Ebook: Toward Effective Cyber Defense in Accordance with the Rules of Law

Dear reader,

This publication is a product of the joint effort between several experienced lecturers that were actively involved in the NATO Science for Peace and Security Advanced Training Course entitled “Toward effective cyber defense in accordance with the rules of law”, held in Ohrid, Republic of North Macedonia in November 2019. We want to share our work by publishing a series of papers that will provide a deeper understanding of the specific topics presented for diverse scholars, professionals in both the public and private sector and the general public.

The NATO SPS ATC welcomed talented professionals and scholars who demonstrated that we should not underestimate the power of the information and communication technologies in our daily personal and professional life. Information and communication technologies (ICT) play an important role in the South Eastern European (SEE) societies. Cyberspace is a widespread, interconnected digital technology domain and it underlies societies’ communications (email, cell phones, texting), transportation (traffic control signals, car engine systems, airplane navigation), state administration (birth/death records, social security, licensing, tax records), finance (bank accounts, loans, electronic paychecks), medicine (equipment, medical records), and education (virtual classrooms, online report cards, research). During the last decade, the digital revolution in the SEE countries’ has given more people access to communication, education, and news than ever before.

In some cases, limitations in technology resources have limited the capabilities of governments to respond to the ever-evolving challenges of defending the cyber domain. But in general, SEE countries have paid appropriate attention in developing cyber defense capacities. Most of the events and efforts in these areas have focused on raising awareness about the general necessity of building cyber defense capacities, such as operational and technical aspects. It is vital to recognize that the problem is not limited to government, but is equally targeting the private sector.

While the laws of each nation differ, recognizing and acting on the legal aspects of cyber defense have marginally been considered. Given that the Rule of Law is an important element in NATO’s mission, raising the awareness and introducing best practices in cyber defense in accordance with the Rule of Law is important for the region of Southeast Europe. Accordingly, the NATO SPS ATC “Toward effective cyber defense in accordance with the rules of law” covers the peacetime legal aspects governing cyber defense and international law of armed conflict applicable to cyber defense.

Topics were carefully chosen to cover issues in laws and regulations, cyber defense policies and their practical implementation.

Many thanks for the unselfish effort given by the various speakers at the NATO SPS ATC Toward Effective Cyber Defense in Accordance with the Rules of Law and their contributions to this publication.

We hope that you will find the information interesting and useful.

Thank you for reading this publication.

The Editors

The technologies known as artificial intelligence and deep learning are expanding across both the public and private sectors, and in more and more sectors of enterprise. From AI assisted medicine to AI banking systems, this growth is and will be explosive. However, these systems, while they can be very effective and efficient, are not without risks. The need to be sure that the systems, as implemented are compliant with relevant laws, governmental regulations and contractual obligations. Additionally, experience indicates that AI systems can be subject to inbuilt bias that makes the results of using the AI system suspect. This article discusses the potential problems with artificial intelligence and deep learning systems, and posits ways of mitigating potential problems while recognizing the value of these systems.

Public and private sector organizations in south eastern Europe face many challenges. One of these involves cyber threats posed by a range of actors, from nation-state operators to organized cyber-gangs to individual cyber-criminals. Attacks range from high-technology techniques involving newly discovered or previously unknown flaws in systems to low-tech attacks involving unfaithful workers or convincing an employee to give up sensitive data. This paper covers several topics involving responses to cyber threats.

Drones, small unmanned aerial vehicles, have emerged from the realm of science fiction to a multi-billion dollar international industry. Advancements and availability of technology have made the practical application of drones a reality for the commercial sector as well as a toy for the hobbyist. Along with the expansion of drone use has also come the opportunity and availability of drones and related technologies for use by threat actors. This paper first introduces unmanned systems and the underlying principles of operation. Next it describes the emergence of drones as tool for industry, but also a potential instrument of malicious activity. Finally, the paper describes the current state of practice in protection against the drone threat including State activities and recommended elements of a counter-drone program.

This paper will assess the definition and the role of the CSDP in the EU cyber defence policies. The focus on cyber defence in the area of CSDP is not meant to render other cyberspace policies of the EU less relevant. Purely for the purpose of this book, the paper focuses on the military aspect of the EU cyber defence. The second part of the paper defines the CSDP, its actors and the EU competence in the field. The third part covers all adopted EU policies related to cybersecurity, with a focus on issues related to the CSDP approach to cyber defence.

This paper explores the application of existing international law to the area of cyberoperations. Most States agree that existing international law applies in the cyber realm. Additionally, current State practice shows that existing international law provides sufficient guidance and frameworks for characterizing cyber actions and responding lawfully. Properly characterizing a cyber action is imperative for understanding how to lawfully respond to the action.

This paper presents the study on the nature of the hybrid threats and vulnerabilities of the South Eastern European region with proposals for countering these types of threats in cyberspace. The research starts with the concept of command and control warfare to understand better the doctrine of the hybrid warfare of the Russian Federation, considered as a main threat for the region. Response from NATO and EU is analyzed to identify the specific measures to be used in Southeastern Europe. Academic support in countering hybrid threats in this region is proposed as a Basic Environment for Simulation and Training (BEST) – Resilience as a first step to develop a dedicated Center of Excellence (CoE) in this domain for South Eastern Europe.

Financial resources are necessary for the execution of terrorist attacks. If the perpetrators do not have sufficient capital, then they have to get the missing money from an external source. Supporting terrorists or terrorist organizations through financial means is a crime under criminal law. In my article I will examine the cost of the terrorist attacks and techniques of terrorist financing today, and how criminal law reacts to this new type of crime.

While the threat of cybersecurity breaches—unauthorised access to networks, applications, and data—should be a priority for businesses and organizations, it is likewise a priority for government’s worldwide, and, in particular, governments are working on rules and standards intended to protect controlled unclassified information in public procurements. This is an important issue because governments share vast quantities of sensitive data with contractors through public procurements. Governments are increasingly realizing that this poses a significant risk to national security and steps should be undertaken to protect controlled unclassified information (CUI). The purpose of this article is to identify and compare those rules and standards in the United States and the European Union on the protection of controlled unclassified information and provide general recommendations. Overall, this article concludes by confirming that there are differences between the approaches taken by the US and EU to protect controlled unclassified information and that a uniform approach in the EU is recommended.

The ambiguity of cyberspace and modern technologies pose serious challenges, among others to the applicability of international law. States’ threat perception, interest, and technological development determine states’ position over the applicability of international law to cyber defense operations. Today, it is well established that international law of armed conflict and international human rights law apply to cyber defense operations in armed conflict. The article explores how the differences between these two complementary bodies of the law will reflect in the protection of the right to life and could provide challenges and uncertainties to the decision-makers during the interpretation of their applicability in the future cyber defense operations.