Defending Nato's networks

As the war between Russia and Ukraine rages on, Nato’s importance to global security has seldom been more self-evident. However, today’s increasingly unpredictable security environment presents a series of challenges for the alliance, key among them the issue of resilience – the ability to readily adapt to new circumstances, a core characteristic of military flexibility.

Within the alliance, the Nato Communications and Information Agency (NCI Agency) does considerable work in the collection, processing, exploitation and dissemination of intelligence data and information from a wide range of sources, providing experts and commanders with necessary insights to understand the challenges, vulnerabilities and limitations faced by Nato. By sharing this information and collaborating with organisations across the alliance, the NCI Agency helps improve situational awareness, enhance decision making and builds greater resilience against emerging threats. Within the NCI Agency, the Chief Technology Office heads the organisation’s efforts on boosting resiliency within Nato, leading the agency’s innovation portfolio and ensuring that it stays ahead on top of emerging and disruptive technologies such as cloud computing, zero-trust, intelligence-at-the-edge computing, machine learning and AI.

Building resilience

“Resilience [has been] critical for Nato since its inception,” stresses Antonio Calderon, chief technology officer at the NCI Agency, adding that the very principal of resilience is rooted in Article 3 of the North Atlantic Treaty, Nato’s founding document, “which refers to the capacity to prepare for, resist and respond to eventual disruptions to ensure the continuity of the Alliance’s activities”.

Nato’s resilience agenda extends beyond defence considerations, encompassing civil preparedness, technological innovation and societal cohesion, Calderon explains. “In this sense, we are witnessing an even stronger commitment from all allies to enhance resilience, individually and collectively, to address vulnerabilities in both military and civilian spheres,” he adds. “This has been a central topic in recent Nato summits, reflecting on the alliance’s commitment to adapt to evolving threats.”

The NCI Agency’s work helping Nato build resilience extends across several different fronts. The organisation’s cyber experts operate around the clock to monitor and defend the alliance’s networks, identifying and preventing vulnerabilities while helping to respond, recover and learn from cyber incidents, notes Calderon, adding, “We are evolving our cybersecurity posture into augmenting our cyber resilience.”

As chief technology officer, Calderon and his office support Nato by providing the required technology and interoperable federated architectures to understanding, collecting and analysing data, so it can be shared securely across different systems. This helps decision makers understand the bigger picture, enabling them to make informed decisions faster to help address emerging challenges.

Of course, new emerging threats are more complex and diverse than ever, knowing no borders, which complicates matters. To address these issues, nations cannot work in isolation, and therefore informationsharing and collaboration are essential for building resilience across Nato. Resilience can be an incredibly complex issue given its reliance on a wide variety of actors and stakeholders. Sharing key data between allies can help drive understanding on the issues and the potential solutions at play.

“In this sense, we act as a collaboration enabler, enhancing synergies and cross-collaboration between the military and the civilian world,” explains Calderon, citing the data-driven resilience dashboard developed by the NCI Agency’s Exploiting Data Science and AI team as a practical example, built in conjunction with Nato Allied Command Transformation. The dashboard brings together disparate civil and military data to support resiliencerelated activities under specified scenarios. It provides an overview of some of Nato’s resilience baselines, such as energy, health and transportation, which would aid in planning and provide critical situational awareness during a crisis.

Pulling data from a wide variety of open sources, including national governments, companies, industry regulators and media, the resilience dashboard uses AI and advanced data analytics to consolidate this information and provide insights, in-line with the Nato AI Strategy and its Principles of Responsible Use.

The threat of new technologies

While emerging and disruptive technologies spur on much of the focus on resilience in Nato, they also present beneficial opportunities across all aspects of human life, including in defence, where they have the potential to make armed forces more efficient, costeffective and sustainable. However, they can still represent new threats from both state and non-state actors, and the risk of misuse of these technologies can result in devastating consequences for civilian society and military forces alike.

Calderon’s office is tasked with the mission of ensuring secure adoption of new technologies, balancing their risks with their opportunities. “We have already witnessed the misuse of AI using deep fake technology to undermine trust in our institutions and influence public opinion,” he notes. “From fabricated videos of political figures spreading false narratives and damaging reputations, to the use of automated bots powered by AI to spread disinformation across social media. “We have – thankfully – not yet seen AI being applied to lower the barrier to, for example, develop biological weapons. But, when in the wrong hands, [the] technology might pose a significant risk.”

At the same time, Calderon is quick to highlight the benefits that these technologies can provide. For example, to combat disinformation and misinformation, the NCI Agency is working in close collaboration with the private sector to provide Nato with an information environment assessment capability that will support its ability to understand and counter harmful disinformation. “Ensuring responsible deployment of these technologies is essential to combat these challenges. In this sense, recent government announcements on responsible development and use of AI are promising, but this is a difficult technology to control fully,” he adds.

Defence applications for 5G networks

Of course, resilience isn’t the only issue that Calderon’s office is focused on. Nations across the alliance are investing in infrastructure to implement 5th generation mobile networks, also known as 5G, which has the potential to create vulnerabilities that could be exploited by bad actors.

“As a telecoms engineer, mobile networks technologies are close to my heart,” says Calderon, having previously worked in that part of the civil sector. 5G networks are typically deployed as cellular infrastructure by telecommunications operators under a highly regulated construct, he explains.

However, 5G standards – and their evolutions – have transformative technical characteristics and support usage scenarios that go beyond tradition applications like mobile broadband, permeating into new domains such as private IT infrastructure, critical communications for public emergency and safety services, and so on. This includes defence applications in different contexts, including defence users deploying private 5G systems or making use of public 5G infrastructure. One of the technical features of 5G standards, which cover both the access and the core networks elements, is network slicing, Calderon explains. This feature enables the creation of separate network infrastructure built on the same physical network, through virtualisation of full-blown network functions including mobile network core functions – access infrastructure, mobility management, radio capacity and so on.

This allows mobile network operators to offer totally segregated network services to different users, including critical communications users – such as emergency services and security forces – and potentially military users as well. According to Calderon, at least one Nato nation is implementing a defence slice across national mobile networks to provide in-area – meaning ‘within national territory’ – seamless coverage and mobility services to military users. Of course, this advanced concept requires the implementation of trusted networks by mobile operators and a range of security measures. Other approaches are possible and are being considered by other Nato nations, from private defence networks to hybrid arrangements combining private networks or extensions, along with use of public infrastructure by the military – often referred to as ‘operate through’.

That’s not to say, of course, that the increasing implementation of both public and private 5G infrastructure doesn’t come with its fair share of challenges. As Calderon notes, in the future, this technology will be considered critical to the ongoing function of society, and as such it is essential to ensure access to it – and to implement secure and resilient 5G networks against all potential threats, including supply chain aspects. “Nations are mitigating these risks through the development of policies and strategies in this area, such as the EU toolbox of risk mitigation measures for 5G networks and the recent Nato 5G strategy,” he adds.

The main challenges around 5G in terms of network security and resilience include, as in any digital infrastructure, the fact that vulnerabilities might be related to hardware and software, or deficiencies in the related processes and policies. “These potential vulnerabilities are exacerbated in the case of 5G due to the complexity of its technology and their reliance on software and on network function virtualisation,” Calderon explains, “which in turn can make networks exposed to back doors accessible to equipment vendors or third parties.”

Similarly, additional vulnerabilities might arise from the lack of compliance with 5G standards or the incorrect implementation of said standards, which contribute to single-vendor implementations – “a major security risk”, according to Calderon – with associated supply chain risks.

A non-technical vulnerability stems from the increasing role of services provided by suppliers, Calderon adds. They can be subjected to interference by third countries, particularly in the absence of legislative or democratic safeguards, change of corporate ownership from the supplier, or exposure to supply chain disruptions.

“The topic is complex but fascinating for me and my CTO team,” he says. “Nations are more aware of the cybersecurity risks of 5G networks and the need to make them resilient through the implementation of risk mitigation measures, the promotion of standardisation of network architectures, and the implementation of open interfaces, among other measures.”

Participation in 5G standardisation efforts

While standardisation of mobile standards is not new to 5G, it remains the key success factor that allows for the mass deployment and adoption of mobile services in modern societies since secondgeneration information management and technology (IMT) standards, Calderon explains.

Since 2022, the NCI Agency has been a member of ETSI standard organisation and, as a result, a part of the 3rd Generation Partnership Project (3GPP) – an umbrella term for a number of standards organisations that develop protocols for mobile telecommunications – enabling the agency to participate and observe standardisation efforts in 5G and its evolutions.

With 5G, however, unlike with past generations of mobile standards, the development of IMT standards was performed by industry verticals and new nontraditional actors for the first time – including the transportation industry, emergency services and industrial application users. In particular, Calderon adds, defence users have an outsized interest in influencing 5G standardisation, as future IMT standards – from 5G evolutions to future 6G standard releases – will also be used for defence applications.

However, as defence applications and use cases are considered niche when compared to mass-market civil applications, it is essential that defence users at standardisation bodies ensure that technical features and functional requirements – like SideLink, which allows push-to-talk type of functionality in tactical communications – are pursued in standardisation, and development and implementation by industry.

“Additionally, 5G standardisation and compliance of 5G implementations to standards helps reduce the vulnerabilities of commercial implementations,” notes Calderon. “They enable multi-vendor deployments with controlled interfaces and verification points that allow the use of security controls, monitoring practices and exposure to backdoor risks, especially in the context of public 5G infrastructure.

“The main benefit for defence applications is that the participation in 5G standardisation efforts facilitates the exploitation of their interoperability and their potential for the development and implementation of gap-filling, cost-effective communication capabilities,” he adds. An example of the NCI Agency’s work with 5G is Nato’s 5G exercise run by Allied Command Transformation and Latvia. During the exercise, Calderon says, they demonstrated the use of 5G to provide long distance, low-latency, high throughput and interoperable communication services. These services were used to connect a variety of autonomous devices such as drones and land platforms, seamlessly, over long distances.

Ultimately, this work, alongside the NCI Agency’s efforts to help Nato build digital resilience across its operations, will go a long way towards creating a safer, more collaborative security environment, benefitting civil operations just as much as their counterparts in defence. New and emerging technologies will continue to pose a threat while bringing transformational opportunities to the alliance in the future – it’s crucial, then, Nato is prepared to adapt to meet them both. Thankfully, the NCI Agency is here to ensure just that.