Resilience isn't enough, NATO must be 'proactive' for cyberdefense, warns official

TALLINN, Estonia — NATO allies need to allow their militaries to be proactive in cyberspace to ensure the alliance isn't affected by a cyberattack that could disrupt the deployment of forces if a conflict was to occur, Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, warned on Friday.

The warning follows the North Atlantic Council, NATO's political executive, expressing allies' deep concern about "an intensifying campaign of activities which Russia continues to carry out across the Euro-Atlantic area, including on Alliance territory and through proxies.”

This proactive approach Lifländer endorsed stands in contrast to the strategy of resilience — making it harder for an adversary to compromise the targeted systems and to recover with minimal disruption if a compromise does occur — which is failing to shape adversaries' behavior, the senior NATO official said.

This failure did not mean that resilience wasn't important, added Lifländer at the International Conference on Cyber Conflict (CyCon) in Estonia: “Let me be very honest, when I look at what's happening, quite often it is not the zero-day vulnerabilities that people are using in order to get what they want. The basics need to be done, so resilience is important.

“But taking a longer-term perspective of how to shape behavior, I think more needs to be added to it,” he added, arguing in favor of a more “proactive element” to the alliance's approach to cyber conflict.

The argument for a proactive cyber element in NATO has also been made by Michael Fischerkeller, a researcher at the federally-funded U.S. Institute for Defense Analyses, who published a paper last year warning that regardless of the outcome of the Russia-Ukraine conflict, in its wake NATO allies were likely to be “subject to a significant, perhaps unprecedented, sustained volume of cyber intrusions in a post-armed conflict environment.”

Fischerkeller called for NATO to “adopt policies that optimize member states’ and partners’ aggregate cyber capability and capacity — policies that center on a proactive operational posture inclusive of an operational element that can anticipate, preclude, inhibit, or otherwise constrain Russian cyber efforts in a post-armed conflict environment.”

The Institute for Defence Analyses researcher — alongside the U.S. Cyber Command strategist Emily Goldman and the University of Cincinnati's Richard Harknett — published a book in 2022 called Cyber Persistence Theory that warned the West risked facing a strategic defeat in cyberspace by failing to recognise the domain as a permanently contested environment.

NATO published a strategic concept in 2022 formally recognizing that "cyberspace is contested at all times." As Lifländer described it to Recorded Future News in an interview ahead of the Vilnius summit, the concept was "really not the end of the road but I think the beginning of a longer transformation."

Speaking in Tallinn on Friday, he told the audience: “If you agree with the hypothesis that it's a permanently contested environment, cyberspace, and it's about the long-term operational cycles, it's not necessarily about the digital Pearl Harbor, then I think it's important — and that's why we've been looking at — for the military to be included, to be part of the picture.”

The traditional continuum of peace-crisis-conflict doesn't map particularly well onto the current status of competition, as described by Cyber Persistence Theory, and that risks having a significant impact on NATO operations, said Lifländer.

“There's no magical handover. You cannot automatically assume that the military is going to be there if they haven't been a part of the picture from the get-go.

“When I look at pre-positioning, when I look at what's happening in networks, it's not necessarily given that reception, staging, or onward movement (RSOM) would not be affected," warned Lifländer, referencing the critical logistical sequence needed for a NATO military operation.

“So the military for us needs to be part of the picture, so as to understand the risk, and manage the risk, collectively, in a coordinated fashion, with allies in this regard.”

Lining up allies

Lifländer's argument suggests that a proactive cyber element would be essential for NATO's new cyber center in Belgium. Negotiations regarding the establishment of that center are still ongoing, just weeks away from the Washington summit where allies are expected to announce it, as David van Weel, NATO’s assistant secretary general for innovation, hybrid and cyber, confirmed at CyCon.

“We cannot defend everything, everywhere, all the time,” acknowledged Lifländer, so going forward the critical question was about how allies could shape adversary behavior — while also balancing their own national equities and values.

U.S. Cyber Command’s Emily Goldman also told the audience in Tallinn that shaping adversary behavior was critical, warning that allies were now being impacted by offensive cyber operations that had now become a standard tool in diplomacy and competition, something that was having “strategically consequential effects on the power of the United States, its allies, and partners.”

Lifländer noted that the U.S. was already a vanguard in acknowledging the cyber persistence mindset. The authors of that book were informed by their work at Cyber Command and the National Security Agency ahead of the 2018 roadmap calling for persistent operations.

“There's a role for unilateral action. I think there's also a role for coalitions in this regard, and for bilateral action, and then of course you have the alliance at 32 [members],” added Lifländer.

But aligning the members is likely to be challenging. In Berlin last year, allies expressed support for collective responses to cyberattacks, marking a growing acceptance among allies that new methods are needed to tackle cyberattacks beyond resilience, although comments describing those new methods were very ambiguous.

Under NATO's current doctrine, in peacetime the alliance's joint forces do not undertake cyber operations outside of the defensive space. While there is a framework covering how offensive cyber operations can be integrated into NATO missions — known as the Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA) framework — this does not currently cover activities necessary to ensure RSOM.

“When I look at some of the past behavior, past examples, at one point we had quite huge differences of opinion about offensive cyber capabilities to the extent that they were able to split verdicts. We had different opinions and it took us some time to come to grips with it, until the whole concept of sovereign cyber effects provided voluntarily by allies, SCEPVA — oh, what a mouthful — emerged and people became comfortable with it,” said the cyber policy lead.

NATO as a platform “is not going to be a panacea, but I think it's as close as we have to a common platform where we can exchange ideas, best practice, and come to a common agreement as to what is it that we can do collectively,” said Lifländer, “never mind the things that can and should be done individually.”