack response” as her following matrix shows:

NATO’s role therein

But how would this translate to the operational level? What actually should these organisations be responsible for? Which problem should they address that so far is orphaned and makes real internet security threats? NATO’s secretary general, Anders Fogh Rasmussen quoted it as a “new form of permanent low-intensive warfare” (n-tv.de). While it is unclear what he referred to, an Estonian security expert recently linked permanently ongoing DDoS attacks to the notion of cyberwar. (3Sat.de, in German, but sequences with English speaking persons are subtitled and not dubbed.) In the very same TV programme, Estonian’s secretary of defence describes his cyber army, a concept which was received by some with raised eyebrows.

At the Munich Security Conference in February, internet security was planned to be one of the top topics, until it was relegated by the upheavals in the MENA region. Munich security conference is a remarkable institution by itself. No decision making, only talks by military top dogs from military, politics, diplomacy and foreign politicy/securtiy think tanks and selected academics. Only talks, hence no decisions on internet security. It hosted a range of remarkable discussions, most noteworthy among them the 2003 showdown between Rumsfeld and then German Minster of Foreign Affairs Fischer (“and excuse me, I am not convinced”, Telegraph.co.uk).

A month later, NATO defense minsters “shape cyber defense policy”, as DefenseNews headlined last week by copying the underlying message of the NATO press release:

“Computer Incident Response Centre is being brought up to full operational capacity by 2012. This means investing in equipment and creating cyber response teams to systematically help member states that request assistance, the official said.” And: “The concept also refers to the need to integrate cyber threats into NATO’s defense planning. Defense ministers are expected to approve a renewed NATO cyber defense policy and establish a strategy at their next meeting in June.” (DefenseNews)

With the usual vague terms, NATO included the cyber dimension into its Strategic Concept last year in its Lisbon meeting. The “security environment” as perceived by NATO would require such provisions:

“Cyber attacks are becoming more frequent, more organised and more costly in the damage that they inflict on government administrations, businesses, economies and potentially also transportation and supply networks and other critical infrastructure; they can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability. Foreign militaries and intelligence services, organised criminals, terrorist and/or extremist groups can each be the source of such attacks.”

To address looming security concerns, NATO will:

“develop further our ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyber-defence capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations.” (NATO, Strategic Concept for the Defence and Security, Lisbon, Nov 2010)

Communities and the ICT industry as security aides

But how could this practically work, given that large infrastructures basically are owned by private enterprises? The initial assumption amongst many presumably is: it ain’t work. So, getting back to Stuxnet, the stance of the industry understandably comes across pretty laid-back. A board member of the German Bitkom, the association of the internationally rather neglectable German IT industry told in a recent interview (in German): “Stuxnet is a wake-up call – what we now need is security-engineering, not activism in sight of a threat of cyber-war”. A wake-up that, from the industry’s perspective, allows to stay in given institutional beds just a little bit longer.

National and international security organisations (think of police, military, departments of justice and interior etc) however perceive the situation influenced by their organisation’s agenda. They tend to ask existing internet security actors to pioneer new ways – ways that for better or worse include the trotted paths of security provisioned by states and international organisations. Tikk’s paper rightfully observes issues that haven’t been addressed so far by the current institutional design of internet security; she also rightfully observes gaps in “horizontal, cross-organisational coordination and responses”. But is a hierarchical organisation in the secretive military realm the appropriate organisation to solve these horizontal coordination problems? My initial assumption would be: I can’t think of any organisation that is less suited for the job given that much of internet security provisioning requires networked collaboration based on at least partial openness. But then: states are actors in the internet security governance field, they have their national security concerns based on internet-borne threats.

The fundamental question in internet security governance currently and in the years to come is who’s going to transform whom: traditional security organisations the internet security community or vice versa.

How could an security organisation be responsible for or dominate something it does not control? A look into Richard Clarke’s recent World Wide War helps illuminating it. To ensure the proper defence of national information security infrastructures, Clarke calls for coercing the private sector into securing the cybersphere and built resilience into their system design and network architectures.

While Clarke’s book certainly helps to reframe the discourse on internet security governance and aims at increasing the acceptance of a massive state-driven shift of control for the sake of general security, the Estonia government and its Ministry of Defence have already taken steps that could be interpreted as rather drastic. Estonia is notorious for its all-encompassing and innovate usage of the internet. Besides, its role in internet security governance is quite interesting. Only a couple of weeks ago in the run-up to the latest Nato summit, its head of stated called for for an extended mandate and build-up of capabilities for NATO in the field of cyber security.

Geopolitics to meet operational internet security?

But obviously, there is a conflict among NATO members to which degree responsibilities should be transferred to NATO. The Estonian press release on the meeting between President Toomas Hendrik Ilves and US Cyber Force Commander and NSA director Keith B. Alexander said: “President Ilves described NATO only focusing on defence systems of the alliance and its allies for the purposes of cyber defence as “short-sighted”. Instead:

“We have no other choice today – NATO must enhance the importance of cyber defence in joint activities, operative planning, the drafting of emergency plans and management level, including, for example, the organisation of cyber exercise.” (president.ee)

It reads as if Estonia wanted to slip under some kind of “informational umbrella” and the US might actually be able to offer something akin to it, but not every NATO member would be willing to transfer their informational responsibilities to the NATO. (Estonia: NATO needs an extensive cyber shield) Responsibility of NATO solely or primarily for protecting its very own networks must be the lowest common denominator among NATO allies and a sign of diverging internet security interests. Any transfer of competencies beyond that, be it global monitoring capacities or supranational incident response facilities, is presumably related to considerations belonging to a field called: the geopolitics of internet security governance.