“I mean, it's pretty obvious where China's going,” Ambassador Joe DeTrani told The Cipher Brief in the State Secrets podcast. “that's going to be the competition between the autocracies and the democracies of the world. I think that's where we're going.”
Ambassador DeTrani isn’t the only one interested in where China’s going. The Cipher Brief spoke recently with NATO Assistant Secretary General for Intelligence and Security David Cattler about the alliance’s interest in Beijing’s global ambitions.
“China's rise presents a strategic challenge to the international rules-based system,” said Cattler. So why is NATO interested in China well beyond its alleged support to Russia in the Ukraine war?
“The reason is first, of course, that we're a regional political military alliance that has global interests,” said Cattler. “And the second reason is that there are some actors and some issues - and cyber is a good one to raise as an example - that have global reach. We have to have a 360-degree approach.”
NATO’s Intelligence interest in Beijing was just one of the issues The Cipher Brief talked about at NATO Headquarters in Brussels as we dug in on the challenge of coordinating intelligence collected from 30 different nations and more than 75 intelligence and security services and then synthesized into information that can be shared.
We also wanted to know how the urgency around that mission has been impacted by the war in Ukraine, which Cattler describes as the greatest challenge the alliance has ever faced. This condensed version of our interview has been edited for length and clarity.
THE INTERVIEW
The Cipher Brief sat down with NATO Assistant Secretary General for Intelligence and Security David Cattler at NATO Headquarters in Brussels
The Cipher Brief: How has the Russian invasion of Ukraine brought more of a focus and urgency to your Intelligence and security role?
Cattler: It's really shown that both intelligence and security have a very high priority and should have a very high priority. I'd tell you from a security perspective first. It's hard to see how you think that you can take better decisions if you can't protect those decisions and the debate because you want to have a decision advantage. You want to be able to move and act and keep that to yourself, to have that power in the delivery. From an intelligence perspective, I argue central to good decision-making, is excellent intelligence so to really understand the situation, to have those insights from an intelligence perspective and to have an intelligence-driven forecast as well. I feel like we have demonstrated the value to a point where our stock has never been higher within this system than it is right now.
The Cipher Brief: How do you manage intelligence collection among so many member nations?
Cattler: This is a really complex part of the job. If you were to consider that I'm the head of an intelligence or security service, I don't have my own organic intelligence collection capability. I have some open source resources. I have access to the nations. They do obviously have collection capability, but most of what I'm receiving is actually their judgments, their views on certain issues.
NATO does have some of its own organic military collection though. We have the NATO AWACS program and we have the NATO AGS, so think UAVs, the five UAVs that are radar capable, and allies will contribute, but the key thing people need to understand is that, from my perspective as the assistant secretary general, I have nothing that the nations don't choose to provide. I need their people. I need their expertise for intelligence and security, and I need their information, and that's why one of my key points is that the trust has to be very, very high and has to be very close, or I might not get all the necessary people and information to do the things we need to do.
It pays to be a Subscriber+Member with exclusive access to virtual briefings with leading experts and top officials in the national security and intelligence space.
The Cipher Brief: With the war in Ukraine, is there a need for additional collection assets for NATO?
Cattler: What you see [in Ukraine] is the use of the NATO military intelligence collection assets, but something you've left unsaid are the nations' contributions to the Supreme Allied Commander Europe's (SACEUR)operations that support his strategic campaign to deliver on the mission that he has in this case, which is to ensure the safety, security and the defense of every square inch of NATO territory. What he's doing there is a defensive mission to reinforce the Eastern Flank, and a key piece of that is in fact, improved intelligence surveillance and reconnaissance capability. He will draw on resources the nations have contributed either in advance in the form of the Airborne Warning and Control System (AWACS). The Allied Ground Surveillance system (AGS) has also been used to support those requirements.
Think about our five UAVs that have radar sensors on them. He's drawing on an even greater quantity of allied contributions in the form of their own ISR [Intelligence, Surveillance, Reconnaissance]take from national missions, and he's also drawing on the resources of the nations as they contribute platforms, processing exploitation, dissemination capability also to the alliance to be used in a coalition, in an alliance frame. There are 40,000 more troops now under SACEUR's command than there were a year ago, and a large part of that in fact, was this reinforcement. There's more air policing. There are a greater number of battle groups and there are more intelligence and surveillance and reconnaissance assets available. We are also thinking long-term about what all this means. We will hopefully soon have two new NATO members in Finland and Sweden, which will fundamentally change the NATO geography when you look everywhere from the high north to the Baltic Sea, very much making the Baltics and the Baltic Sea more of a NATO area frankly, in a way it might not have been before that. We're also then thinking about the way in which the alliance adapts. You can see a lot of this in the results of the Madrid Summit, in the communiqué and the political and military decisions that nations' leaders agreed to there and also in the new strategic concept that charts the course essentially for NATO for the next 10 years at the strategic level.
The Cipher Brief: Henry Kissinger said not long ago, that the Russian invasion of Ukraine is reason enough for Ukraine to be accepted as a member of NATO. Understanding that you're not managing policy here, how would allowing Ukraine in as a member of NATO - while the conflict is still going on - change the NATO footprint in terms of its ability to gather intelligence?
Cattler: Whether nations join is a two-part decision. Nations apply for membership, and the members who are currently the 30, then also take a collective decision about membership. NATO allies have agreed in the past in Bucharest at the Bucharest Summit, and then also reinforced this past December, that an open-door policy still holds, which means that new members may join, again, if those two conditions are met, and that the door is still open for Ukraine. The initial commitment, if I take it out of the stock political language, was it's not a question of 'if', it's a matter of 'when', but again, those two conditions have to be met.
The alliance has very clearly communicated that what's most important right now, is to support Ukraine, to ensure that they have what they need to defend themselves and to prevail on the battlefield to restore both their territorial integrity and their sovereignty. That's what the alliance is focused on now. We have had a longstanding relationship with the Ukrainians really in many dimensions, cyber, intelligence and security, military training, humanitarian assistance, economic assistance and so on going all the way back at least until 2014, and I think that's really paid off. It certainly has made it easier for them to assimilate western weapons and tactics from having had so much cooperative training in recent years.
It would change quite a bit actually. If Ukraine were a member, the alliance geography again changes. We already have allies and partners. Ukraine is one of them on the Black Sea but we have Bulgaria and Romania. We have Turkey. We also have Georgia. NATO has been constructively and positively engaged in the Black Sea region for quite a long time, and the Black Sea is no less important to alliance security than are any of the other regions that we care about. When we say we look at 360 degrees, the Black Sea does have significant importance. But again, that's why the Secretary General and the nations have expressed that Ukraine has to prevail, and then they'll have the further discussion about what the future might hold in terms of membership.
The Cipher Brief: Russia is very capable when it comes to cyber activities, and Ukraine has always been an unfortunate test bed for those capabilities. NATO has invested considerably in cyber over the last couple of years. How does that impact what you're doing on the intelligence side?
Cattler: A great deal. First, if I talk about the strategic requirements, the alliance has stated publicly that a cyberattack could also be a cause for an ally to submit an Article 5 request under the Washington Treaty, to ask for allied support in their defense. No ally has done so, but you have seen allies that have come under cyberattack and even some partners that have come under cyberattack that have then caused or have warranted a statement from the North Atlantic Council on behalf of the alliance to the public, to the aggressor in some cases when attribution has been there, to put out a statement of concern and to talk about action that has been taken or will be taken, so [we have] a tremendous focus on cyber at least for that reason.
We also understand that cyber is a key operational domain, and the alliance agreed several years ago contemporaneously with this decision that a cyberattack could trigger an Article 5. They also recognize that cyber and space were new operational domains for the alliance that we needed to understand to be able to perform and to defend and operate and then, correspondingly, put a tremendous amount of effort in on our knowledge, education and training for the alliance, for the headquarters' environment, for the commands and then also to help allies receive information from allies and to help allies and partners then, by extension.
The case of the Russian activity is a very interesting one. I'm sure you know there's been a lively debate about did they or didn't they use cyber in this war? I tend to be in the camp that they did use cyber. They used cyber throughout the previous several years, and that's why in fact, many allies and the alliance as a whole decided to provide the Ukrainians with additional training and capability. That's been reinforced and enhanced. We continue to conduct exercises with them to help with threat signatures to better defend themselves, reconstitute and move forward.
There were cyberattacks on Ukraine even in the prelude to the war. Direct denial-of-service attacks, taking the KA-SAT network offline in Ukraine that the government and the military relied on for assured communications for command and control but overall, we did not see a bigger or a more robust cyber shock-and-awe campaign, and it would seem that the Russians have not been fully able to link cyber effects to tangible hard military effects on the ground. This is an area that is going to be really ripe for further lessons-learned and analysis both open and closed, in the future.
The Cipher Brief: Let's talk about open source intelligence. What are you finding as director of intelligence here at NATO, in terms of how to use open source intelligence, and how are you thinking forward about how that might improve the overall intelligence picture?
Cattler: Open source has tremendous value, but it has to be used responsibly and, as I say as an 'old-school person' in that view, we have to be very careful. If I have a video or an image, how much confidence can I have that it is legitimate? Is it what it is purported to be? Where was it taken and when it is purported to have been done? I'm hesitant to fully rely on open source, and I'm also then correspondingly, very careful to caveat. If that's all I have, I'm going to be very clear that I can't confirm or I don't have other means to confirm. But if I'm more confident with the sourcing, the context, the consistency, the narrative, it does make it contextually more useful.
This war in particular, has really shown the tremendous value of open source because there are an incredible quantity of highly valuable people out there not just reporting firsthand, and here I mean people that are looking into open source techniques to track aircraft, to look at results of combat operations on the ground, at sea, in the air. But I would tell you I've also found firsthand narratives where people report for themselves about their forced deportation, about torture, about other maltreatment as they have made their way out of either Ukraine or Russia in the case of their forced deportation or kidnapping. That's pretty powerful. Especially when it can be confirmed that they are who they say they are and they did have that experience. Having that is really useful.
It's also useful to have a range of classification of the material because, in this job, I'll have some public-facing engagement, private engagements with the services here or in the capital of the nations and I'll have to brief the North Atlantic Council and the military committee and to have things that are classified and unclassified gives me more flexibility to adapt to the various environments and to be able to convey with confidence this is what's going on.
As I said, the alliance doesn't often have its own collection capability, but we are looking as well into open source capabilities for the ingest of relevant material. It's processing, linking things like artificial intelligence and machine learning to that to both better enable workflows, so perhaps to try to take things that computers can help us do better to determine the legitimacy of something or to better help us identify what we should look at and we shouldn't look at, and also to just simply process this tremendous volume of information that's available. These are things that will mature in the coming years.
The Cipher Brief: How are some of the member countries thinking about open source and artificial intelligence?
Cattler: There are two primary lenses: one is the idea of emerging and disruptive technologies, especially artificial intelligence, machine learning and all of those capabilities, because the alliance needs to understand from a defensive perspective what does that future hold, how can that be adapted, how might that be weaponized as well, what are the rules of the road, what are the ethics, what are the standards, how would potential adversaries or challengers behave with these technologies, how should we think of that, and where would the technology potentially go, and then we also have to consider how does the alliance use those technologies and capabilities for itself?
Within my business, we have a very active discussion with allies and with the services about the proper role and utility of open source intelligence and how we can work together as a team, how we can work together as an alliance to position ourselves. Some will contribute open source intelligence. Others don't. Some will share tools and techniques. Some don't or don't have them or they're working on them, but there's a good team effort there, and then there are two things finally I'd highlight to you that the alliance also just agreed in Madrid that I think are relevant here. One is the idea of a network called DIANA. That is a defense innovation accelerator that the allies have agreed to in which there will be cooperation on technology innovation and on its operationalization, the research and development and the fielding.
In fact, the first chair of this is actually coming from the Pentagon. He's an American on the board for this work, and that's a huge thing, and then, relatedly, allies have also agreed to a trust fund that is essentially for investment in these areas. There'd be a lot of connection and synergy between DIANA as a network, a concept and the investment fund, this trust fund, so that, as they see we're together as a group of 30 or hopefully soon 32, it would be wise to make a cooperative investment. They'll have the resources to be able to do that, and AI and other related fields will be a piece of that.
The Cipher Brief: your biggest challenges and opportunities in 2023 will be what?
Cattler: The first one is the war. Although NATO was not a combatant, a participant in the war, we are supporting Ukraine. There is a tremendous amount of demand and focus on that, and Ukraine must prevail, so we have a huge effort and focus there. I think, operationally, that's one of the biggest things.
We're constantly working on security and improving it and adapting because the threat environment is not getting any easier. We've already mentioned cyber a few times, but cyber-related espionage is a big concern. Even traditional security threats are things that we also are very, very mindful of and work as a group to try to deal with, and that's something else in 2023 we need to be sure that we're... If I use NATO terms for a second, are we modernized and fit for purpose? Are we fully adapted to that threat landscape? Are we anticipating properly and positioning ourselves?
From an intelligence perspective, I'm also focused on preparing for the summit because NATO will have the summit in 2023 in Vilnius in July. Not to presuppose what the final agenda will be, but I think it's fairly obvious that there'll be a large discussion about where we stand post-Madrid from 2022, especially the things about support to Ukraine, issues related to Eastern Flank reinforcement force, posture changes potentially, command and control changes and so on, and we also have related very-high priority, and allies have agreed in the strategic concept that Russia and terrorism are the top two threats and adversaries. We also said that China's rise presents a strategic challenge to the international rules-based system.
It's not just for the President anymore. Are you getting your daily national security briefing? Subscriber+Members have exclusive access to the Open Source Collection Daily Brief, keeping you up to date on global events impacting national security. It pays to be a Subscriber+Member.
The Cipher Brief: You mentioned cyber espionage. How are you thinking about the impact of changing technologies on cyber espionage both from an offensive and a defensive perspective?
Cattler: My bottomline judgment is that the attackers still have a big advantage over the defender, and we have to be very savvy to appreciate that we, from a defensive perspective, first have to consider that networks need to be secure, yes, and we have to understand that we need better security because we may have a penetration. You have to have the right internal compartmentalization and control so that that can't cause you a cascading series of failures. In the industry, they talk about this zero-trust kind of mindset. That's what I'm getting at.
The second thing from a defensive perspective, is that we have to be very mindful that security is not something you add last. Security is something that you live and breathe, and when you take on a new initiative, we do what we call 'security by design', meaning security is a factor right from the very beginning in cybersecurity. No exception. We put a lot of emphasis on the notion that cybersecurity is not an island unto itself. Cybersecurity is a key pillar under a security umbrella. When I think about things like insider threat management, physical security and cybersecurity, I'm thinking about them as interrelated disciplines that are mutually supportive.
I don't operate alone. The security team here, the office of security does not operate alone for cybersecurity. We have a chief information officer. We have a NATO communications information agency that builds and operates networks for the alliance and so on. It is very much a distributed team effort in which we all have key roles to play.
Just to get to the offense briefly, too, I think we've seen some really notable adaptations though, too, a whole lot more ransomware in 2022, and what I've seen where industry projects for '23, I think, that's at least likely to continue, if not rise. You've seen more governments and governmental actors, municipal all the way to federal level or equivalent have also come under ransomware attack. You see this interesting blend then of commercial activity, if you will, plus hostile state actor, more use by state actors and non-state actors in that, some exchange of code, some learning going on there. To bridge back also to your point about EDTs, I think one of the thing that worries me is the use of AI, deep fakes, machine learning to do human engineering in order to break into networks.
I also just read a very interesting article about using AI to actually write the code for malware even though it's not supposed to be allowed, these articles I'm reading have indicated that people have found a way to get around it and, apparently, the AI was quite good not just at writing the code itself, but also at generating a script for a scenario of how would I socially engineer my conversation via email or via voice with the target to get the access from my tool to be deployed. I think that's going to be very, very challenging to try to anticipate and stay ahead of.
Read more expert-driven national security insights, perspectives and analysis in The Cipher Brief
