Earlier today, the Atlantic Council hosted a panel discussion on NATO’s developing role in cyber defense and security. Participants included IBM’s NATO and European Defence Leader Leendert Van Bochoven, IBM’s Vice President Security Counsel & Chief Privacy Officer Harriet P. Pearson, and the Director of the Atlantic Council’s Cyber Statecraft Initiative, Jason Healey. Barry Pavel, the Director-Designate and Arnold Kanter Chair of the Brent Scowcroft Center on International Security at the Atlantic Council, moderated the event.
The event highlighted the Atlantic Council’s recent publication, NATO’s Cyber Capabilities: Yesterday, Today, and Tomorrow, which the council hopes will provide guidance to NATO at its upcoming summit in Chicago later this year.
Bochoven provided a brief introduction in which he noted that cybersecurity is one of NATO’s top priorities, and that as member states continue to connect information systems to industrial systems and other platforms, we must be able to defend those connected systems properly. Healey echoed this point, also noting that the alliance’s goal should be on “the basics,” and defending and securing NATO systems before broadening the focus to helping member states secure their individual systems.
Pearson spoke of NATO’s general cyber strategy, noting that the institution needs to provide a tight linkage between the operations side and the strategic side of cyber matters, and on the strategic side to have a long term focus. Collaboration is also key – not just in terms of member states working together but also cooperation between NATO and the private sector.
Asked what their single most important recommendation would be for NATO, each provided similar answers. Healey suggested the organization must be able to “unpack” the complex issues into simpler components that can be reasonably dealt with, as opposed to becoming mired in abstract discussions on “unsolvable problems” that ultimately lead nowhere. Pearson offered that leadership needs to clearly establish the reality in which NATO operates, and set key areas for the organization to focus on and take action. Bochoven said setting clear terminology for current and future efforts is essential, pointing to the phrase “full operational capacity” as an example of a misnomer that muddles the understanding of NATO’s progress in this area.
In response to an audience question on the subject of public private partnerships, Healey cautioned that NATO and government officials need to ask at the offset, “what do we want to accomplish?” so as to not lead to only marginally beneficial results because of a lack of clarity on those desired outcomes. Bochoven also pointed out that these partnerships need to have two-way value, so that there is a strong incentive on the part of the private sector to actively participate.
On the matter of information sharing, Pearson said the rate and pace of collaboration needs to pick up considerably, and at the same time transform from solely post-hoc sharing about cyber incidents to a system that incorporates anticipatory sharing, that can yield more valuable results. Ideally these relationships and sharing practices are devised before a major incident and not on the fly, Healey added, also noting that NATO countries need to be more willing to declassify information so it can actually benefit the private sector, citing the example of malware signatures.
Healey made an interesting comment that fits within some of the broader discussions taking place in the midst of Congress taking action on cybersecurity legislation, stating that we’re not teaching “cyber-mindedness.” He explained further by noting that during his time in the Air Force, airmen were taught about past battles and leadership, strategy, etc. to hone “air mindedness,” and that so far we’ve failed to do so for cyber. An interesting project might be to see what efforts to encourage cyber-mindedness have been taken so far, and evaluate those efforts as leadership on both sides of the Atlantic seeks to answer these important strategic questions on cybersecurity.
Next week, ACUS will be hosting an event on the history of US military cyber units, all of which were precursors to the recently stood up US Cyber Command.