1

Ethan S. BurgerVisiting Professor, Vilnius UniversityFulbright Senior Legal SpecialistDecember 7, 2016

Cybersecurity in Baltics After the USA Presidential Election: A Bridge Too Far?

Institute of International Relations and Political ScienceVilnius University

Modern Conflict?Modern Conflict?

2

The Trigger for the Cyber-Attack The Trigger for the Cyber-Attack on Estoniaon Estonia

3

Key NATO Cybersecurity DatesKey NATO Cybersecurity Dates

2004 – Baltic States (Estonia, Latvia and Lithuania) join NATO. Estonia proposes the concept for a cyber defense centre to NATO.

2006 – Supreme Allied Commander approves concept.

2007 – Cyber attack against Estonia.

2008 – Russian ‘hybrid’ attack against Georgia.2014-16 – Russian cyber-aggression (Crimea, Donbass, grid) against Ukraine (and Ukraine’s cyber-responses)

2016 – NATO recognises ‘Cyberspace’ as a ‘Domain of Operations’ at Warsaw Summit.

2016 – reaffirms the applicability of international law and NATO’s defensive mandate for cyberspace and members pledge to further develop NATO/EU cyber defensive capabilities/cooperation.

4

NATO SummaryNATO SummaryThe North Atlantic Treaty Organization (NATO), a military alliance of countries from Europe and North America promising collective defence. Currently numbering 26 nations, NATO was formed initially to counter the Soviet Union and its allies and has searched for a new identity in the post-Cold War world.

The principle of collective defence is at the very heart of NATO’s founding treaty. The centre piece of the NATO treaty is Article 5, promising collective security:

"an armed attack against one or more of them in Europe or North America shall be considered an attack against them all; and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defense recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.“

5

NATO’s Disquieting Truth NATO’s Disquieting Truth Article 5 does not require states to do anything other than consult. NATO plans are just that plans.

U.S. forces are in Europe as a “tripwire,” that is, to place troops in ‘harms way’.

Nonetheless, France had limited confidence in the U.S. (nuclear) umbrella, and therefore developed its ‘force de frappe.’

Query: How will the U.S. and other states respond to a ‘cyber’ only attack?

A hybrid attack? While a cyber-only attack is likely to be a ‘use of force’ under U.N. Charter Article 2.4, can it be regarded as initiating an ’armed conflict’ under UN Charter Article 51?

6

The Bear at the GateThe Bear at the Gate

7

NATO Members’ CybersecurityNATO Members’ Cybersecurity

Cyber is a matter for national-governments. NATO has undertaken a comprehensive review of existing national organisational models for ensuring cyber security as a part of national security in NATO Nations. This study outlines the division of cyber security tasks and responsibilities between different agencies, describes their mandate, tasks and competence, as well as coordination among them.

In particular, the study describes the mandates of political and strategic management; operational cyber security capabilities and cyber incident management; military cyber defence; and cyber aspects of crisis prevention and crisis management. It also offers a summary of the national information society setting and e-government initiatives as well as the national cyber security atrategy objectives in order to clarify the context for the organisational approach in a particular nation.

See https://ccdcoe.org/national-cyber-security-organisation.html

8

Baltic Countries’ National Baltic Countries’ National Cybersecurity StrategiesCybersecurity Strategies

Estonia (National security and defence strategies, National Security Concept of Estonia (2010) Original | English, National Defence Strategy (2010) Original | English, National cyber security strategy, Cyber Security Strategy (2014) Original | English).

Latvia (National security and defence strategies, The State Defence Concept (2012) Original | English, The National Security Concept (2011) Original | English National cyber security strategy, Latvian cyber security strategy for the period 2014 to 2018 (2014) Original | English, National legislation, Law on the Security of Information Technologies (2010) Original | English).

Lithuania (National Security and defence strategies, National Security Strategy (2012) Original | English, The Military Strategy of the Republic of Lithuania (2012) Original | English, National cyber security strategy, Programme for the Development of Electronic Information Security for 2011–2019 (2011) Original | English, National legislation, Cybersecurity Act (2014) Original | English).

9

NATO Cyber-Defense HighlightsNATO Cyber-Defense HighlightsState and non-state actors can use cyber attacks in the context of military operations. In recent events, cyber attacks have been part of hybrid warfare. NATO and its Allies rely on strong and resilient cyber defences to fulfil the Alliance’s core tasks of collective defence, crisis management and cooperative security. NATO needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats and attacks it faces.

Cyber defence is part of NATO’s core task of collective defence. NATO has affirmed that international law applies in cyberspace. NATO is responsible for the protection of its own networks. In July 2016, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of

operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. Allies are and remain responsible for the protection of their national networks, which need to be

compatible with NATO’s and with each other’s. NATO enhances its capabilities for cyber education, training and exercises. Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating

and recovering from cyber attacks. NATO signed a Technical Arrangement on cyber defence cooperation with the European Union in

February 2016. NATO is intensifying its cooperation with industry, via the NATO Industry Cyber Partnership.

10

NATO Policy on Cyber DefenceNATO Policy on Cyber Defence

“To keep pace with the rapidly changing threat landscape and maintain a robust cyber defence, NATO adopted an enhanced policy and action plan, which was endorsed by Allies at the Wales Summit in September 2014. The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry. The top priority is the protection of the communications systems owned and operated by the Alliance.”

11

Developing the NATO cyber Developing the NATO cyber defence capabilitydefence capability

“The NATO Computer Incident Response Capability (NCIRC) protects NATO’s own networks by providing centralised and round-the-clock cyber defence support to the various NATO sites. This capability is expected to evolve on a continual basis, to maintain pace with the rapidly changing threat and technology environment.”

“To facilitate an Alliance-wide and common approach to cyber defence capability development, NATO also defines targets for Allied countries’ implementation of national cyber defence capabilities via the NATO Defence Planning Process. In 2017, further cyber defence capability targets will be agreed.?

12

Rand’s “Reinforcing Deterrence on Rand’s “Reinforcing Deterrence on NATO’s Eastern Flank” (1 of 2)NATO’s Eastern Flank” (1 of 2)

A rapid assault on the Baltic region would leave NATO with few attractive options, including a massive risky counterattack, threatening a nuclear weapons option or simply allowing the Russian to annex the countries.

1. After a lengthy mobilization. deploy a massive counterattack force which would likely result in a drawn-out, deadly battle.

2. Threaten a nuclear option, a scenario which seems unlikely if not completely unrealistic in light of the U.S. strategy to decrease nuclear arsenals and discourage the prospect of using nuclear weapons.

3. NATO could simply be to concede the Baltic states and immerse the alliance into a much more intense Cold War posture. Such an option would naturally not be welcomed by many of the residents of these states and would, without question, leave the NATO alliance weakened if not partially fractured.

13

Rand’s “Reinforcing Deterrence on Rand’s “Reinforcing Deterrence on NATO’s Eastern Flank” (2 of 2)NATO’s Eastern Flank” (2 of 2)

The absence of short-range air defenses in the U.S. units, and the minimal defenses in the other NATO units, means that many of these attacks encountered resistance only from NATO combat air patrols, which are like to be overwhelmed by sheer numbers. The result would be heavy losses to several NATO battalions and the disruption of the counterattack.”

Latvia, Lithuania and Estonia could be likely Russian targets because all three countries are in close proximity to Russia and spent many years as part of the former Soviet Union.

Also like Ukraine, Estonia and Latvia are home to sizable ethnic Russian populations that have been at best unevenly integrated into the two countries’ post-independence political and social mainstreams and that give Russia a self-justification for meddling in Estonian and Latvian affairs.

While the Pentagon’s European Reassurance Initiative (ERI) calls for additional funds, forces and force rotations through Europe whether the funding is approved is uncertain.

The Pentagon is seeking $3.4 Billion ERI request does call for an increased force presence in Europe as well as “fires,” “pre-positioned stocks” and “headquarters” support for NATO forces.

14

NATO Couldn't Repel Russian NATO Couldn't Repel Russian Invasion of the Baltic StatesInvasion of the Baltic States

Military analysts believe that Russian forces could conquer the capitals of Baltic states Latvia, Lithuania and Estonia within 36 to 60 hours.

NATO forces had found numerous deficiencies during the recent "Anaconda" military exercise in Poland. Heavy military equipment could not be moved fast enough from western to eastern Europe in time in the event of an attack.

NATO’s command, control, communications, and intelligence not secure against cyber attacks. The Anaconda maneuver included troops from more than 20 NATO member states but was officially a Polish national exercise.

Some countries, like France and Germany, thought it would be too provocative toward Russia to call it a NATO exercise".

15

One ScenarioOne Scenario

16

Recent News AnalysesRecent News AnalysesWhat If Russia Invaded the Baltics—and Donald Trump Was President ... www.theatlantic.com/international/archive/2016/...nato-trump.../492938/

A former NATO general imagines a frightening scenario.Baltic States Nervous Over Trump's Attitude Toward Russia : NPRwww.npr.org/.../baltic-states-nervous-over-trumps-attitude-toward-russia

NATO members Lithuania, Latvia and Estonia are anxious over President-elect Donald Trump's criticism of NATO and comments about forging ...In Trump, NATO Faces a Challenge – WSJ www.wsj.com/articles/in-trump-nato-faces-a-challenge-1478690705

If Mr. Trump tries to reorient the alliance's stance on Russia, NATO ... including American soldiers, to the Baltic States and Poland next year.Will Russia Declare War On Europe? Northern Europe, Baltics ...www.ibtimes.com/will-russia-declare-war-europe-northern-europe-baltic...

Northern Europe, Baltics Concerned Over 'Unknowns' Of Trump ... role in the High North and the Baltic Sea, and the U.S. funding of NATO.NATO Seeks Clarity on Trump's Campaign Statements - VOA Newswww.voanews.com/a/trump-nato-russia-baltic/3591287.html

17

55thth Columnists or Reliable Citizens? Columnists or Reliable Citizens?

18

Trump on CyberTrump on CyberTrump's Incoherent Ideas About 'the Cyber' - The Atlanticwww.theatlantic.com/technology/archive/.../trumps...cyber/501839/

How A Trump Presidency Will Erode Cyber Privacy And National ...www.forbes.com/.../how-a-trump-presidency-will-erode-cyber-privacy-...

Trump Cyber Security Team and Policy Slow to Take Shape - Fortunefortune.com/.../trump-cyber-security-team-and-policy-slow-to-take-shap...

Trump's transition has not announced cyber security policy or staffing, which could make the U.S. vulnerable and worsen a talent shortfall.www.theverge.com/.../transcript-here-are-words-trump-just-used-to-talk-...

Cybersecurity in President Trump's America: The first 100 days ...www.techrepublic.com/.../cybersecurity-in-president-trumps-america-the...

It would take months to know what the Trump administration's cybersecurity policy will be. Cyber-defense experts weigh in with advice and best ...Trump: “The security aspect of cyber is very, very tough” | Ars Technicaarstechnica.com/.../clinton-cyber-warfare-will-be-one-of-the-greatest-ch...

19

The Obama Administration and the Baltic States The Obama Administration and the Baltic States August 23, 2016August 23, 2016

(https://www.whitehouse.gov/the-press-office/2016/08/23/fact-sheet-united-states-(https://www.whitehouse.gov/the-press-office/2016/08/23/fact-sheet-united-states-and-estonia-latvia-and-lithuania-%E2%80%93-nato-allies)and-estonia-latvia-and-lithuania-%E2%80%93-nato-allies)

FACT SHEET: The United States and Estonia, Latvia, and Lithuania – NATO Allies and Global Partners

Defense and Security CooperationNATO Allies.Collective Security.Security Assistance:.The State Partnership Program.Afghanistan.Counter-ISIL Coalition.Global Development Cooperation.Eastern Partnership.Economic Cooperation.Trade.Educational and Professional Cooperation.Exchange Programs: Since 1991, the United States has awarded Fulbright fellowships to nearly 600 outstanding scholars, students, and professionals from Baltic States and (500 U.S. Fulbright students and scholars)Cultural Heritage Celebrations.Cultural Festivals.

20

NATO is a Political AllianceNATO is a Political AllianceNATO in a sense is more of a political than a military alliance. National security is far broader than purely military affairs. There are many policy documents that will serve as critical planning guidance in the future, the most recent being:

[The U.S.] Commission on Enhancing National Cybersecurity, December 1, 2016, Report on Securing and Growing the Digital Economy.

Another document worth examining will be NATO’s “Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare,” (2017).

21

Contact InformationContact Information

Ethan S. Burger, Esq.Fulbright Legal Specialist, Washington, D.C.Vilnius University // Washington College of Lawethansb@post.harvard.eduburger@American.eduesb34@georgetown.edu1-917-291-3362

22