
Book: INTERNATIONAL SCIENTIFIC CONFERENCE STRATEGIES XXI


Location: Romania
Author(s): Eugen Valeriu Popa
Title: CYBER DEFENCE IN THE NORTH-ATLANTIC TREATY ORGANISATION: STRUCTURES
AND TRENDS
URL: https://www.ceeol.com/search/chapter-detail?id=467088
CEEOL copyright 2017
STRATEGIES XXI International Scientific Conference
Complex and Dynamic Nature of the Security Environment

CYBER DEFENCE IN THE NORTH-ATLANTIC TREATY ORGANISATION: STRUCTURES AND TRENDS
Eugen Valeriu POPA
Lieutenant Colonel (Ret.), PhD Student, “Carol I” National Defence University,
Bucharest, Romania. E-mail: eugenvaleriu@gmail.com

Abstract: Cyber security became a matter of global interest and importance with the
globalization of communications networks and of the infrastructure components of information
technologies, as economic, political and military systems increasingly use cyber systems in
their decision-making processes. Cyberspace is the new field of war that has lately joined the
traditional arenas of battle: land, maritime, air and space. At the North-Atlantic Treaty
Organization (NATO) Summit in Wales (September 4, 2014), the Enhanced NATO Policy on Cyber
Defence was adopted; it raises cyber defence to the level of a strategic component of the NATO
concept of collective defence.
Starting from these aspects, our scientific initiative aims to present the structures and main
trends of cyber defence within NATO.

Keywords: North-Atlantic Treaty Organization, cyber defence, structures, trends, capabilities

Introduction

The phenomenon of globalization, with the Internet as one of its main mechanisms of
manifestation, has given individuals, organizations and nations new spaces in which to play
their power games and reach their own levels of ambition. Thus, cyberspace has become a fertile
field for solving institutional, social, economic and educational problems, but it is also an
environment increasingly integrated with the other environments in which war is waged: land,
air, maritime and space.
Moreover, the effects of globalization are the main factor behind the fast demarcation of cyber
security, through its rapid transition from a mostly technical discipline to a strategic
concept that tends to coalesce worldwide. In this context, NATO has proved to be aware of the
great share of vulnerabilities generated by the cyber environment and of the greater
sophistication of cyber attacks against its member states, as well as against the Alliance
infrastructure. Nowadays, given the importance attached to this virtual environment, cyber
defence has been declared one of the main directions of action of collective defence1.
To approach this new dimension of conflict, and also to gain an advantage over potential
attackers, NATO created its own specific structures to exploit this opportunity and to prevent
the vulnerabilities involved in using communication and information technologies in a volatile
security environment.

1 Cyber defence, 27 July 2016, available online at: http://www.nato.int/cps/en/natohq/topics_78170.htm, accessed
on 05.09.2016.

Center for Defence Security Strategic Studies/"Carol I" National Defence University
Nov. 24-25, 2016, Bucharest, Romania

1. NATO structures involved in cyber defence

The evolution of cyber defence concepts within the NATO framework is strongly influenced by
the nations whose own defence industries give them technological advantages, such as the
United States of America, the United Kingdom or France.
Thus the diverse approaches all led to the concomitant appearance within NATO of cyber defence
structures which, although they can seem contradictory in theory, have proved their efficiency
in practice: the US approach, centred on the origin and characteristics of the attacker or
oriented on the concept of critical infrastructure; the approach characteristic of the cyber
defence of the British Armed Forces, oriented on combating hybrid threats and on organizing
cyber defence around flexible command structures of the “Cyber Future Force”2 type, focused on
achieving immediate tactical objectives and subordinated to the tactical component responsible
for the objective; and France’s approach of constructing a core authority, the National Agency
for the Security of Information Systems (Agence Nationale pour la Sécurité des Systèmes
d’Information)3, subordinated to the General Secretary for Security and Defence. As an
example, we mention the implementation at the level of the NATO Computer Incident Response
Capability (NCIRC)4 of the “Cyber Red Team”5 concept, which derives from the British cyber
defence strategy and is defined by the British Ministry of Defence as “…a team formed with the
objective to submit to an organization plans, programs, ideas and hypothesis for thorough
analysis and to challenge … will offer to the end-users (commandant, leader or manager) with an
initial value more robust for decision making”6, and the migration to “Cyber Rangers”7,
characteristic of the US Department of Defence.
Whereas the operations of a “Red Team” are characterized by penetration actions against ICT
infrastructures and take place in the same production and operating environment as each ICT
system, the operations of a “Cyber Rangers” team, defined by the DoD as “…testing, evaluation
of concepts, policies and technologies in the cyberspace…”8, are based on building simulated
environments in which the adversaries’ actions are mimicked and attacks are executed virtually.
Although both teams are multidisciplinary and have similar structures, the former have only
mobile capabilities, while the latter are fixed and often organized around laboratories.
Still, practice has shown that when both types of team cooperate within a tactical operation,
the added intelligence value is considerable, and the concept of these mixed teams, called
“NATO Rapid Reaction Team”9, has been used more in the last decade.

2 House of Commons - Defence Committee - Sixth Report of Session 2012–13, Published on 9 January 2013 by
Authority of the House of Commons London: The Stationery Office Limited, available online at:
http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106.pdf, accessed on 05.06.2016.
3 Patrice Tromparent, French Cyberdefence Policy, Delegation for Strategic Affairs Ministry of Defense Paris,
France presentation for 2012 4th International Conference on Cyber Conflict, available online at:
https://ccdcoe.org/cycon/2012/proceedings/d2r3s2_tromparent.pdf, accessed on 05.06.2016.
4 NATO Wales Summit Guide, available online at:
http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_publications/20141008_140108SummitGuideWales2014-eng.pdf,
accessed on 05.06.2016.
5 UK Ministry of Defence, Red Teaming Guide, dated January 2013 - The Development, Concepts and Doctrine
Centre, Shrivenham, SWINDON, Wiltshire, SN6 8RF, available online at:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/142533/20130301_red_teaming_ed2.pdf,
accessed on 05.06.2016.
6 Ibidem, p. 9.
7 Todd Arnold, Rob Harrison, Gregory Conti, Professionalizing the Army’s Cyber Officer Force, United States
Military Academy, West Point NY 10996, available online at:
http://www.westpoint.edu/acc/SiteAssets/SitePages/Reports/PACOF.pdf, accessed on 05.06.2016.
8 Department of Defense Strategy for Operating in Cyberspace, US DoD, 2011, available online at:
http://csrc.nist.gov/groups/SMA/ispab/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf, accessed on
05.06.2016.

The diversity of uses of cyber capabilities is one of the great challenges NATO faces in
defining its role in cyber defence. Thus, NATO strategists have identified two categories of
cyber attack in which the organization can play a determining role10:
1. Cyber espionage, whether executed at the operational or the strategic level, can compromise
the confidentiality of ICT systems and of information-collection systems, thus revealing
military secrets and sensitive information to adversaries.
2. Sabotage carried out by cyber means, or with a dominant cyber component, can have
significant physical effects, particularly when it targets and damages weapon systems,
military decision-making systems (including command and control), logistical systems or
telecommunications systems, but also civil systems such as critical infrastructures.
Along with protecting its own ICT infrastructures, NATO pays particular attention to the cyber
protection of its personnel, at all levels and in all fields. In recent years, analysis of the
attacks on NATO critical infrastructures has shown that the social engineering component of
the “Advanced Persistent Threat” (APT)11 particularly targeted NATO personnel, through attempts
to involve them in extortion of money or various frauds for financial gain, as a preliminary
phase in carrying out the types of attack mentioned above.
Analysis of cyber incidents affecting various NATO structures leads to two conclusions:
1. Until now, the most dangerous adversaries of NATO in the cyber field have been nation
states; although a series of attacks presumed to come from hacker groups sympathetic to ISIS12
were identified in the last year, they did not have the intended success. Thus, although
intelligence systems have reported in recent years an increase in the offensive capacity of
organized crime networks, which could be used in the future by non-state actors such as
terrorists or private organizations specialized in extremely sophisticated acts of espionage
and sabotage in the cyber field, such actors would need capacities, a level of knowledge and
understanding of NATO technical systems, and a determination driven by a cost-benefit ratio,
at the level of a nation state.
2. Although until now terrorist actions with a major cyber component have caused no kinetic or
physical damage to NATO infrastructures, cyber attack technology evolves continuously and the
elements of the cost-benefit analysis become increasingly complicated and reactive to changes
in the international security environment; thus terrorist attacks with a determining cyber
component remain a serious threat to information security or even to NATO communications
infrastructure.
These conclusions, along with the analysis of the attacks against the public and private
infrastructure of Estonia in May 2007, led the defence ministers of the allied countries, at
their meeting in Brussels in June 2007, to adopt a series of measures to increase the cyber
resilience of NATO structures as a whole, along three main directions of activity.

9 NATO Rapid Reaction Team to fight cyber attack, 13 March 2012, available online at:
http://www.nato.int/cps/en/natolive/news_85161.htm, accessed on 05.06.2016.
10 Cezar Vasilescu, Cyber Attacks: Emerging Threats to the 21st Century Critical Information Infrastructures,
April 2012, available online at: http://www.defenceandstrategy.eu/filemanager/files/file.php?file=73464,
accessed on 05.06.2016.
11 Defence Against Terrorism Review, Vol. 3, No. 2, Fall 2010, COE-DAT, pp. 23-36, available online at:
http://www.coedat.nato.int/publication/datr/volume6/03How_Cyberterrorists_Could_Be_Living_Inside_Your_Systems.pdf,
accessed on 05.06.2016.
12 Benjamin Runkle, Is the Islamic State a Cyber Threat?, 9 September 2015, available online at:
http://warontherocks.com/2015/09/is-the-islamic-state-a-cyber-threat/, accessed on 05.06.2016.


The first direction of research: coordination and assistance for cyber defence is at present
implemented by the military, political and technical authorities of NATO, concomitantly with
the measures implemented by the member nations, and is based on the experience and expertise
of the member nations with technological advantages. An important aspect of this direction was
the establishment of the Cyber Defence Management Authority (CDMA)13, whose exclusive mission
is to coordinate cyber defence across the whole Alliance; this body is coordinated by the
Council of Management Authority for Cyber Defence, which comprises the political, military,
operational and technical NATO leaders with responsibilities in the cyber defence field.
The second direction of research: CDMA is the most important NATO organization offering advice
to the North Atlantic Council and to the member states on strategic issues related to cyber
defence.
The third direction of research: before the attacks in Estonia in 2007, NATO cyber defence
efforts focused largely on protecting the communication systems owned and operated by the
Alliance. The attacks in Estonia showed that a massive attack on the critical infrastructure
of a member state can not only entail an Article 5 type reaction but can also disturb the
logistical and operational flows of the Alliance, and this resulted in the extension of the
NATO defence focus to the national level, on both the combating and the prevention components.
Although all the strategic documents of the Alliance have so far underlined that the allies
themselves bear the main responsibility for the security of their own ICT systems and
information, assistance mechanisms have been developed at the core level of NATO for allies
requesting support to protect their ICT systems, including when cyber attacks occur, through
the intervention of a Rapid Reaction Team (RRT)14 composed of a maximum of 6 national or NATO
experts, as the type or characteristics of the mission require.
As concerns research/development and the training of specialized personnel in the cyber
defence field, a research centre was established in Tallinn in 2003; in 2008 it gained NATO
accreditation as a centre of excellence and was named the NATO Excellence Centre for
Cooperation in Cyber Defence (CCDCOE). Today it has research/development responsibilities as
well as training responsibilities for the personnel of NATO or of the sponsor nations (Czech
Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Holland,
Poland, Slovakia, Spain, Turkey, United Kingdom of Great Britain and United States of
America).
In the middle of 2002, the implementation of the Cyber Defence Program was approved by the
North-Atlantic Council, and the program was afterwards implemented in three phases:
2003-2006, the request for and operation of NCIRC and the establishment of its provisional
operating capabilities; 2006-2012, bringing NCIRC to its optimum operational level by the end
of 2012; 2012-present, identification of the requirements and resources necessary to attenuate
and eliminate vulnerabilities in the cyber field, with a view to including CDMA in the
development, by the specialized industrial sectors of the member countries, of technologies
to be available across the whole NATO security space.
Besides CCDCOE and CDMA, the NATO Communications and Information Systems Services Agency
(NCSA)15 is responsible for protecting communication systems, with four main tasks: ICT
support for NATO operations; ICT support for NATO exercises; ICT support for NATO Major
Staffs; and support for the implementation of new ICT systems and projects at the Alliance
level. The functional structure of NATO cyber defence capabilities is illustrated in
Figure no. 1.

13 173 DSCFC 09 E BIS - NATO and Cyber Defence, available online at:
http://www.nato-pa.int/default.asp?SHORTCUT=1782, accessed on 05.06.2016.
14 Men in black – NATO’s cybermen, 24 April 2015, available online at:
http://www.nato.int/cps/en/natolive/news_118855.htm, accessed on 05.06.2016.
15 Connecting Forces, NATO Communications and Information Agency, available online at:
https://www.ncia.nato.int/About/Pages/About-the-NCI-Agency.aspx, accessed on 05.06.2016.

In addition, NCIRC has the responsibility to evaluate NATO security networks and to detect and
respond with countermeasures to any cyber attack on a NATO infrastructure or one associated
with it; “NCIRC experts have the missions to support system administrators to block the
informatics attacks, to limit their deterioration and to fix software errors classified as
vulnerabilities and making possible such kind of attacks”16.
In this structure, CDMA is the single authority on defence against cyber attacks and is
responsible for initiating and coordinating each effort, but NATO cyber defence actions
between the members and external organizations take place in CDCSC. NCIRC, on the other hand,
is the department with technical and operational intervention capabilities and is responsible
for the development, implementation and maintenance of the Alliance’s cyber defence services.

CYBER DEFENCE MANAGEMENT AUTHORITY (CDMA)

CYBER DEFENCE COORDINATION AND DEFENCE CENTRE (CDCSC)

NATO COMPUTER INCIDENT RESPONSE CAPABILITY (NCIRC - TC)

NATO COMMUNICATION SERVICES AGENCY (NCSA)

Figure no. 1 Functional structure for NATO cyber defence17

Although cyber defence capabilities have improved remarkably since 2008, security analysts
warn that the organization will not be able to respond rapidly and efficiently to advanced
cyber threats18, firstly because the member states have given no common definition of critical
infrastructures, and their common protection is hard to accomplish not only for political
reasons but also for technological or social ones, since there are conceptual and
technological discrepancies in how ICT infrastructure is built among the member states of the
Alliance, as shown, for example, by the difference in approach between the USA, Germany and
France. Another aspect with a negative impact on the implementation of the common defence
principle in the area of ICT infrastructures is that, despite political or diplomatic
declarations inside the Alliance, the member states use for their cyber protection
information, technologies and capabilities that give them a strategic advantage, and they
often prefer to keep these capabilities classified from everyone else; secondly, decision
makers fear that by revealing these capabilities to a potential enemy they could become
vulnerable to a potential attack. On the other hand, the NATO policy of partnership with the
defence industry and the integration of the academic environment of the member states into the
defence flow, promoted in the last decade, have brought significant enhancements not only to
the technologies used but also to the training of cyber security specialists, which in the end
led to the creation of a level of trust between the defence industry and the Alliance
structures with responsibilities in the cyber defence field.

16 Transatlantic Policy Briefs, Coming to Terms with a New Threat: NATO and Cyber Security, p. 3, January
2013, available online at:
http://www.cepolicy.org/sites/cepolicy.org/files/attachments/08_-_tpb_cyber_terlikowski_vyskoc11.pdf,
accessed on 05.06.2016.
17 Allied Command Operations Comprehensive Operations Planning Directive COPD Interim V1.0, available
online at: https://info.publicintelligence.net/NATO-COPD.pdf, accessed on 05.06.2016.
18 Jarno Limnéll, NATO’s September Summit Must Confront Cyber Threats, 11 August 2014, available online at:
http://breakingdefense.com/2014/08/natos-september-summit-must-confront-cyber-threats/, accessed on
05.06.2016.

2. Evolution trends of NATO cyber defence capabilities

Transformation is defined by NATO as “a continuous and pro-active process on the development
and integration of some innovator, doctrine and capabilities concepts in order to improve the
efficiency and interoperability of military forces”19 and includes requirements on the
capacities that will define the multinational operations of the future, as well as education
and training programs to allow the allies to implement their future concepts and capacities.
As a way to renew the relevance of the Alliance in the post-ISAF environment, transformation
has probably been the most disputed subject for NATO and its allies in recent years. The NATO
Allied Command Transformation (ACT) is located in Virginia, United States of America, and is
responsible for the NATO transformation processes, including those in the cyber defence area.
Although reports from recent years have shown that NATO allies are more technologically
advanced than their potential adversaries, the same analyses show that this advantage will not
persist, because more and more nations that could be potential enemies of the Alliance tend to
focus increasingly on developing their defensive and offensive cyber capacities.
One of the priorities on which the Alliance has focused and will continue to focus is
increasing the capacities and capabilities of CCDCOE in Tallinn, which, although from a
technical perspective it is not an institution, provides for cyber defence on the basis of
NATO doctrine and strategy and aspires “...to become main source of expertise in the
cooperative cyber defence field”20.
A major challenge for NATO is the fact that its own internal systems are connected to a series
of national systems, and these are increasingly interdependent in their development and
interconnection. To protect NATO systems, there is a need to map in detail not only these
systems, many of which are components of the national critical infrastructures of the
respective countries. Although such action is insistently requested at the CDMA level, putting
it into operation requires a political decision at the level of the Alliance.

19 What is Transformation? - An Introduction to Allied Command Transformation, NATO UNCLASSIFIED –
PUBLICLY DISCLOSED, January 2015, available online at:
http://www.ieee.es/Galerias/fichero/OtrasPublicaciones/Internacional/2015/NATO_Introduction_AlliedCommand_Transformation_Jan2015.pdf,
accessed on 05.06.2016.
20 Myriam Dunn Cavelty, Cyber-Allies, Strengths and weaknesses of NATO’s cyberdefense posture, ETH Zurich
- Center for Security Studies, February 2012, available online at:
http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID1997153_code1782288.pdf?abstractid=1997153&mirid=1,
accessed on 05.06.2016.


Another major challenge that will influence how NATO capabilities develop in the future is the
gap between the smaller and the larger nations over the aim of enlarging the NATO role in
certain specific problems. In cyberspace this phenomenon manifests itself in the wish of
smaller countries with limited resources to benefit from NATO defensive cyber capacities and
even to extend them, whereas countries such as the US, the UK, France and Germany invest a
great deal of money in their own cyber defence systems and are therefore reluctant to redirect
money to NATO missions and projects that duplicate already existing capacities.
The debate on the balance of tasks in NATO, although it goes beyond the cyber defence
framework, will be the most influential element in the future, owing both to the dynamics of
stability that the Alliance has to confront and to the growth of the cyber component in global
security threats; because of this imbalance, the Alliance risks becoming “a multilevel
organization wherein only part of the members have cyber capabilities of battle and want to
use them”21.

Conclusions

Although cyber attacks have been considered asymmetric threats since the Riga Summit in 2006,
it was only after the attacks on Estonia in 2007 that NATO realized that “cyber war, as is
often called, refers inclusively to a campaign supported by cyber operations concerted against
IT infrastructures of target-state, and this leads to the mass-destruction of websites by
using spam and malware infections”22.
In the last decade, NATO has become an organization that actively contributes to global
security in all spaces, standing mainly as an alliance with a Euro-Atlantic vocation and
maintaining unchanged the collective defence principle stipulated in Article 5 of the
North-Atlantic Treaty. As a political-military organization, it bases its activity on a
strategic concept made up of a structure of doctrinal ideas and a mechanism defining the goals
and the means of achieving them for defined periods of time.

BIBLIOGRAPHY:

1. Döge, Jenny, Cyber Warfare, Challenges for the Applicability of the Traditional Laws of War Regime, Archiv des Völkerrechts, volume 48, number 4, December 2010.
2. http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106.pdf
3. https://ccdcoe.org/cycon/2012/proceedings/d2r3s2_tromparent.pdf
4. http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_publications/20141008_140108SummitGuideWales2014-eng.pdf
5. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/142533/20130301_red_teaming_ed2.pdf
6. http://www.westpoint.edu/acc/SiteAssets/SitePages/Reports/PACOF.pdf
7. http://csrc.nist.gov/groups/SMA/ispab/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf

21 Transcript of Defense Secretary Gates’s Speech on NATO’s Future, Brussels, June 2011, available online at:
http://blogs.wsj.com/washwire/2011/06/10/transcript-of-defense-secretary-gatess-speech-on-natos-future/,
accessed on 05.06.2016.
22 Döge, Jenny, Cyber Warfare, Challenges for the Applicability of the Traditional Laws of War Regime,
Archiv des Völkerrechts, Volume 48, Number 4, December 2010, p. 489.


8. http://www.nato.int/cps/en/natolive/news_85161.htm
9. http://www.defenceandstrategy.eu/filemanager/files/file.php?file=73464
10. http://www.coedat.nato.int/publication/datr/volume6/03How_Cyberterrorists_Could_Be_Living_Inside_Your_Systems.pd
11. http://warontherocks.com/2015/09/is-the-islamic-state-a-cyber-threat/
12. http://www.nato-pa.int/default.asp?SHORTCUT=1782
13. http://www.nato.int/cps/en/natolive/news_118855.htm
14. https://www.ncia.nato.int/About/Pages/About-the-NCI-Agency.aspx, http://www.cepolicy.org/sites/cepolicy.org/files/attachments/08_-_tpb_cyber_terlikowski_vyskoc11.pdf
15. https://info.publicintelligence.net/NATO-COPD.pdf
16. http://breakingdefense.com/2014/08/natos-september-summit-must-confront-cyber-threats/
17. http://www.ieee.es/Galerias/fichero/OtrasPublicaciones/Internacional/2015/NATO_Introduction_AlliedCommand_Transformation_Jan2015.pdf
18. http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID1997153_code1782288.pdf?abstractid=1997153&mirid=1
19. http://blogs.wsj.com/washwire/2011/06/10/transcript-of-defense-secretary-gatess-speech-on-natos-future/
