Implications For the Resilience of The NATO Cyber and Information Space
By Georgi Atanasov, Subject Matter Expert in the Bulgarian Ministry of Defense
In the changed security environment, states seek to achieve their strategic goals as quickly as possible and with fewer resources. This mindset is gradually gaining ground among military and national security decision-makers, who take every opportunity to achieve more with less. The growing appetite for speed and cost-effectiveness is reflected at the military level, where the battlefield increasingly shifts to cyber and information space: this environment offers a unique opportunity to impose costs on adversaries at network speed, with a high degree of deniability and without casualties.
That is why NATO must remain vigilant and aware that cyberspace is dangerously insecure and that the allies' safety can be jeopardized through this man-made operational domain. The security of the alliance's cyberspace is surprisingly fragile, and it is frequently compromised as a result of human error. Human error can be reduced by automation and AI-assisted defenses, but it is almost impossible to eliminate, and therefore we need to begin focusing on building cyber resilience.
Open, democratic societies are more vulnerable to attack because they offer largely unrestricted access to cyber and information space. For instance, government employees in network and system administration positions increasingly telework, which makes them attractive targets for social engineering and therefore a weak spot for national security. The most sensitive sectors are defense, foreign policy, and critical energy infrastructure. In the foreign affairs and defense context, unauthorized access to sensitive information residing on MoD/MFA computers would compromise national and NATO/EU information, harming the national interest, the interests of our allies, and collective defense. Teleworking, an otherwise effective public-health measure, also increases the opportunities for a state or non-state actor to exploit the information space by replacing real news on the MFA/MoD website with fake news, videos, and false statements, sabotaging our foreign policy posture.
Another, even more dangerous, scenario would be an attack on a nuclear power plant. Such an attack could use Stuxnet-like malware introduced into the plant's control systems by an infected USB flash drive plugged into a computer on the internal network. If successful, it would threaten our national security and the security of our neighbors. It could also undermine trust in nuclear energy in Europe and have economic ramifications.
NATO member states must adapt to the new environment where teleworking will likely become a new normal for government institutions. We need to strike the right balance between being a modern and mature digital society, and actively using cyberspace while safeguarding our national security and the security of our allies. To achieve a durable long-term solution our approach should be comprehensive and address the root causes of the problem.
Although raising the cyber awareness of NATO employees and adopting best practices is a sound approach, it does not deliver lasting results because it does not affect the adversary's motivation to engage in unauthorized use of cyberspace. A more durable, long-term solution would therefore target the adversary's willingness to attack. We can significantly reduce the incentives for malicious exploitation of cyberspace by strengthening our cyber resilience and our capacity to recover.
As it grows, cyberspace becomes a more accessible medium for asymmetric attacks against government institutions and critical infrastructure, and thus a breeding ground for new threats to allied cyber and information space. COVID-19 caused a boom in teleworking, and many government employees started to work remotely from their homes. Although these measures remain effective against the spread of viral infections, they have an adverse side effect in cyberspace: they create opportunities for spreading malware and for gaining unauthorized access to government-owned networks. Teleworking by government employees in essential network and system administration positions therefore constitutes a significant threat to the security of NATO cyberspace. The most critical domains in this regard are defense, foreign policy, and the energy sector, where a significant disruption of services could have major and even catastrophic consequences.
The main methods of gaining unauthorized access to government networks include spear-phishing campaigns, malware, social engineering, and the misuse of legitimate user accounts. A breach of our government networks would give a rogue state or non-state actor the opportunity to manipulate government websites or to send fake messages or even fake videos.
In the defense sector, a civilian or military network/system administrator working from home could become a target of interest for an adversary's intelligence services. With creative social engineering, combined with password-cracking tools (for instance, those bundled in a penetration-testing distribution such as BackTrack 5, the predecessor of Kali Linux), an individual working for an ill-intentioned actor may obtain the administrator's credentials and gain access to sensitive information residing on government computers. A cracking tool needs something to work on, such as a captured password hash or an exposed remote-login interface, and that is precisely what a compromised home network or a successful social-engineering approach supplies. This scenario constitutes a confidentiality breach: it compromises sensitive national and NATO/EU information and harms the national interest, the interests of our allies, and collective defense.
By hacking into the Ministry of Foreign Affairs network, the adversary could compromise data integrity by replacing real news on the MFA website with fake news, videos, and false statements, sabotaging our foreign policy posture. Even worse would be a scenario in which a foreign state actor seeks to embroil one ally in a dispute or conflict with its neighbors, partners, and allies in the EU and NATO, taking advantage of existing foundational narratives. By manipulating a foreign minister's statement published on the MFA website so that it contains unfavorable remarks about a neighbor or another NATO ally, an attacker could trigger a crisis and significantly harm our bilateral, regional, and even transatlantic relations.
The source of information is of utmost importance in reaching a larger target audience. If the apparent source is the Ministry of Defense (MoD) or the Ministry of Foreign Affairs (MFA), false information will be taken at face value, and it will then be hard to explain to our citizens that what the institutions announced on their own websites was manipulated. In terms of data availability, the attacker could block access to the MFA website by launching a Denial of Service (DoS) attack against the MFA web server. Such an attack could use freely available software such as Low Orbit Ion Cannon (LOIC), which floods the server with a large volume of TCP, UDP, or HTTP requests until it is overwhelmed and inaccessible to legitimate users. A single LOIC instance is comparatively easy to rate-limit or block at the network edge; the distributed variant, with many sources, is the harder problem. And since the attacker in this scenario has obtained network and system administration privileges, he could also log in to the server and delete the entire website.
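The flood described above leaves a simple signature in the web server's access log: one source address issuing far more requests per second than any human visitor. The following detector is an added example, not code from the article or from any ministry; it parses Apache/nginx-style access-log lines and flags sources that exceed a request threshold within a sliding time window. The log lines are constructed and use RFC 5737 documentation addresses; the window and threshold values are assumptions to be tuned per site.

```python
"""Rate-based flood detection over web-server access-log lines.

Added example (not part of the original article): flags source addresses that
issue more than `threshold` requests within any `window_seconds` sliding window,
which is the signature a LOIC-style HTTP flood leaves in an access log. The log
lines below are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx common-log style line: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def flood_sources(lines, window_seconds=10, threshold=50):
    """Return {ip: peak_requests_in_window} for every source whose request count
    exceeded `threshold` within some window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it spans at most window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log: one host hammering the front page at ~60 req/s,
    two ordinary visitors, and one malformed line that the parser must skip."""
    base = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, req="GET / HTTP/1.1", status=200, size=5120):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "{req}" {status} {size}'

    lines = [line("203.0.113.7", base + timedelta(milliseconds=16 * i)) for i in range(300)]
    lines += [line("198.51.100.4", base + timedelta(seconds=3 * i), req=f"GET /news/{i} HTTP/1.1")
              for i in range(20)]
    lines += [line("192.0.2.9", base + timedelta(seconds=20 + 7 * i)) for i in range(5)]
    lines.append("this line is not an access-log record")
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(build_sample_log()).items():
        print(f"flood suspect {ip}: {peak} requests within 10 s")
```

Run against a real log, the same function would be fed `open("/var/log/nginx/access.log")` instead of the constructed list; the per-source peak count is what you would compare against a block or rate-limit threshold. Note that this catches a single-source flood only; a distributed flood spreads the same volume across many addresses and needs aggregate-rate or per-URL counting as well.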
Another, even more dangerous, scenario would be an attack on a nuclear power plant. The cyber-attack on Iran's uranium enrichment facility at Natanz, discovered in 2010, used malware known as Stuxnet. The malware was so sophisticated that some authors called it a "digital ghost." It was reportedly delivered to the facility on a USB thumb drive. Stuxnet recorded normal sensor readings and replayed them to the operators' monitoring systems, so that all parameters appeared to be within normal range, while it altered the commands sent to the programmable logic controllers (PLCs) driving the centrifuges. This is manipulation and misrepresentation of data which, in terms of the CIA (Confidentiality, Integrity, and Availability) triad, constitutes a breach of integrity. The attack demonstrated that even the most heavily protected, air-gapped Supervisory Control and Data Acquisition (SCADA) systems are vulnerable from the inside. An air gap is a security measure that isolates a device, a component, or a private local area network (LAN) from other devices and networks, including the public internet. An air gap is also known as an air wall, and the strategy of using air gaps to protect critical data is also known as security by isolation.
Similarly, today, more than a decade later, if an infected USB flash drive is plugged into a computer belonging to an ally's nuclear power plant SCADA system, the Stuxnet scenario can repeat itself at that plant, most likely with a more advanced worm. It would jeopardize not only the ally's national security but also the security of its neighbors. It also has the potential to undermine trust in nuclear energy in Europe and hurt the European economy. Similar intrusions are also likely to occur at other critical infrastructure sites, such as metropolitan transit management systems and oil refineries, on the territory of NATO member states.
Although they might seem far-fetched, these scenarios are quite likely to occur. The threat is genuine because teleworking is gaining popularity, and it expands the opportunities for unauthorized access to government cyberspace. The more government employees work from home, the more opportunities malicious individuals or state actors have to hack into employees' home networks and obtain their corporate credentials. The threat is complex because it exploits known vulnerabilities in cyberspace to reach into the information environment as well, and it can cause both tangible damage and intangible reputational damage, with internal economic and external political implications affecting the economy and the foreign policy posture.
An attack against a nuclear power plant would be the most dangerous one. The threat associated with it can be classified as critical, since "modification or destruction of computers that control physical processes can lead to cascading effects (including collateral effects) in the physical domains." Unauthorized access to the MoD or MFA networks and exfiltration of sensitive national and NATO/EU information can be considered a major threat to collective security. Not only does it jeopardize the collective defense of the alliance, but it also crosses over into the information space and degrades a NATO member state's foreign policy posture, undermining the cohesion of NATO and the EU and transatlantic relations.
Recommended action and way ahead
NATO member states should strive to grow from basic information security and cyber hygiene into modern, mature societies capable of withstanding cyber threats across all spheres of life. Our strategy should therefore focus on investing in capacity in information and cyberspace. Our approach should be holistic and comprehensive: it should harden the cyber and informational aspects of the national security posture while at the same time using strategic communications to counter misinformation.
NATO should seek to implement what is known as "zero trust" architecture in all networks and improve its layered security to ensure cyber resilience and business continuity at all levels. Zero trust is a security approach in which no user, device, or network location is trusted by default: a request from inside the ministry LAN is treated exactly like one from a teleworker's home, and every access is authenticated, checked against device posture, and authorized against least-privilege policy before it is granted.
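What "verify every request" means in practice is easiest to see in code. The following per-request authorization check is an added example, not part of the article or of any real NATO or ministry system: identity, MFA, device compliance, and role are evaluated for every request, while the source network is recorded for audit only and never used as grounds for trust. The resource names, roles, policy table, network ranges, and sample requests are all hypothetical.

```python
"""Per-request authorization in the zero-trust style.

Added example (not part of the original article or any NATO system): every
request is evaluated on identity, MFA, device posture, and role, and the source
network is logged but never used as grounds for trust. Resource names, roles,
network ranges, and the sample requests are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Hypothetical "inside" ranges. Recorded for audit only; they grant nothing.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical policy table: resource -> action -> roles allowed to perform it.
POLICY = {
    "mfa-website-cms": {
        "read": {"staff", "press-officer", "web-admin"},
        "publish": {"press-officer", "web-admin"},
    },
    "mod-file-server": {
        "read": {"staff", "sysadmin"},
        "admin": {"sysadmin"},
    },
}


@dataclass(frozen=True)
class Request:
    user: Optional[str]          # authenticated identity, None if anonymous
    roles: FrozenSet[str]
    mfa_verified: bool           # second factor completed for this session
    device_compliant: bool       # managed, patched, encrypted, as attested by the endpoint agent
    source_ip: str
    resource: str
    action: str


def is_internal(ip: str) -> bool:
    """Context for the audit trail only; the verdict never depends on it."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check runs regardless of source network."""
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_verified:
        return False, "mfa required"
    if not req.device_compliant:
        return False, "device not compliant"
    allowed_roles = POLICY.get(req.resource, {}).get(req.action)
    if not allowed_roles:
        return False, "no policy for resource/action"
    if req.roles.isdisjoint(allowed_roles):
        return False, "role not permitted"
    return True, "allowed"


def audit_line(req: Request) -> str:
    """One log line per decision; 'internal'/'external' is context, not a verdict."""
    allowed, reason = authorize(req)
    where = "internal" if is_internal(req.source_ip) else "external"
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={req.user} {req.action} {req.resource} from {where} {req.source_ip}: {reason}"


# Constructed requests illustrating the decisions.
SAMPLE_REQUESTS = [
    # On the ministry LAN but without MFA: network location buys nothing.
    Request("press.officer", frozenset({"staff", "press-officer"}), False, True,
            "10.20.30.40", "mfa-website-cms", "publish"),
    # Teleworking from home with MFA and a compliant laptop: allowed.
    Request("press.officer", frozenset({"staff", "press-officer"}), True, True,
            "203.0.113.50", "mfa-website-cms", "publish"),
    # Remote sysadmin, MFA done, but from an unmanaged personal device.
    Request("sys.admin", frozenset({"sysadmin"}), True, False,
            "198.51.100.9", "mod-file-server", "admin"),
    # Staff user attempting an admin action: least privilege applies.
    Request("j.doe", frozenset({"staff"}), True, True,
            "192.168.1.15", "mod-file-server", "admin"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(audit_line(r))
```

The first sample request is the one that distinguishes this model from a perimeter model: it comes from an internal address and is still denied for lack of MFA. In a production deployment, `mfa_verified` and `device_compliant` would come from the identity provider and the endpoint management agent rather than from the request itself.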
We must adapt to the new digital environment where teleworking will likely become a new normal for government institutions. At the same time, we need to find the right balance between being a modern and mature digital society actively using cyberspace while safeguarding national security and the security of our allies.
Since security is only as good as its weakest link, one approach is to address the weakest link in the security architecture: the human factor. To prevent unauthorized access to our government networks effectively, we need to raise the cyber awareness of our employees through constant training and the adoption of best practices. Our citizens should become aware of social engineering attempts and more vigilant regarding phishing e-mails. Although this is a sound approach to hardening the security of our networks, the vulnerability never disappears entirely: human error can be reduced but not eliminated.
A more sustainable, durable, and long-term solution is to invest in strengthening our cyber resilience and our capability to recover at all levels. This strategic approach can be achieved by creating more redundancy in our infrastructure, backed by tested backups and rehearsed recovery procedures. It affects the adversary's incentive to attack, since they come to realize that their efforts would have no lasting effect. This course of action would significantly reduce the motivation for unauthorized access to the cyber and information space of government institutions. It implies an increased financial burden, but it addresses the root cause of the problem, the adversary's willingness to attack, and therefore the benefits will outweigh the costs.
The spectrum of cyber threats will continue to widen in the foreseeable future, and more and more government institutions will likely become victims of successful cyber-attacks. As Robert Mueller, then FBI Director, put it in 2012, "There are only two types of companies: those that have been hacked, and those that will be." Therefore, we need to harden our government networks' security at all levels by investing in human skills and more secure infrastructure, and to adopt a longer-term approach by increasing our cyber resilience against these threats and becoming better prepared.
About the Author
Georgi Atanasov, staff officer in the Bulgarian MoD.
He is a graduate of the Varna Naval Academy, currently serving as a senior subject matter expert in strategic defense planning in the Bulgarian MoD. Georgi is an expert in the effective use of cyberspace for strategic advantage and national security. He has significant strategic-level experience in NATO and EU defense-related projects. He holds the Cisco CCNA Security certification and a master's degree from the College of Information and Cyberspace, National Defense University, Washington, USA. Georgi can be reached online at LinkedIn: https://www.linkedin.com/in/georgi-atanasov-99329668