By Peter Round, Managing Director of PKR Solutions, Bedale
Divide and rule is an old principle and we don’t have to look far to find leaders using the principle. We are living in an increasingly challenging security environment, which is forcing Europe to rethink its posture, role and strategies in defence and security.
Is there already an undeclared digital war?
Looking at some recent cyberattacks (on Ukraine’s electricity grid, the German Parliament, German hospitals and DNS services of the US West Coast, and the hacking of servers in the US elections), we can see that institutions vital for the functioning of the internet itself, critical services, infrastructures and society at large are no longer safe; they will be attacked wherever there is a possibility. Are we already in an undeclared digital war? The EU Global Strategy (EUGS) recognizes these challenges and the European Defence Action Plan (EDAP) aims to boost R&T and capability development for Defence in the European Union. Cyber is now a domain of warfare. Germany has cyber and information space as a service like the Army, and NATO has cyber as a domain of operations; cyber is crosscutting and pervasive and affects all the other domains. Weapon systems are packed with digital devices; these are connected to the global information grid and have very different levels of protection, which means varying degrees of vulnerability. Digitally ring-fencing our military systems is not an option. We must design systems in a way that they can function even if compromised. Military technology will soon be semi-autonomous, autonomous or robotic. This causes challenges for on-board systems as well as C2 and data links. Technology is most secure when security is one of the design criteria from the earliest stages.
A risk-based approach to be followed
We cannot stop cyberattacks; we have to follow a risk-based approach, but today we still have:
• Fragmentation (no or limited information exchange),
• Compartmentalisation (“Thank goodness it was them and not me”),
• Distorted perception (believing in the inherent secrecy of our own systems…all the while knowing COTS components are transparent to the ‘dark side’).
Cyberspace today is characterised by “insecurity by design”. We have to change perceptions and attitudes to stop this getting worse. ‘Thinking cyber’ along entire value chains is key for effective cyberresilience. In the military, all command echelons need to be cyber-aware, but even that is not sufficient. ‘Thinking cyber’ has to be societal. This is reflected in the 2013 comprehensive EU Cybersecurity Strategy.
Sovereignty is not an argument
I often hear “cyber is very sensitive and is a sovereignty issue, we cannot cooperate.” How frustrating this is! While I can read about military capabilities in the press, the presence of a soldier on a private sector cyber course is too sensitive to share with friends! Sovereignty is not an argument for lack of cooperation in cyber. Clearly nobody can assume a Nation State’s responsibility for protecting and defending their information and infrastructures. But there are many different ways to establish the required capabilities and defend effectively. Going alone is not an option: the cyberworld moves so fast that Member States will not be able to establish, maintain and use a cyberdefence capability effectively without cooperation.
A chain is only as strong as its weakest link and if we are to operate as coalitions then the capable will be affected by the weaknesses of others. We need to think ‘trust’ not ‘sovereignty’. Over the last five years EDA has built an environment to foster and increase trust and to identify common interests and requirements. In keeping with the mandate of the Agency, it supports Member States in building up and maintaining their national cyberdefence capabilities. Pooling and Sharing has also established a framework for doing more together without losing any sovereignty. The decision to cooperate, and with whom and how far, is clearly a sovereign one, which should be taken with trust and common interest as guiding principles.
Responding to orchestrated attacks
Today, our strategic approach must be able to counter coordinated and orchestrated adversaries who may employ both symmetric and asymmetric tactics and techniques around a common strategy (Hybrid). Orchestrated campaigns need orchestrated responses based on reliable indicators and warnings. What I want to stress is that cyberspace, even as a domain in its own right, should not be regarded in isolation but as a set of new means – good and bad. As in the air, a war cannot be won in cyberspace alone. We must act in three dimensions (Civil-Military, Military-Military, and Public-Private) to improve cooperation and Pooling & Sharing. We should strive in both cyber and hybrid to reach solutions where the strength of one entity is able to complement the limitations of another. Europe must also ensure its global competitiveness; we need to keep European Defence and the European Industrial Base competitive and relevant.
Thinking beyond defence
To maintain this ability, thinking beyond defence is crucial for resilience. We are taking the right steps:
• the Cyber Contractual PPP (Cyber cPPP), which has a value of €1.8 billion over three years;
• the research elements of the EDAP: the European Commission is planning a substantial investment in defence research in the period 2021-2027;
• the Capability Development elements of EDAP.
How defence will benefit from Cyber cPPP and the amount of cyber in the EDAP windows is still to come.
The EU Global Strategy has opened an interesting dialogue on Defence in Brussels. So don’t just “think cyber” but “think integrated cyber”. Cyber can never stand alone.
The cPPP on cybersecurity
As part of the EU Cybersecurity Strategy, the European Commission and the European Cyber Security Organisation (ECSO) signed a contractual Public-Private Partnership (cPPP) on 5 July 2016. The aim of the partnership is to foster cooperation between public and private actors at early stages of the research and innovation process in order to allow people in Europe to access innovative and trustworthy European solutions (ICT products, services and software). The cPPP will be instrumental in structuring and coordinating digital security industrial resources in Europe. It will include a wide range of actors, from innovative SMEs to producers of components and equipment, critical infrastructure operators and research institutes, brought together under the umbrella of ECSO. The EU will invest up to €450 million in this partnership, under its research and innovation programme Horizon 2020. Cybersecurity market players are expected to invest three times more.
Peter Round is Managing Director of PKR Solutions, an international defence relations consultancy.
Until recently he was Director of Capability, Armament & Technology at the European Defence Agency (EDA). After graduating in defence from King’s College, London, Peter Round joined the Royal Air Force in 1979 and became Air Commodore. He completed Joint Advanced Command and Staff Training in 1999 and served in various leading positions in UK-supported UN operations, in particular in Southern Iraq, Afghanistan and the Balkans. After a tour on the Policy Director’s staff in the MOD, he became the UK National Liaison Representative to NATO Supreme Allied Commander Transformation in Norfolk, Virginia, and joined EDA in 2012.