Gaining illicit access, via digital means, to purposefully guarded information has long been a distracting subject for movie directors. Films from 1983’s War Games, to the oh-so-’90s Hackers as well as the initial Matrix trilogy, have won over audiences. It’s not hard to understand why. Such movies glamorise the high-stakes nature of hacking and cybersecurity. Not only is digital security centrally important to militaries, governments and the future of humanity but it also comes with an overlap of Hollywood sexiness and technological possibility as well. Away from the big screen, however, and the present reality of cybersecurity and digital espionage can be much more prosaic. Despite the Hollywood treatment making the details of hacking seem rarefied, cyber espionage, at least in the fraught world of global geopolitics and military machinations, is not uncommon. Since the first recorded ‘hack’ – in the mid-1980s a German hacking group gained access to US military computer systems, selling acquired information to the Soviet KGB – this type of digital subterfuge has exploded. In 2019, according to Council of Foreign Relations data, there were 76 state-sponsored cyber operations. More recently, Russia has phished European entities to get information about Ukrainian government operations.
At the same time, its security agencies have used malware to gain access to private sector and state computers across the US and European Union. Both successful and unsuccessful breaches of cybersecurity defences are hardly Matrix-like, too. Earlier this year, news headlines charted a German security breach after a military official dialled into a call from an insecure landline. High stakes? Certainly. High tech? At least not to outside eyes.
Indeed, as first publicised via Russian media, the world’s largest country was able to access a meeting in which German military officers discussed sending ‘bridge-busting’ Taurus missiles to Ukraine, after an official logged into a WebEx call from a non-secure Singaporean hotel line. But despite the seeming banality of the hack, follow-on consequences have been of blockbuster proportion. In Germany, the breach reignited a politically divisive domestic debate about sending such weapons eastwards, as well as sparking recriminations around digital security and protocols around sensitive communication. One German minister called for en masse retraining in protected communications. Another information security expert simply told Politico: “Somebody was sloppy.”
Security, not sloppiness
It’s within the remit of Jean-Paul Massart, chief at Nato Digital Workplace Centre and Nato Communications and Information Agency (NCI Agency), to ensure that any so-called ‘sloppiness’ doesn’t impact the security of digital communication within the 32-country military and political alliance. As head of the Nato’s internal data and technology agency, he is responsible for every aspect of Nato’s digital structure: from ensuring access to digital tools for seamless workplace operations to overseeing ongoing digital transformation as well as cybersecurity. Massert’s team help make good on the latter part of his remit, digital security, by forging the right vendor partnerships but also by devising appropriate guiding standards and digital security classifications. Indeed, such standards are used to dictate protocol on calls that might involve discussion around information as sensitive as that on the now infamous German Taurus missile mishap. As Massart explains, protocols, as well as any incumbent checks and balances, being adhered to are critical to ensure no unwanted third parties can access specific digital communications. Such checks can be surprisingly simple, he adds, ranging from asking the identity of call participants to finding ways to communicate offline where appropriate. “Sometimes we take communication off the internet and we monitor networks for any suspicious activity,” he says. “But when a call is very important, members of my technical team sit in and if they notice anything [suspicious] they can shut them off the call.” Massart brings this type of, admittedly rudimentary, but nonetheless, effective check to life on our own WebEx chat: asking who I am and where I’m dialling in from. With no blanked-out video mosaics or unexpected participants on our screen, we’re free to chat. “It’s very important we know who is on a call,” he adds.
Massart continues that checks such as these only need to happen on the most classified of communications. Between officials discussing potential weapons transfers; probably, yes. But hardly useful for pre-agreed conversations with journalists, where information will enter the public realm thereafter. With his internal agency also tasked with contributing to Nato’s strategic prowess, digital security also has to be designed so as not to impinge on organisational needs. Here, a hierarchy of security classifications, alongside a clear view of the nature of intended communication helps Massart’s team decide on the appropriate digital security tack. “Our classifications go from public-facing all the way to secret,” he explains. “We don’t use expensive systems or create an air gap [taking comms offline] if the conversation is administrative, so we have built a digital toolbox to satisfy different scenarios.”
Cybersecurity in concert
Critically, as Nato is an international alliance, Massart explains that standards around digital security and application need multi-party in-concert agreement in order to ensure interoperability and effectiveness. “All [Nato] nations need to buy in,” he adds, noting that while military leaders might not care about which specific system is used, they will care about its utility, such as the ability to have live translation or seeing the right number of faces on the screen. And, of course, security. To ensure such effectiveness, Nato works in partnership with vendors to deliver the security and utility it needs, as well as mitigating risk by working with many suppliers and then having in-house solutions.
“We work with industry suppliers to get past problems, such as only having 25 mosaics on a video call,” he adds, noting that for the mission-critical, and, as he describes, “secret” communication, sometimes the technology marketplace just won’t cut it. “[For highly classified calls] I cannot use cloud-based systems available only on the internet,” he explains. “Here, the only way we can secure our systems and guarantee they won’t be connected to is to go properly offline for that extra layer of security.”
Indeed, Massart’s Nato protocols dictate that for calls such as the German incident, it would only be secure if they had members of a security team dialled-in or participants didn’t use the internet at all. “We sometimes create ‘air gaps’ which allows communication between us but still uses telecom provider lines without technically being connected to the internet,” he says. However, as he emphasises, such an approach isn’t always viable. With the alliance currently undergoing an organisational cultural shift to further democratise access to information, it’s hardly likely the need for communication, and the incumbent digital risk, can be minimised. As Massart admits, this creates a constant security risk. “We want to share more information internally to deliver superiority [in performance] via information awareness… but this has created an interesting problem,” he adds.
An age of risk
However, it’s Massart’s view that in an age that is increasingly digital-first, security risks will inevitably exist. He notes the growing threat of criminal and state-sponsored cyber espionage and hacking as well as its growing sophistication, backdropped by an increasingly fractious geopolitics. “As we increase our reliance on digital technology in a more interconnected world, we’re at the same time exposing ourselves more than without it,” he explains. “That comes with its own challenges.” These are not challenges that Massart and his team are likely to shrink from. His agency was conceived during the pandemic, a time when every organisation, not just military alliances, were struggling with a digital transition. “It was a brutal transition,” he says.
Indeed, he describes how an alliance whose strength was fostered by effective in-person communication (built around specific protocols and guidelines) needed this to be translated to a digital realm during the first days of the pandemic: speedily, at scale and securely. This meant attention to details such as how to replicate formal meetings, how to create platforms where it was obvious who was call leader and designing roundtable settings for senior leaders to communicate effectively online. And, by the time Russia invaded Ukraine, Nato’s digital communication had increased by 1,000% since February 2020. “Capitals needed to talk to each other without being physically present in Brussels while maintaining all security precautions. Our challenge was to protect that security,” he says.
It’s the responsibility of security that Massart takes seriously, noting the role of his in-house cybersecurity teams in this. As he says: “They’re going to be using my services.” Of course, it’s not just the services themselves that are important, but how they’re used – especially by senior officials in classified calls. While it is such high-profile individuals, and high-stakes decisions, that will obviously get the most attention if this goes wrong, it’s the protocols and digital solutions behind them that will then come into question too. As Massart sees it, the pressure is on. “We have to withstand anything that comes at us,” he concludes. While, for many, Massart’s operations are largely ‘behind-the-scenes’, it’s an all-ornothing sign-off a movie director would be proud of.
