Published by The Lawfare Institute
in Cooperation With
In May 2008, the U.S. Department of Defense and the German Ministry of Defence signed a memorandum of understanding concerning “Cooperation on Information Assurance and Computer Network Defense.” Computer network defense (CND) refers to actions taken on computer networks to monitor and protect those networks. It is not the only memorandum the U.S. Department of Defense has signed with allies on cyber defense.
In late 2016, U.S. Cyber Command operators wiped Islamic State propaganda material off a server located in Germany. The German government was notified in some fashion but not asked for advance consent, causing much frustration. While U.S. Cyber Command’s reported action may have violated Germany’s sovereignty, it didn’t explicitly violate the memorandum. It wasn’t an act of CND; it was a computer network attack (CNA), seeking to disrupt, deny, degrade or destroy.
This reveals an uneasy situation within cyber cooperation: Allies do not agree on the appropriate procedures and boundaries for offensive cyber operations. More specifically, there is no agreement on when military cyber organizations can gain access to systems and networks in allied territory to disrupt adversarial activity. As I have argued previously, this issue may end up causing significant loss in allies’ trust and confidence. My proposed solution: NATO allies should establish memoranda of understanding on offensive cyber effects operations in systems or networks based in allied territory.
Objectives of Out-of-Network Operations in Allied Networks
Allied states may operate in each other’s systems or networks in at least three ways: as an observer, gathering intelligence on adversarial activity in others’ networks; as a passerby, transiting through allied systems and networks to access a certain adversarial target; or as a disrupter, seeking to cause friction for an adversary’s operation within an ally’s network or system. The German case discussed above is the only publicly known case of a state acting as a disrupter in an allied network. But we can expect that more of these cases will be publicly disclosed in the future.
It has now been widely discussed that the U.S. Cyber Command has undergone a significant shift in strategic thinking away from deterrence toward persistent engagement and defend forward. Following these recent changes in strategic thinking, U.S. Cyber Command seeks to cause friction “wherever the adversary maneuvers,” operating “globally, continuously and seamlessly.” In a similar vein, NSA director and Cyber Command head Gen. Paul Nakasone writes in an article for Joint Force Quarterly: “We must … maneuver seamlessly across the interconnected battlespace, globally, as close as possible to adversaries and their operations, and continuously shape the battlespace to create operational advantage for us while denying the same to our adversaries.”
While one may expect adversaries to maneuver in allied networks, the U.S. is currently the only NATO state that makes causing friction in allied networks a necessary and explicit component of its strategy. Other military cyber organizations could follow in the near future.
And we already see countries moving in this direction. On Aug. 1, the Communications Security Establishment Act (CSE) came into force in Canada. According to the Canadian government, “CSE could be authorized to proactively stop or impede foreign cyber threats before they damage Canadian systems or information holdings, and conduct online operations to advance national objectives.” The Canadian government does not explicitly talk in its latest strategy about the need to operate “globally, continuously and seamlessly” or to cause friction “wherever the adversary maneuvers.” In that regard, it needs to do more strategic thinking—as other countries do—on the exact role of cyber operations on allied networks in the military context.
But the proposed memorandum of understanding on cyber offense addresses exactly this possibility.
The Goal of the Memorandum of Understanding
The goal of the proposed memorandum is to reduce discord among the allies; enhance trust, transparency and confidence between allies; and improve the effectiveness of disrupting and deterring adversaries’ operations in cyberspace.
The scope of the memorandum should include (a) developing a common notification equity framework for out-of-network operations that seek to achieve cyber effects in allied systems or networks; (b) identifying procedures for communicating the consideration and conduct of offensive cyber effects operations between states against systems or networks in allied territory; and (c) identifying technical solutions and administrative documentation required for the continuous exchange of information on offensive cyber operations.
In writing the memorandum, states first and foremost should agree on the equities involved in permitting signatories to conduct cyber effect operations in each other’s networks—and the relative weight of those equities. Equities that should be considered include (a) the ability of an actor to take action to negate known threats on or to the other parties’ networks and systems; (b) the likelihood that an action will negate known threats; (c) the imminence and scale of the threat; (d) the risk of collateral damage; (e) whether the computer system or network is government owned or privately owned; and (f) the certainty that the system or network will be used to achieve strategic effects by the adversary.
There are three open questions about the memorandum of understanding.
I. Should the Proposed Memorandum Be NATO-Wide or Bilateral?
There are benefits of negotiating a NATO-wide agreement, including ensuring it contributes to the defense of all NATO members’ networks and enhances resilience across the alliance. It could also guard against the potential that persistent engagement and defense forward might be exploited by adversaries, as I argued previously:
Adversaries don’t randomly choose which intermediate nodes to direct their operations through. If Russia has the choice to go through a network that would raise some serious diplomatic friction between the U.S. and a U.S. ally, or operate through a network that would cause no diplomatic friction for the U.S., what would it prefer? It would make sense for adversaries to operate through the networks of exactly those countries with which the U.S. has a strong relationship but that do not want the U.S. to operate within their networks causing any effects.
But there are constraints on a NATO wide-memorandum, too. To start, not all states are equally willing to share intelligence information. A bilateral agreement would make it easier to tailor the notification equity framework to the specific preferences and capabilities of both governments.
II. Can It Be Used as a Public Signaling Device?
The notification equity framework part of the memorandum of understanding can remain classified. Governments might not get it right the first time. As the framework might need tweaking, immediate public disclosure is risky. But a public version, if crafted carefully, can also help to set the parameters of what Michael Fischerkeller and Richard Harknett call “agreed competition.” That is, it can help clarify where adversaries are allowed and not allowed to go within each other’s networks. If we want stability in cyberspace, this is a mechanism by which to achieve it.
III. Should the Memorandum Also Address Cyber Operations Beyond Allied Networks?
A memorandum of understanding narrow in scope—that is, addressing the allies’ conduct of cyber effect operations taking place only in systems or networks in allied territory—would ignore the negative impact on allied intelligence operations and capabilities beyond these systems and networks.
Military cyber organizations are operating in a global environment historically dominated by intelligence agencies, and the Five Eyes has always been the most dominant actor in cyberspace. But the anglophone intelligence alliance is not the only intelligence actor operating across the world. Recent cases—such as the Dutch ’s General Intelligence and Security Service infiltration into the Russia-based network of the infamous hacking group Cozy Bear—have illustrated the continued global prevalence and value of allies’ intelligence operations beyond the Five Eyes alliance.
If military cyber organizations increasingly take up the role of “disrupter,” it may negatively impact global intelligence collection of allies—particularly those countries that favor long-term access over immediate effect. It will also more likely uncover and burn allied capabilities.
The risks of occurring are higher than one may think as intelligence agencies have a tendency and incentive to target and track the same entities. For example, in late 2014, cybersecurity company Kaspersky Lab reported on the Magnet of Threats. The cybersecurity company discovered a server belonging to a research organization in the Middle East that simultaneously hosted implants for at least five Advanced Persistent Threat (APT) actors: Regin and the Equation Group (English language), Turla and ItaDuke (Russian language), Animal Farm (French language) and Careto (Spanish language). Consider what would have happened if one of those five APT groups had sought to cause a disruptive effect—rather than collect intelligence—against the target in the Middle East. It likely would have resulted in much earlier discovery and analysis by threat intelligence companies (or other actors) exposing the tactics, techniques and procedures (TTPs) of each actor group.
Also, even the anticipation of more cyber effect operations in nonallied networks from one allied state could lead to a change in operations by another state. Indeed, states have shown in the past that the anticipation of early discovery of an operation has led to a change in their TTPs. For example, the National Security Agency (NSA) created an “exploit orchestrator” called FoxAcid, an Internet-enabled system capable of attacking target computers in a variety of different ways, depending on whether it is discovered—or likely to be discovered—in a given network. FoxAcid has a modular design, with flexibility allowing the NSA to swap and replace exploits and run different exploits based on various considerations. Against technically sophisticated targets where the chance of detection is high, FoxAcid would normally choose to run low-value exploits.
Not a Silver Bullet
While I argue that the NATO memorandum of understanding on offensive cyber operations in systems or networks based in allied territory can greatly help in promoting stability and enhancing confidence among allies, it is not a silver bullet. It can only reduce allied concerns rather than mitigate them. Military cyber organizations may still conduct effect-based operations in allied territory without consent, leading allies to assert that their sovereignty has been violated. And there’s another crucial player involved. As Gen. Nakasone noted in the Joint Force Quarterly article, cyberspace is owned largely by the private sector. They deserve a seat at the table as well.