NATO Discussion on Cyber Security Capacity Building is Sorely Needed
With cyber security among the topics to be discussed at the Warsaw Summit starting tomorrow, there is a clear effort by NATO members to address the growing threat of cyber attacks. However, given the growing number of major hacking incidents and fears over Russian aggression in cyberspace, the United States has been slow to support foreign allies in strengthening their cyber security even though some U.S. efforts are increasing.
NATO recently announced that cyberspace would likely be recognized as a domain of warfare that can invoke an article 5 reaction at the Warsaw Summit. This is largely a response to growing Russian cyber capabilities. Reacting to Russia’s increasingly aggressive use of cyber weapons, NATO has developed a doctrine of “active defense” in approaching cyber security. Speaking in Brussels on July 4th, NATO general secretary Jens Stoltenberg outlined broad objectives for increasing cyber capacity: increased collective resilience against cyber attacks and plans to establish a new cyber intelligence division within NATO headquarters. According to Breaking Defense, leaders at Warsaw will discuss how governments can improve cooperation of cyber defenses so that countries with strong cyber frameworks can “help less capable nations get the required cyber capabilities in place.”
There is a pressing need for an updated cyber. In recent months Germany’s lower house of parliament suffered a data breach that shut down computer systems for days and a cyber attack on a power grid in Ukraine caused massive blackouts, cutting power to 103 cities and towns. NATO was clear that the alliance considered the attack against Ukraine by Russian hackers as clear “intent to attack critical infrastructure.” The cyber attack in Ukraine demonstrates the far-reaching effects of cyber crime as a threat to citizen security and the ways in which allies with weak cyber capacity and NATO countries themselves can be targeted. 
A recent study by the RAND Corporation said U.S. government officials and leaders have begun to acknowledge the pressing need for more cyber security capacity building because there is increased awareness that the United States is weakened by a partner country’s lack of cyber capacity. Helping build partner cyber capacity is essential because “U.S. forces overseas ‘rely on our partners for critical infrastructure in their countries: energy, power, telecommunications and water.”
Thus far the U.S.’s contribution to cyber security abroad has been limited. The U.S. Foreign Military Training report for 2014-2015 states the United States planned to spend only about $2.5 million on military training devoted to improving cyber security capabilities in 2015. This aid was spread across 31 countries, with most recipient countries receiving less than $10,000 in military training. This number is paltry compared to the amount the United States spends on other areas of military training such as improving foreign militaries to manage their resources more effectively or for English language training.
Exporting cyber security capabilities abroad is not without risks. As with other types of security assistance, the U.S. must be attentive to how recipient countries use aid. According to TechUK, a major exporter of cyber security products, digital capabilities including surveillance and reconnaissance, analytics, social media analysis and forensics can be used by state authorities to infringe on right to privacy and freedom of expression if not used legitimately and proportionately.
Governments misusing cyber capabilities for repressive means is apparent in the case of Central Asia, where both the U.S. and NATO have acute security concerns because of the region’s proximity to Afghanistan. Countries in Central Asia have notoriously weak Internet freedoms. Authorities in Kazakhstan will routinely block publications and news sources, citing the fight against extremism as a blanket defense of their actions. Central Asian states have often looked abroad to overcome lack of domestic technological capabilities. In 2012 the Swedish-Finnish owned telecommunications company TeliaSonera sold security services in Azerbaijan and Tajikistan real-time access to telephone calls, data, and text messages and in 2014 the Milan-based group Hacking Team sold sophisticated computer spyware to security services in Uzbekistan, which could be used to suppress dissident activity by human rights activists.
Governments of some NATO countries have also been linked to questionable spyware. A report by the Toronto-based group Citizen Lab found that the German software company FinFisher sold malware to Bahraini government that was used to suppress dissident activity in 2011. FinFisher also has command and control servers in Bulgaria, Canada, Czech Republic, Estonia, Germany, Hungary, Latvia, Lithuania, the Netherlands, Turkey, United Kingdom and the United States. Additionally, Citizen Lab found evidence that government agencies in Hungary, Italy, Poland and Turkey are all former or current users of Hacking Team’s sophisticated spyware. This is unsettling considering that countries like Turkey have a history of suppressing dissidents and restricting freedom of speech.
In developing cyber doctrine at the Warsaw Summit, the U.S. and NATO members should discuss how increased cyber capabilities have the potential to be abused by governments. Multiple organizations offer models for positive and human rights conscious cyber security capacity building. A London based organization TechUK helps exporters of cyber security products and capabilities assess risk based on possible human rights violations and abuses. Another group, the Global Cyber Security Capacity Centre at the University of Oxford, offers a model for countries to self-assess their cyber security capacity and then identifies donors or exporters of cyber security products and services that could assist them in meet their needs. Recipient countries are investigated on the basis of their human rights record and subsequent use of cyber products in order to ensure these capabilities are not being abused. Aspects of these models of cyber security assistance could be incorporated into cyber security doctrine on a government-to-government basis.
As world leaders at the Warsaw Summit discuss defensive cyber deterrence in regards to Russian aggression, the United States has an opportunity to work with NATO partners in strengthening the defenses of countries at risk to help mitigate this threat. As part of the discussion in Warsaw, states must not only discuss the needed technological capacity to counter these threats, but also the key laws, policies, and protections needed to protect human rights and freedoms. A discussion on a comprehensive cyber doctrine that tailors assistance to help ensure that foreign governments do not misuse cyber capabilities would be fruitful.
Eloise Goldsmith is an intern at the Security Assistance Monitor where she covers security issues in Central Eurasia.