On February 6 we have the 17th Cyber Intelligence event in Zurich for IT security managers. One of the speakers is Anil Suleyman, the former head of the NATO cyber division.
Q1: You have been involved in cyber defence for more than 20 years; in fact, you set it all up for NATO. How has the scope and work of that cyber defence unit evolved in all these years?
The evolvement of cyber defence has been simply incredible, even for an insider such as myself, but it has yet to reach its peak. When I started in 1989, the cyber defence (called “system security” then) unit was composed of very few experts, protecting very few IT systems. Today NATO has one of the best global cyber defence capabilities in the world, in terms of diversity, effectiveness and business model. I must admit that this capability development would not have been possible if NATO had not recognized the strategic significance of cyberspace very early, in the late 90s, during its operations in the Balkans. Consequently, and since 2002, cyber defence has been an agenda item in every NATO Summit (attended by Presidents and Prime Ministers of NATO Nations and normally held every 2-3 years), at which NATO Nations have frequently approved the plans proposed to enhance NATO’s Cyber Defence policies and capabilities. Among all international organizations, NATO was the first to move cyber defence from a technical discussion item to a strategic political matter. In its most recent policy updates, NATO declared cyberspace a domain of military operations and approved the stand-up of a NATO Cyberspace Operations Centre (https://www.nato.int/docu/review/articles/2019/02/12/natos-role-in-cyberspace/index.html). On the most recent cyber defence capability deployment, NATO has announced that it will have a 20 million euro tech refresh investment this year (https://www.ncia.nato.int/NewsRoom/Pages/20191104-NATO-Agency-releases-Request-for-Quotation-to-refresh-cyber-security-technology.aspx).
Q2: There are voices saying that the war of the future is virtual only, as no one expects analog wars to be fought except for terrorist attacks. Do you agree with this? And if so, why is so much more money still spent on analog than on cyber war defence?
First of all, it is too optimistic to say that analog (or conventional) wars are over except for terrorist attacks. This could well be the feeling in some parts of the world (such as Western Europe or North America), but quite a few world spots still carry significant risks of conventional warfare. Secondly, I should underline that cyber war (or more correctly, “cyber effects”) and “analog” (or conventional) military capabilities are not two different, comparable alternatives; rather, they complement each other, so nations will continue to spend money on both of them. Finally, conventional (“analog”) forces are still more effective and offer better deterrence than non-conventional tools, and therefore nations will continue to spend more on both of them.
I do, however, agree that conventional wars are now much less likely, and we should all appreciate that, but this does not mean that we are living in a safer world. It is just that the nature of threats and risks is different now, and they target our wellbeing, lifestyle and basic freedoms more (instead of targeting our lives, unless we live directly inside one of the conflict zones). The last conventional war, where national military forces stood up and fought against each other, was the Iraq-Iran War from 2000 to 2008, where about 1.5 million lives were lost. Since then, we have been witnessing more non-conventional conflicts where adversaries (state or non-state actors) use campaigns of terrorism, cyber attacks, economic or information warfare, special forces, weapons of mass destruction, etc. to achieve their objectives while keeping hostility levels below the threshold of war (i.e. Hybrid Warfare).
Q3: Can you give us a glimpse into the current challenges and threats you see around right now?
Cyberspace is still a very young, human-created global domain which is rapidly growing and evolving. Cyber threats are inherently following the same pattern, rapidly growing and evolving, and will continue to do so until a certain level of maturity is achieved in cyberspace. What is disappointing is the lack of progress in international efforts to make cyberspace a safer place for all. Work in the UN on states’ norms of behavior in cyberspace has been deadlocked for decades and was recently further complicated by the introduction of a second competing proposal. Work in the OSCE on confidence building measures in cyberspace (Cyber CBMs) has produced good but limited results. Efforts of the EU and NATO are good but regional in nature. The current lack of liability and lack of law enforcement in cyberspace is benefiting only organized crime, terrorist groups and rogue nations. A second disappointment is the fact that an increasing number of nations are building offensive cyber capabilities, as the use of cyber attacks has proven to be the tool of choice in modern conflicts. Unfortunately, cyberspace is rapidly and heavily being weaponized. Instead, nations should focus on completing the international agreements and regulations for safe and trusted use of cyberspace for all, as we enjoy today in other global domains such as airspace, open seas or space.
Q4: How can private businesses work together with, or expect support from, state-run cyber defence units or even NATO in case of severe attacks?
Contrary to the somewhat pessimistic views that I have expressed so far, I am very optimistic about the potential of cyber partnerships between the public and private sectors (PPPs). This model, already well progressed in some nations and organizations, is the most effective short-term cooperation model for reducing cyber risks until international agreements and regulations for cyberspace are put into global effect.
Private businesses first obviously need to take care of protecting their own cyberspace by investing in cyber resilience, which would counter the majority of cyber attacks. Nevertheless, there will always be some cyber attacks, high-end ones, where private businesses might need assistance from national cyber defence authorities (e.g. for law enforcement measures against attackers, for forensics, for data recovery or network routing alternatives, threat assessments, etc.).
What is essential for an effective Cyber PPP during an attack is the existence of predefined procedures which describe how, when and which types of communications and services would be exchanged between the private businesses and national cyber authorities during severe cyber attacks. The second important element of an effective Cyber PPP is to have periodic exercises or tests of the agreed procedures.
NATO has historically well established cooperation programs with private businesses (https://www.nato.int/cps/en/natohq/62249.htm), and, in recent years, with more emphasis on cyber defence cooperation, i.e. NATO Industry Cyber Partnership (https://www.ncia.nato.int/NewsRoom/Pages/180523-IPAs_signature_NITEC.aspx). NATO assistance in case of a severe cyber attack can only be sought by governments and through established NATO procedures.
Q5: Would you agree or disagree with this statement: cyber defence will always only be catching up with new threats but will never be able to control them, due to the nature of the complexity but also due to the “innovations” of the attacking side, which always finds new ways to attack.
Yes, I would agree with the first part of the statement, that the defence side would always be catching up with new threats. However, the majority of cyber attacks that we see do not really carry much innovation but take advantage of existing, known vulnerabilities. Therefore they can be countered through effective cyber defence. Take ransomware: if an individual or a business is a victim of ransomware, it is simply because their data is not properly backed up. What is difficult to defend against alone is high-end cyber attacks which are able to take advantage of zero-day vulnerabilities, or are assisted by insiders, or those carried out by state threat actors or their proxies. To defend against such cyber attacks, close cooperation should be established with relevant national, private sector and international partners.
Q6: If you agree with 5: how can governments best live with this situation?
First of all, governments must work very closely with the private sector (1) to assist each other during severe cyber attacks, (2) to enhance national legislation and directives on cyberspace, (3) to share cyber incident and threat assessment information and (4) to offer incentives for the development of innovative cyber defence solutions. Secondly, governments should establish cyber defence cooperation partnerships with other nations and with relevant international organizations to enhance national cyber capabilities on law enforcement, attribution and crisis management during cyber attacks.
Mr. Anil joined the NATO International Staff in June 1989. From 1989 to 2003, Mr. Anil was responsible for the startup and management of NATO’s first operational Cyber Defence capability (i.e. NCIRC) at SHAPE HQ in Mons, Belgium. In April 2003, Mr. Anil was assigned to the NATO Office of Security at NATO HQ in Brussels to lead cyber defence policy development and to coordinate security aspects of cyber defence within NATO.
In August 2010, Mr. Anil was appointed to manage the newly created Cyber Defence Section of NATO HQ in Brussels, where the primary responsibilities of the section included preparing NATO’s cyber defence policies and action plans for the approval of NATO Nations and coordinating the implementation of those action plans within NATO and with the relevant stakeholders in nations, international organizations and industry.
Mr. Anil retired after 27 years of NATO employment in August 2016. Mr. Anil studied Electrical Engineering in Turkey and Computer Science (Master's studies) in the USA. Before he joined the NATO International Staff in June 1989, Mr. Anil worked for the ITT/ALCATEL group for 10 years in the USA and Europe.