NATO’s Christian-Marc Lifländer on how the alliance can take a ‘proactive’ cyber stance
Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, is concerned whether the West is like the metaphorical frog in hot water amid an increasing number of cyberattacks. Rather than engaging in activities that would halt this increase, he says it seems “we are kind of deterred by ourselves.”
An Estonian who speaks five languages, with a bachelor’s degree in engineering from West Point and a master’s in security studies from Georgetown University, Lifländer began his career in cyber policy with his country’s Ministry of Defence — including for three years at its embassy in the United States — before moving to Brussels more than a decade ago.
Today he is praised as “one of the most experienced and expert individuals at NATO on cyber,” by Paul Chichester, the director for operations at the U.K.’s National Cyber Security Centre and the country’s senior cyber expert with NATO, who also credits Lifländer with making “a unique contribution to the defence of NATO as an enterprise and an alliance.”
Max Smeets, the director of the European Cyber Conflict Research Initiative (ECCRI) and a senior researcher at the center for security studies at ETH Zurich, praised Lifländer’s generosity for “supporting and mentoring the upcoming generation of cyber scholars and practitioners.”
Smeets said the Estonian’s expertise and experience have allowed NATO “to learn from past successes and avoid reinventing the wheel” around the Russian invasion of Ukraine.
Recorded Future News spoke to Lifländer over the phone last month about NATO’s changing approach to cyber, what the allies disagree on, and what will happen if attacks targeting Western states continue to increase. The interview has been edited for length and clarity.
The Record: Speaking at the International Conference on Cyber Conflict in Tallinn, David van Weel — NATO’s assistant secretary general for emerging security challenges — said the alliance was going to endorse a new ‘cyber concept’ at the summit in Vilnius in July. Can you tell us what that will entail?
Christian-Marc Lifländer: At the Vilnius summit, there will be several cyber deliverables. I think what David [van Weel] mentioned is the need to improve national cyber resilience. So there's already an existing tool, the Cyber Defence Pledge, which allies have decided to revamp in this regard. And what we're looking at is no longer something that is just delegated to allies to implement, but is now a tool which for the first time includes national goals, almost minimum requirements, things that everybody needs to have.
Similarly we have attached a maturity model to the instrument, a way for everybody to measure their preparedness, so as to better understand gaps across the alliance, which then can be met by allies helping other allies to get up to that minimum level. So something that has really never been done before and I think that's important.
A second deliverable for us is going to be a virtual cyber incident support capability, otherwise known as the VCISC. So if you think about the first deliverable that I mentioned, the Cyber Defense Pledge, as left of the bang — by which I mean all of the things that need to happen before incidents take place — then VCISC really looks to the right of the bang. If and when the incident has taken place, how can we be useful in helping a stricken ally to recover and mitigate the malicious cyber activity that is happening?
That's a mechanism that really does not mean more NATO, I think it means a way for allies to help other allies, and to do so virtually, also by using industry, and to do so in a flexible and agile kind of a way.
TR: What does it mean to endorse a new cyber concept?
CML: The concept we are putting forward is really not the end of the road but I think the beginning of a longer transformation where we want to bring different players closer together, while respecting everybody's roles and responsibilities, the sovereignty that they have. But there seems to be something about cyber that doesn't really respect organizational boundaries. I mean, you need the technical, the operational, and the political layer to operate better together. So this is exactly what we're trying to achieve here. It means information sharing, it means intelligence sharing, but it also means a better way to react, a better way to shape cyberspace. The results are not expected until next year's summit in Washington. So that's why, to me and to us, it's really a way to start thinking a little bit better of how to be proactive in that space.
Secretary General Jens Stoltenberg at the NATO Cyber Defense Pledge conference in November 2022. IMAGE: NATO
The key thing to understand here is that to us, cyber is always 'on'. So when you're thinking about it, yes, we need to worry about it and build the fire brigades so that if the fire breaks out we're able to put it out, but in some ways it's also about the smoke detectors and focusing on that left of the bang. Remember, the Washington Treaty, Article Three, focuses on the responsibility of allies to defend themselves and there's a whole lot that can be done in order to enable and help allies to do exactly that.
TR: How did the attack on Albania in 2022 contribute to this new concept?
CML: I think the Albanian example is a useful one. It really starts way before the incident itself has occurred. There's this knowledge transfer, there's help when it comes to cyber capacity building, things that can take place in order to deny the benefits for the potential attackers. And then of course, if and when the incident happens, there's really two aspects. One is to help recover, and that needs to be quick, and I would put it to you that many of the things would have to be put in place already before the incident happens, privileges and immunities for example, but also a better understanding of what kind of help and how quickly and under what modalities can it be provided, so as to avoid us having to figure out how to help when the incident has happened.
But then there's also something that can be done using NATO as a political platform. I would put it to you that what the Albanian case demonstrates to us is that cyber can be used, and has been used, for political coercion. And the allies responded. So NATO can, and I think should, be used going forward as a political platform, also at the political level, in order to signal to those that have conducted malicious cyber activities what is okay and what is not okay. And this in support of norms for responsible state behavior.
TR: Another key detail David van Weel raised was the role of the private sector in cyber defense. What is your opinion on that?
CML: I think many of the activities that have taken place in Ukraine demonstrate that without industry it would be very difficult to be successful on the battlefield. By the way, it also tells you that the defender gets a vote, right? It is possible to defend yourself against an adversary as potent and capable as the Russian Federation. So to me Ukraine is a story of hope. That things can be done, if you know what you're doing. And part of that is going to be figuring out how to collaborate and cooperate with industry.
But I think you also need to understand that what we have in Ukraine is not necessarily a sustainable or a scalable business solution. It is not possible, in my opinion, to outsource everything completely to industry and hope that things somehow miraculously will be taken care of. So that's why what we need to focus on is not necessarily formal but certainly flexible arrangements, which allow for industry to make contributions that the public sector can benefit from, and vice versa.
A good example that I would like to use here is the Industry 100 scheme in the United Kingdom, whereby the government, the UK NCSC [National Cyber Security Centre], is able to benefit from those companies that are taking part in the program and vice versa, industry is able to benefit from government information and is able to implement that in their network defense. That's a very flexible arrangement that allows for self-selection, but also improvement over time so that both sides can benefit from that relationship.
TR: Where are NATO allies in disagreement at the moment?
CML: I think what we all agree is that we need to commit to a long term resilience, in other words, we need to deny our adversaries the benefits. So that's why there's such a huge focus on the Cyber Defence Pledge for example. That's why there's such a huge focus on the smoke detectors, to go back to a previous analogy. What we also agree on is that we need to be able to react to and respond to incidents that seem to be occurring more often, much quicker.
NATO headquarters in Belgium switched off its lights in December 2022 in solidarity with Ukraine. Image: NATO
I think the question going forward is really focusing on the question of 'proactive'. What does that mean? In other words, if patching is not going to help us, if just a reactive posture is not going to be really helpful, how can we be more proactive? So that's question number one, what does it mean? And I think the second question then arises almost immediately, and that is how to make use of NATO as part of that proactive mindset. I think that's where a lot of work is still needed.
TR: You said incidents seem to be occurring more often. Why is that?
CML: I’m going to have to speculate here. So there are new technologies and new vulnerabilities that are being exploited, so there's just a whole lot more opportunities for malicious cyber activity. The second [reason] I think is linked to motivation. I think we can be more decisive in imposing costs for many of these malicious cyber activities. I would even say that many of the actors have become quite skilled at operating below the threshold of the use of force. Many have become quite skilled in designing their activities around deterrents. So we have to do more. [With] both of these things — [the] increased opportunities and second, lack of costs imposed on the situation — we're dealing with what I would call the new normal.
TR: What does being more decisive in imposing costs look like?
CML: The key performance indicator here is the change in adversaries’ behavior, right? You do not necessarily get rid of malicious behavior, but you're able to have an effect on perhaps the quantity and the quality of it. In other words, you create perhaps more friction at the technical level by activities such as threat hunting, or defensive cyberspace operations. You make it much more difficult for the adversary to achieve an effect, knowing full well that any advantage that you might enjoy is going to be temporary. I guess, you might call it persistent engagement, so persistently engaging in the networks so as to deny all of these possible benefits, to keep the permanent contestation at the tolerable, manageable level. That, to me, is the answer moving forward. Unless we want to resort to just a reactive defensive posture. If so, I'm afraid that it will be difficult to have an impact on what is happening.
TR: Is there a way of being more decisive that isn’t more of the same, or isn’t in some way escalatory?
CML: What you're trying to do is to have an effect on that particular actor that is conducting malicious cyber activities. But what I sometimes feel is that doing so is viewed almost as escalatory. And then quite often, the actions fall far below those that folks would be entitled to use legally. So sometimes the feeling that I have is that we are kind of deterred by ourselves.
TR: Given that you said attacks are occurring more often, has this response so far failed?
CML: I would say that we can do better in terms of making it more difficult for malicious cyber actors to not only conduct these operations, but to have to have a consequence at the level that you quite often see in public. I think some people refer to what is happening as almost like boiling the frog. And then we become used to this next level of contestation and this becomes the new normal until it's taken to the next level again. That to me is concerning. We should resist it. We shouldn't really become accustomed to that new level of contestation.
If you accept that there's this new level of contestation, if you accept that there's this new normal, then it either can be because we have become accustomed to it and we're willing to accept the risks. In that case, it's not necessarily a failure, but it certainly will have an impact on our quality of life and over time to our competitiveness in a broader sense. Going forward, at what point are we willing to say that we're no longer okay with that new normal? When do we impose or create friction of our own so as to signal that we're resisting that new normal? I think that's the big question going forward.
TR: Perhaps this is my misunderstanding, but NATO has stated that the cyber domain is a permanently contested space. Isn't that already a recognition of the new normal?
CML: NATO’s Strategic Concept makes clear that cyberspace is contested at all times. I think the big question is what level of contestation is okay. It tends to be quite abstract. It's certainly difficult to make the case I think, for cyber, when you compare it to kinetic action, which tends to be much more concrete, much more real, and much more violent in this regard… I think a lot of it focuses on risk. How do we manage risk? Quite often, cyber tends to be a non-rewarded risk. So security tends to be viewed as a cost, not necessarily as a reward.
There's almost a race to the bottom, whereby investments are not necessarily made, capabilities are not necessarily developed, until something happens. So it's almost as though you're going along with this contestation, hoping that you're not really affected until you are. We have to accept that we have a role to play and figure out what is the acceptable level of violence, if I may say so, that we can live with.
TR: Is there also a fear of a 'death by a thousand cuts' scenario, where the volume of activity even below a particular threshold becomes the issue?
CML: I completely agree with the thousand cuts thing. We have come to realize that it's not necessarily the single incident that we should be focusing on, but the cumulative effect over time. So if cyber is always on, if it's used continuously in order to target the sources of national power, then at the end of the day, it could very easily be a simple, perhaps even sort of relatively innocent incident, that breaks the camel's back. But that's a very different way of looking at it. You're no longer focusing on the left or right of bang, you're making it a continuous activity, a continuous contestation.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.