NATO’s leading role in the era of IoT:

A security approach of the new era’s fuel

Nikolaos C. Moulios serves as the representative of the European Student Think Tank (EST) to
Greece since September 2018. Also, he is an international affairs analyst with a focus on Science
and IR interaction in the Student Association of International Affairs (SAFIA). He is especially
interested in European and Eurasian affairs.

Source: A Review on Internet of Things for Defense and Public Safety, Sensors Magazine

Introduction

Our alliance faces complex challenges: from terrorism to political extremism and from the
European migrant crisis to low intensity naval crises. NATO should provide security to its members
in a context of a significant socio-economic transformation to a completely data-driven society.

Both states and non-state actors already, use the cyberspace for political warfare,
intelligence gathering, and attacks to critical infrastructure. In a world which is controlled by

1
intelligent algorithms and sensors without sufficient human supervision, few malicious hackers can
cause disasters of magnitudes in certain cases comparable to warfare. Furthermore, the IoT will give
them approximately 50 billion “eyes” in the more sensitive aspects of our lives, both public and
personal. The analysis of data gathered from that sensors gives to their owner a significant strategic
advantage, more important than the ownership of oil wells. NATO is the most capable organisation
to plan and imply a strategic dogma for cyber-warfare, using new technologies like quantum
cryptography, photonics and blockchain in a close partnership with academia, industry and other
organisations such as the EU.

IoT: Function, Potential and Prospects

No academically agreed definition of IoT exists. Gartner in 2017 formulates a generally

successful definition attempt. Gartner in 2017 attempted such a definition of IoT as: "the network as
“the network of physical objects that contain embedded technology to communicate and sense or
interact with their internal states or the external environment”.An IoT network is comprised of
connected objects which exhibit distributed intelligence, by incorporating hardware supporting
computation, memory, communication, as well as sensing and quite often actuation too. One of the
most vital parts of an IoT Net are connected sensors. They can monitor their environment’s
parameters (physical, chemical or biological), continuously or at specific time instants. A special
category of sensors, with a broad range of applications, are machine vision cameras; which can
record images of their environment across the visible and non-visible electromagnetic spectrum.
After the collection and analysis of those data, many systems can react to changes immediately,
using motors or other “intelligent’ devices such as robots or even by eliciting human responses
through direct and/or indirect means

The development of IoT is based mainly on four pillars: 1) hardware (sensors, controllers
etc) are becoming more powerful, cheaper and smaller with exponential rates. 2) emerging
technologies like 5G networks increase data transfer speed and offer cost and energy efficient
connectivity solutions 3) Data processing and storage capacity increases rapidly. Innovative
technologies like biocomputers, DNA based storage devices and quantum computers may affect
significantly this sector in the near future. 4) Developments on software, especially on Artificial
Intelligence and deep learning algorithms as well as big data analysis increase the analytical
capacity of systems allowing evidence-based forecasts using huge amounts of data collected by
multiple sources .

2
 Many technological challenges should be addressed to achieve the full potential of IoT. A
significant challenge is the integration and combination of data collected from heterogeneous
sources; that basic prerequisite to achieve the best efficiency as well as cost reduction of a cyber-
physical system needs common communication protocols (standardisation). Furthermore, the
continuous operation of IoT on a global scale needs significant distribution of energy sources, new
technologies like biotechnology and nanotechnology along with the large scale utilisation of
renewable energy sources may provide a sustainable solution. Lastly, the protection of those
systems by accidental and malicious actions are technically complicated. Safety, Security and
Privacy challenges rising while we should keep a sustainable balance between effectiveness and
cost, as well as openness and protection. Because of the disruption of IoT technologies, except of
critical organisations, businesses and citizens should be aware about these challenges.

Cyber-Physical networks are highly valuable for both businesses and states. They support
informed decision making using pattern recognition, prevent crises by the early detection of
(possibly harmful) changes, and decrease the cost but can cause extremely serious, large-scale
dysfunctions in an organisation, city, and state level. And of course, such attacks could be initiated
by state or non-state actors, and could also be addressing critical infrastructure and/or critical
governance processes, or could even be harming the reputation and/or relations of individuals in
important positions.

Source: SANS Webcast, “Securing the Internet Of Things”

IoT and Cybersecurity: NATO’s Key Role

Every device connected with the internet, immediately or not, should be always considered
as a potentially insecure device. Every sensor is a potential “eye”, that might prove more efficient
than the most capable spy on the monitoring of one parameter. The access to the data collected by
3
the sensors of a completed IoT system of a target is a high-value intelligence, actually an fMRI of
this particular system/infrastructure. A “smart mega-city” for example, using the internet of
Everything to control and motion every aspect of life may be attacked by evil actors or it can be
recorded in multiple layers providing a strategic advantage to the owner of the data.

In a hybrid tactical environment, the exploitation of information is critical. Platforms of

sensors like satellites, ships, UAVs, and soldiers provide data useful for both tactical planning and
strategic planning, forecasting and evaluation. NATO needs full compatibility between C4ISR
systems to have a Common Operational Picture (COP) in all commanding levels. Data prioritisation
is vital in the battlefield to achieve the minimum time for right, evidence-based, tactical decisions.
Except of C41SR, the IoT has significant applications in logistics and training along with argument
reality technologies and AI. IoT gathered data can provide confident simulations for tactical and
strategic planning training. Commercially available IoT devices usually do not meet military
specifications. As a result, R&D on this area needs a boost. The focus should be on investing in
scalable security measures (Centrally provided tools in encryption are generally both more efficient
and cost-effective), networks security, and cloud technologies. Cases of Estonia, Georgia and
Ukraine provide us with valuable lessons about the need of preparedness for the unexpected. NATO
should be the leader in the research on encryption, identification etc using quantum algorithms,
cyber-physical identification systems and biometrics along with behavioural patterns analytics to
protect its cyber ecosystem from attacks. Partnerships with academia, research community, private
sector and ethical hackers community are vital.

International and multi-stakeholder cooperation is another critical issue, NATO could

provide a debate platform for policymakers, experts and business leaders to achieve the maximum
awareness level and a common understanding of challenges. Cyber-terrorists, criminals, and state
actors prefer attacks against private organisations, which usually have significantly weaker
measures than military/government organisations. Those attacks, except of access to confidential
information, industrial espionage, privacy issues, and financial loss have a significant psychological
impact, causing panic and loss of confidence in the population, as well as strong economic effects.
The main target of a cyber-terrorist or a political warfare actor is to undermine the trust of the target
while overcomes target’s resilience and responsiveness by unleashing a rapid series of large-scale
attacks. Preparation is the vital element to eliminate the actual and psychological impact of an
attack: and preparation not only of the officials that would handle and/or be exposed to the effects
of the attack, but arguably, also of the wider citizen population.
4
 Furthermore, NATO faces an exposure asymmetry. EU countries and the US are among the
highest exposed to IoT related threats economies while Russia, Iran, and China have significantly
less exposition to those threats. A best-practices paradigm is Japan, which has a relatively small
exposure, mainly because of the customisation of commercial software (tailor made provably secure
software for critical parts of the cyber-infrastructure). Also, an attack by terrorists is significantly
more unlikely than one by a state-related factor. Terrorists want drama and blood. As a result,
NATO should monitor and analyze the capacity on cyber-warfare of its well-known enemies. As a
dynamic alliance, NATO should accept risk, plan policies and dogmas and invests on research and
innovation via wide-range partnerships, and should also, arguably, regularly do simulation exercises
of different types of cyber-attacks, thus increasing the readiness of relevant entities (within as well
as outside security forces). Lastly, we should focus on the protection of data and networks, not only
the IoT devices, while ensuring the continuous operation of critical networks in degraded
environments. Last but not least, this extra "security" layer should be carefully balanced with
progress in the deployment of state-of-the-art IoT and other such systems, given that NATO
countries also need to make sure that they don't stay behind in their capabilities due to an over-
secure policy. Being able to balance progress with robustness is not an easy task; yet it is often vital.

The NATO’s strategy in the era of chimeras

Multinational “umbrella” organizations such as NATO face plenty of cybersecurity

challenges. The exponential increase of connected devices increase also the number of challenges,
but more importantly, transforms their nature. Advanced sensing methods (including social sensing
techniques which can detect and therefore analyze human behaviour) could provide a malicious
actor with large amounts of data. Their analysis could suggest accurately system’s vulnerabilities.
Parallel to those, technological developments in the field of social engineering are rapid. This threat
is a game-changer factor because of that hurts the most important and improbable as well, part of a
human-machine system, the human. Malicious actors, in many cases, not wish to cause catastrophes
(because then they would be detected and counteracted) but to undermine a system causing long-
lasting harmful effects, while passing unnoticed, or while misinterpreting them not as being cyber-
attacks, but as random failures. Also, they wish to destabilise a system destroying the reputation of
specific people, getting the wrong people selected for/or elected in specific positions, and
manipulating targeted groups behaviour.

5
 NATO recognizes the cyber-defence as a core task of collective defence. With the
assumption that the international law applies in cyberspace, NATO should, except the protection of
its own networks, develops a common strategy in cyberspace, specialised regulatory and technical
guidances, as well as, doctrines while it provides training, technical, financial support in cyber-
defence related projects. Since 2008 (Georgia-Russia conflict and cyber-attack against Esthonia)
NATO start developing its cyber-defence capabilities with the founding of the Cooperative Cyber
Defence Centre of Excellence in Tallinn, Estonia. Since 2012 the NCIA (NATO Communications &
Information Agency) is the executive agency which ensures the protection of NATO’s systems.
Another significant development is the extended cooperation with the EU since 2016 in a technical
level, cyber-security, and emergency response. In the operational level, after the 2017 ministerial
agreement on a Cyberspace Operations Centre (will be fully operational in 2023) the NATO
capability on cyber operations is significantly increased.

The new cyber-environment which is dominated by artificial intelligence, big data sets, IoT
and quantum computing ( which can decrypt many of the previously "unbreakable" encryption
algorithms) requires a multifaceted strategy. In broad terms, an emphasis needed in the sectors of:

1. Training and Exercise, with the organisation of annual NATO exercise on Cyber Warfare and
courses provided to allies’ civil & critical infrastructures servants (both operational and in
systems protection and security);

2. Doctrines and policies, on the improvement of systems standardisation and development

common cyber-warfare doctrines;

3. Research & Development, via Science for Peace and Security projects, and cooperation with
academia and industry as well, with an emphasis in AI, IoT systems, and Social Engineering
fields;

4. Public Awareness, with an emphasis in targeted groups (sensitive industries, journalists etc);

5. Policies and protocols to prevent human-related vulnerabilities;

6. Establishment of an Allied Cyberspace Command (CYBCOM) to improve READINESS,

INTEROPERABILITY, COMPETENCY and STANDARDIZATION of alliance cyber-defence
units;

6
7. Development of guidelines on IoT networks protection, especially in critical infrastructures.

Conclusion

Nato has a leading role in the new cybersecurity partnership, shaped by technological
challenges as well as disruptive, emerging technologies like IoT, especially in innovation and
development of new solutions, policy-making and with a focus on the protection of critical
infrastructures. Also, a data-based security approach protects the new fuel by malicious actors, like
“thieves” and terrorists. Furthermore, other emerging technologies in material science, networks
and energy will boo the IoT. To protect “oil wells” and our strategic advantages we should
implement innovative technological solutions while increasing awareness and grow a security
culture.

List of References

1. Lewis J.-A., Managing Risk for the Internet of Things, CSIS, Washington DC, 2016

2. Tonin M.. THE INTERNET OF THINGS: PROMISES AND PERILS OF A DISRUPTIVE

TECHNOLOGY, NATO Parliamentary Assembly/STC, 2017

3. STRATEGIC PRINCIPLES FOR SECURING THE INTERNET OF THINGS (IoT), U.S.

Department of Homeland Security, 2016

4. Alexander Klimburg (Ed.), National Cyber Security Framework Manual, NATO CCD COE
Publication, Tallinn 2012

5. Popescu N., Secrieru N., HACKS, LEAKS AND DISRUPTIONS, RUSSIAN CYBER
STRATEGIES, EU ISS, Paris, 2018

6. Fraga-Lamas, P., Fernández-Caramés, T.M., Suárez-Albela, M., Castedo, L., & González-
López, M. (2016). A Review on Internet of Things for Defense and Public Safety.
Sensors.

7. Covington M., Carskadden R., Threat Implications of the Internet of Things, NATO CCD COE
Publications, Tallinn, 2013

7
8. Gazula M., Cyber Warfare Conflict Analysis and Case Studies, Working Paper CISL# 2017-10,
2017

9. Defense Policy and the Internet of Things Disrupting Global Cyber Defenses, Deloitte

10. Mapleston M., The Internet of Things for Munitions Health Management, NATO

11. J. Publication 3-12, Cyberspace Operations, US Chairman of the Joint Chiefs of Staff (2018)