At Warsaw Security Forum 2023, the roundtable discussion entitled “Enhancing Cyber Resilience in CEE for the Benefit of NATO” culminated with two key recommendations for bolstering cyber resilience in Central and Eastern Europe (CEE), with implications for NATO’s strategic interests.

• First is using the NATO Malware Information Sharing Platform to improve CEE cyber resilience;
• The second one is building up the experience of the Swedish Psychological Agency to better counter the influence operations of adversarial states.

The starting point for the discussion was two advocacy causes drafted in the Warsaw Security Forum Report 2023 which later led to amendments and further developments[i].

Those are:

• Strengthening CEE’s cyber resilience by establishing an organization that uses telemetry on cyber operations against Ukrainian infrastructure;
• Analysing influence operations of adversarial states against CEE countries and creating common standard capabilities for the region.

Regarding the first cause, the group of experts in the report recommended setting up an organization that will aggregate all feeds and telemetry. They argued that different stakeholders collect various telemetry and therefore creating a comprehensive overview is not possible. The organization should focus on bringing benefits for the users and avoiding a situation where the telemetry is misused in circumstances profiting only one contributor. The solution to this problem might come from the experience of other bodies where the entities might participate without sharing information. When it happens twice the stakeholder is no longer invited.

The experts also indicated that there is a problem with collecting coherent telemetry. Allied countries might use different techniques. Moreover, some entities such as CERT EU could not provide sources of their information. The final telemetry depends on what is measured and collected, how and when it is collected, and other factors. The experts were not unanimous in concluding which agency currently has more comprehensive and coherent  telemetry. On one side Ukraine is defending itself from Russian aggression and fighting every day against new malware and attack techniques. On the other side, international IT companies may have more external perspectives and holistic views on the situation in Ukraine. However, this lack of agreement only empowers our advocacy cause to use the organization to increase the effectiveness of data exchange.

The experts also discussed that not all of the telemetry should be shared because it would be too much data to absorb and there is no effective mechanism to give enough feedback from the partners. It must be decided what to share and what kind of sources it will be based on. Therefore, one of the ideas was to limit it only to military targets. Sharing telemetry must be based on a certain level of trust, similar to the trust built at CERT levels and partners must be willing to act on it.

Instead of creating a new organization to use telemetry on cyber operations, the experts recommend expanding and improving existing structures. They indicated that the NATO Malware Information Sharing Platform (MISP), which already facilitates information sharing of the technical characteristics of malware within a trusted community without having to share details of an attack. This platform has so far been resilient against cyberattacks and despite many attempts, Russia was not able to infiltrate it. On many occasions, Moscow wanted to check what NATO and Ukraine knew about Russian capabilities in cyberspace so they could plan their operations better. Therefore, the telemetry must be securely stored and the NATO’s MISP seems to have adequate defenses, being also a platform to analyse data, trends, opportunities and knowledge. Using the NATO MISP is also recommended because members of the Alliance, IT companies and Ukraine are already sharing telemetry through it. A recommendation to improve the utility of the current MISP is to improve data analysis of the telemetry that is being shared through the platform so members can more rapidly absorb that data.

Regarding the second advocacy cause to build standard capabilities for the region against influence operations, the report proposes to create an organization responsible for fighting these kinds of threats. Such an agency has existed in Sweden. The Psychological Defence Agency has been dealing with the harmful influence operations coming from foreign entities but at the same time, it has not addressed the domestic narratives[ii]. It limits its role in the domestic agenda to building resilience, training journalists and politicians as well as advising other states and over 300 institutions.The Agency has already dealt with Islamic campaigns against Sweden that were using fake narratives such as that the Swedes are kidnapping children to turn them into Christians or that gays are pushing Muslims to eat pork.

The historical roots of the Agency are in the time of the Cold War. However current tasks are tailored to the technological development and the new areas of potential disinformation. One of the last projects of the agency is fighting disinformation in the gaming sphere. There are 3 billion gamers all around the world and they are vulnerable to disinformation, radicalisation and harassment. The current regulation of harmful in gaming industry reminds the situation of social media platforms in 2015. The Agency recently collaborated on the publication addressing influence operations on video games platforms[iii].

Currently, social media have some form of regulations which games do not, and there is a need for more attention. There are several vulnerabilities in gaming such as using advanced biometrics that could be exploited by adversary actors. The war in Ukraine demonstrated the risk of using computer games for intelligence purposes. FSB and Russian intelligence have been reaching out to children through games influencing them to take photos of key infrastructure.

Establishing resilience in Central and Eastern Europe (CEE) against influence operations might be more difficult than in Western Europe and the United States due to the lack of strong NGOs. The network of such vibrant organizations that connect people should be established. Therefore, the mechanism to help them and provide training to build capabilities should be introduced. The other problem is also with the trust of the society in the governments as in the CEE region the government was historically often a source of disinformation.

The expert group also agrees that countermeasures against Russian influence operations are needed and should be based on promoting facts and our values through multi-domain channels. Especially helpful could be the meme portals, often more powerful than social media and they are very popular among young people. The French experience of countering Russian narratives in Africa might be useful.

There is also a need to regulate social media as the Ukraine example shows their very slow reaction to eliminate harmful content and the experts warn that what is happening in Ukraine today might happen in other countries in the future. In the EU the effective enforcement of the Digital Service Act could improve the situation.

Experts also stressed that it is important to remember that not only Russia is conducting influence operations but also China and other countries. One of the effective ways of countering such operations is to identify information operations, disclose them and disseminate information about them.

Participants of the roundtable:

• Dominik Swiecicki, Swedish Psychological Defense Agency (Speaker)
• Victor Zhora – Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine (Speaker)
• Illia Vitiuk – Head of the Department of Cyber and Information Security of the Security Service of Ukraine (Speaker)
• Bilyana Lilly – Chair, Democratic Resilience Track, Warsaw Security Forum (Moderator)
• Brigade General Mariusz Chmielewski – Deputy Commander of the Cyber Defense Forces
• Vishal Amin – General Manager (Managing Director) of Security Solutions, Microsoft
• Robert Kośla – EMEA Chief Architect CYBER Modernization & Transformation Microsoft
• Pavel Havlicek – Research Fellow at the Research Centre AMO
• Denys Kolesnyk – Independent Researcher
• Maria Manuela Catrina – Deputy Director, National Cyber Security Directorate
• Alina Urs – Cyber Security Expert at National Cyber Security Directorate
• Duncan Thomson – Europe and Eurasia Regional Director at CRDF Global
• Andrzej Kozłowski – Director of Research Office, Pulaski Foundation
• Monica Sendor – Political-Military Officer US Embassy
• Barry Pavel – vice president and director of the RAND National Security Research Division
• Mark Cozad – Senior International Defense Researcher at RAND Corporation
• Marcin Olender – Public Policy Manager, Google

[i] Central and Eastern Europe as a New Center of Gravity, https://warsawsecurityforum.org/wp-content/uploads/2023/09/WSF2023_raport_20-09_WEB.pdf

[ii] Psychological Defence Agency, https://www.mpf.se/en/

[iii] Malign foreign interference and information influence on video game platforms: Understanding the adversarial playbook, https://www.mpf.se/assets/uploads/2023/10/Malign-foreign-interference-and-information-influence-on-video-game-platforms.pdf