NATO looking to bolster data security as leaders gather in Washington
Members of NATO and the commercial sector need to enhance cooperation to improve data security, senior officials suggested Monday on the eve of the alliance’s summit in Washington.
The summit, which kicks off Tuesday, is expected to include discussions and potentially major announcements about the road ahead for digital capabilities
Gen. Chris Badia, NATO’s deputy supreme allied commander transformation, noted that the transatlantic partners need to plan for warfighting in five domains — air, land, sea, space and cyber. However, cyber capability is “not at the level it should be,” he said at the FP Security Forum on Monday.
“You have to have dominance in three major steps. First of all, you need … information dominance. If you have information dominance, then you get into the decision dominance. And once you have that, then you have engagement dominance overall. So really, the first question is: What do you need for new technology when you go into information dominance? And then … it comes into space and it comes into cyber,” he said. “It’s assured access to space and it’s data security. This is what we are after, this is [where] you have to invest. And this is where we need to come closer a lot more and cooperate much more. So those are the systems we’re looking for.”
One way that NATO is trying to bolster its capabilities is through the Defense Innovation Accelerator for the North Atlantic (DIANA) initiative, which launched last year to help find and accelerate dual-use technologies that could address contemporary and emerging security challenges.
DIANA is currently accepting applications from startups and other organizations for its second cohort. One of the five “challenge areas” is data and information.
“One of the challenges last year and this year includes data security and interoperability because we want to get really sort of the bright engineers and scientists and entrepreneurs that can have ideas that they can put forward that have an impact, not only in defense and security but also the commercial area … These are areas that are just as important in the commercial realm for information security as it is for the military security. So the ideas that can come forward here, we need to not only be able to elicit it from the human capital across the NATO alliance but then to also be able to accelerate its development, accelerate the business itself so that we can get these solutions out into the market and out into use for NATO allies. So this is a very, very important area,” Barbara McQuiston, chair of the DIANA board of directors, said at the FP Security Forum.
Across the alliance, officials are looking for defensive cyber tools amid digital transformation, she noted.
“We’re more and more reliant on the data and on the capabilities that we need to have in the field and at the edge of where we operate. So this is something that is a large theme of all the activities, touches on NATO across the board, but being able to have the dual-use technology come in and very quickly play a role and very quickly be able to give you capabilities in the field, and also be able to accelerate these ideas as we need them to keep at the pace of change and adoption that’s needed for secure defense,” McQuiston said.
“In many ways, we’re looking at information security and interoperability across the alliance, and also looking at zero-trust systems and a lot of the security implications that defense and security think about when they’re putting things in the field and information in the field, with AI technologies, sort of making sure that we can have a robust system that’s defendable even with different and new attack surfaces,” she added.
Zero trust is a cybersecurity framework that assumes networks have already been penetrated by adversaries, and therefore organizations need tools to constantly monitor and authenticate users and their devices as they move through a network. The U.S. Defense Department is aiming to meet its own target levels for zero trust by the end of fiscal 2027.
Meanwhile, artificial intelligence-enabled cyberattack capabilities are a growing concern for NATO countries worried about defending their networks.
Tom Burt, corporate vice president for customer security and trust at Microsoft, said U.S. companies working on AI are keeping an eye on potential adversaries that might look to exploit these types of technologies.
Currently, nations such as Russia and China appear to be using AI more for their disinformation operations than network attacks, he suggested at Monday’s forum.
However, “in the longer run, we have to be very vigilant for what we’re seeing our adversaries do and be prepared to work with governments on how we respond to that, to minimize the risks,” Burt added.
In the future, AI technologies will likely provide more of an advantage to defenders than attackers when it comes to cyber, Burt said, noting the large amount of private sector investment going into artificial intelligence.
“I have this great confidence that in the intermediate term … that AI is going to provide cybersecurity defenders with an asymmetric advantage over our attackers. And there’s several reasons for that. The first reason is to do AI, you need the world’s best data scientists, and the private sector … we have that. The second thing is unbelievable financial resources. So Microsoft is committing more than $12 billion every quarter to building the data centers with the GPUs that we need around the world to both train and operate these AI models. And … our competitors are making similar investments,” he said. “It’s coming from companies that have great financial resources. When you think about that, and you think about the ability of the cybercrime syndicates or even most of the world’s governments, they can’t compete with the need to build those systems, which they require to be able to do the work that they’re going to want to do to counter the defenses we can build. So that gives us a significant advantage. And it takes the number of even governments that you have to be thoughtful about in this area down to a small number.”
A third factor is that large companies like Microsoft are already working with large data sets and receiving trillions of “signals” from end-user devices, cloud services and everything in between, Burt said.
“That is a unique data set that we can train defensive AI models against. And we’ve seen that be successful in Ukraine with our Defender for Endpoint, identifying Russian wiper malware and blocking it — not because we had a signature, not because we’d seen it before, because the algorithm said, ‘Wait, this code is up to no good.’ We’re going to be able to build more sophisticated algorithms that are going to look at that stream of data and see adversary activity before it impacts customers and block it. I’m confident that that’s going to be a capability. I know our teams are working on those capabilities now. And I’m confident that in that three-to-seven-year time frame, if we don’t create a significant asymmetric advantage, we won’t have done our job,” he said.
