Mr. Chair, let me begin by thanking you for inviting me to take part in this committee meeting. Although I am not in the room with you and am participating by video conference, I am very honoured to have the opportunity to address you.
Before I begin my preliminary remarks, I want to express special thanks to the High Commission of Canada in the United Kingdom for facilitating this communication today. I am not at NATO headquarters in Brussels, but in London, at the High Commission of Canada in the United Kingdom.
I am speaking French simply to show you that I am fully prepared to respond in English or French to any questions addressed to me during the question period. However, since I can speak English twice as fast as I speak French, I hope you will not mind if I deliver my opening remarks in English.
First of all, if I've understood this correctly, Mr. Chair, your focus today is on cyber issues, cyber defence, and cybersecurity. That's where I'll begin, but I'd just like to say before I start that as somebody who's been around NATO for a very long time, my division, emerging security challenges, deals with a broad portfolio of issues, including cyber issues, but also counter-terrorism, nuclear policy, and strategic forecasting.
If afterwards the members of the committee want to enlarge the discussion to other aspects of NATO's current postural policies, please, I'd be more than happy to stray off the reservoir—or the reservation, if you like—and intervene on that too.
On cyber, you could of course spend many a happy hour talking about this, because it's such a complicated, fast-moving topic. Let me at least briefly try to give you a sense of where NATO stands. For us, cyber represents three very key strategic challenges. The first one, to paraphrase an American sociologist, Clay Shirky, is “here comes everybody”.
Cyber for the first time allows virtually anybody in the world to become a strategic actor—and for a very small investment compared with what states used to have to invest to develop significant capabilities. Cyber allows anybody to attack anything from anywhere at any time. It totally obliterates the traditional security refuge of geography, of being behind borders and declarations of neutrality.
For states or for organizations like NATO, for the first time we have to defend everything all the time, whereas security policy, as you know, for most centuries allowed you to define a particular adversary and particular strategic access and to focus most of your resources on certain neuralgic points. Now you have to make difficult decisions over priorities, whether that's critical infrastructure, the civilian sector, the banking sector, or telecommunications and, as the threats from cyber keep shifting, from one sector to the other. You need an enormous agility to be able to keep up with the changing threat landscape, particularly when a company like Symantec identifies upwards of two million pieces of new malware on the market every year.
The second issue, of course, is that cyber obliterates the old distinction between being at peace and being at war. It condemns us to live in a kind of permanent grey zone, neither peace nor war, where everything is contested and where we are subject to attacks, major or minor, every day of the week. Most of these attacks are below the traditional NATO article 5 threshold, which used to be clearly identified in terms of tanks crossing a defined frontier.
Cyber is in that sort of grey zone where we sometimes find it difficult to determine what is an armed attack or its equivalent, or what is a hostile attack and what is simply a nuisance. Therefore, there's a difficulty in knowing how to respond, because on the one hand you want your response to have an impact, and on the other hand you want to avoid an escalation into a crisis that probably goes beyond where you would like to be.
There are issues of how to classify attacks, how to attribute attacks and how quickly to do so, how much evidence you need before you can make attributions, and what the appropriate response is. Is it diplomatic? Is it economic? Could it even be military? NATO certainly has said, back at our summit in Wales in 2014, that at a certain threshold a cyber-attack indeed could be considered the equivalent of an armed aggression and therefore provoke the activation of article 5 and a NATO response. However, what that threshold would be is something that we have kept ambiguous, because we believe that ambiguity serves the purpose of deterrence.
The third and final opening strategic point about cyber is that it clearly cannot be dealt with by using the tools that you traditionally have within your own organization. When it comes to traditional collective defence—and Canada is participating in that, of course, in leading the multinational division in Latvia at the moment—we have within our own organization the tanks, the aircraft, and the artillery we need, even if sometimes we would like it to be more modern or more ready.
When it comes to cyber, we find that in order to be effective we have to depend on others, the private sector, for instance, which is responsible for 90% of the networks where most of the innovation and much of the cyber-intelligence come from. In the cyber-field, you're only as good as your ability to form those partnerships, to persuade other people to help you out, and to build a true ecosystem for handling the challenge.
Those are three introductory messages.
Very briefly, what is NATO doing? There are four areas. I'm more than happy, of course, to go into these with all of the members of the committee in as much detail as would be helpful to you.
Number one, we of course need to defend our own networks. It sounds simple. It's the starting point, but in a complex organization like NATO, it isn't so simple. We have 55 different sites to protect. We have 35 different IT systems. Some are new and some are legacy systems. Of course, when you combine the old and the new in the cyber-world, you have many more interfaces and therefore many more vulnerabilities and attack surfaces. We have built up, over the last few years, a comprehensive NATO cyber-incident response capability—we call it NCIRC—situated within SHAPE in Mons, that provides our civilian and military networks 24-7 coverage.
A second part of this is bringing the intelligence community, which has forward strategic warning of cyber-attacks, together with the technical community. In the cyber domain, particularly for incident management, it's very important to make sure that what you are seeing corresponds to what you are hearing. In other words, the intelligence piece corresponds to what you are actually seeing in the networks, because the one could, of course, alert the other. We therefore have a cyber-threat analysis cell that brings these communities together.
Mr. Chair, as you know from the time that you and the members of the committee visited NATO headquarters in Brussels, we have established a joint intelligence and security division precisely to bring more of the national intelligence feature into NATO so that we can have better situational awareness and better correlation of the data we are receiving.
Of course, also in this field, as you know—and this is true of all of us—part of the protective task is identifying your critical dependencies. You are often amazed to discover that just when you thought that you had mapped out your cyber-ecosystem, identified all of your critical networks, and brought them up to the same level of protection, there is some new supply chain risk from some other system that you realize is connected to yours, and you don't know exactly what the level of security is there. That constant mapping is important, too.
The second level of our efforts is assistance to allies. We really want to be the heart of a number of cyber-defence services that could help our allies become more resilient at the national level and learn from each other's technologies, people, processes, education methods, and experiences so that we can increasingly benchmark standards in an objective way by allowing allies to assess themselves voluntarily and then compare the results with others.
This is in the form of a cyber-defence pledge that is now in its second year. Indeed, I am hoping that, in the next couple of days, Canada's submission, its self-assessment for the second cycle, will arrive at NATO headquarters. Of course, we'll compare that with what Canada told us just a year ago. I know, from your own national activities over the past few months, there's been a surge of effort in this area. Therefore, I'm sure you can add many good new things to report to us.
The pledge, as I said, allows for comprehensive benchmarking: it allows NATO to have a comprehensive overview of the strengths or weaknesses in the cyber realm of our allies, and therefore to help with feedback and advice; and it encourages nations to both devote more resources to cyber by identifying key NATO priorities and to also join themselves up more at the national level over the various ministries and different departments. Many allies have told us that the pledge was the first comprehensive stock-taking that they were asked to carry out.
Very briefly, before I stop, there are two final elements. The third is where perhaps we might get some questions and discussion, because it's the most ambitious and the most demanding. At our summit in Warsaw in 2016, we declared cyber as an operational domain. In other words, we have to fit the virtual world and cyber together with the four traditional areas of crisis management and conflict: air, sea, land, and space. We have to fit cyber as the fifth domain and therefore understand the implications of conflict in the cyber space and which instruments and doctrine we need to be able to deal with that on the assumption that all future conflicts will probably, or inevitably, have a cyber dimension. Therefore, how does cyber fit with nuclear deterrence, conventional defence, and missile defence, into NATO's posture? What can it do, what can it not do, and what kinds of new capabilities do we need?
You've probably seen, Mr. President and members of the committee, that we've agreed now to establish a cyber operations centre and to incorporate into NATO's posture voluntary national cyber contributions that individual allies who have these capabilities would be willing to make available to us. That work is ongoing.
My last point is that we in NATO of course want to be political in the cyber domain, and not simply technical military, because as with every other area of NATO engagement, we see our security as depending upon political initiatives, arms control initiatives, confidence-building measures, and agreed restraints, and not just in the development of new weaponry. Therefore, we are very engaged—even if we're not negotiating—in the whole domain of international law as it applies to cyberspace, and how we can work with the EU, the United Nations, the OECD, and other institutions.
If your committee is interested in this, I would refer you to the two Tallinn manuals that our centre of excellence has produced on the international law governing cyberspace, which are helping to drive this intellectual debate forward.
I will stop there, but again, I hope we can have a good, productive discussion with the committee in the direction you wish to follow afterwards.
Thank you again for the privilege to be able to speak to you this morning.