In 2007, Estonia suffered a catastrophic cyberattack that is widely attributed to Russia. Online banking went down, as did most ATMs. Government services were unavailable, civil servants were unable to communicate electronically and media organisations were silenced.
Estonia was then – as it is now – a leading cybersecurity power – yet it still found itself vulnerable. Just over a year later, during Russia’s invasion of Georgia, accompanying cyberattacks had already grown in sophistication since those levelled at Estonia. According to Ian West, head of the Nato Cyber Security Centre, that operation was the first in which cyberwarfare was used in combination with conventional military forces.
The 2007 attack on Estonia “was a watershed moment when the world woke up and saw exactly what cyberattacks could do”, West told New Statesman Spotlight. “Many of us have known for a long time that it is very unlikely that any conflict in the future will not contain cyberattacks.” But 16 years is a long time in technological development: cybersecurity threats have continued to outpace cybersecurity defenders. This week, the UK government affirmed AI as a “strategic threat” for the first time in its national risk register, alongside cyberattacks against critical infrastructure – and another pandemic.
Nato’s most senior cybersecurity official started his career in the Royal Air Force. In 1996, when Nato forces were still deployed in Bosnia and Herzegovina, West, a British citizen, started working for the military alliance. Nato’s Cyber Security Centre is responsible for protecting and defending the organisation’s critical network infrastructure. Its 240 staff are mainly based at the organisation’s headquarters in Belgium.
When Nato was first created, in 1949, its members’ main concern was Soviet tanks rolling across western Europe. But today’s wars, as evident in Russia’s invasion of Ukraine, are occurring simultaneously in the digital realm. “What we’ve seen is a complete blend of kinetic and cyberattacks,” said West, comparing this to hybrid warfare.
Nato deployed its first serious cybersecurity defences in 2004. “We quickly realised that we’re always on the back foot,” West said. Nato, like other organisations, mostly relies on commercially available software and applications – all of which have vulnerabilities. “We’re constantly evolving our defences trying to keep up with the evolving threats.”
Even when you are a major multilateral organisation, cyber-risk tends to be mundane. “A lot of the threats you face on your home computers, other organisations face,” West explained. “We’re all using the same sort of technology.” Threats range from ransomware to denial-of-service attacks on Nato’s more than 100 websites, to creating fake or alternate sites. This “is a great way for attackers to get their message across on their opponents’ infrastructure, and… it’s incredibly embarrassing” for the alliance, West said.
Of course, Nato also has to defend against sophisticated attacks by hostile nation states, whose operatives infiltrate the system to find sensitive information. “Our sensors… capture well over a billion suspicious events every single day on our network, some automated, some manually initiated by attackers,” West said. Every day, around 20-30 of these attacks require an intervention from Nato’s Cyber Security Centre.
Links with the private sector are crucial to the defence against such threats, West believes, with most of Nato’s “capabilities, our intrusion detection sensors, our firewalls and antivirus capabilities… provided by industry”. Nato launched an innovation accelerator, called Diana, on which industry, academia and start-ups develop cybersecurity innovation.
Industry is also, however, the source of offensive capabilities, many of which are available to buy on the dark web, along with the expertise to deploy them “as a service”, West explained. This is an inevitable risk that comes with new technology. “You need to be able to, as best you can… mitigate those risks so that you can use and harness this technology to your advantage.”
The existential risks of artificial intelligence have been catapulted into public consciousness this year, as its inclusion in the UK’s national risk register attests. AI has implications for cyber-risk, too – and West thinks the security community “is a little bit behind” the tech. He wants to see infrastructure and regulation that ensures “AI for good” is encouraged, while “AI for bad” is countered. The former could include using AI to improve cyber defences, something the industry is already developing. West is less concerned with quantum computing and cryptography – innovations that will transform the power of computing exponentially and render existing security useless. Despite the hyperbolic coverage of these, he believes the current challenge of AI is far more urgent.
While relationships with industry have strengthened since West joined Nato, international cooperation on cybersecurity is hamstrung by the fact that some states, such as Russia and China, are sources of cybercrime and attacks. “Coalitions of like-minded nations” are working together on “norms for cyberspace policies”, he said. The UK has been particularly active, West noted.
Cooperation is at the root of how to respond to online threats. West gives the example of the Nato Cyber Security Centre’s malware information-sharing platform. In the past, each member state and agency would be analysing malware themselves and likely duplicating efforts. The platform means they can benefit from what others have gleaned.
This push for collaboration is a matter of survival, not courtesy. “You can rest assured,” said West, “that the people who are attacking us, whether they’re criminals, whether they’re hacktivists, or whether they’re hostile states, they’re working together.”