NATO: resilience, deterrence and defence in cyberspace
NATO’s mandate in cyber domain and growing cyber threats; could cyber attacks possibly lead to invocation of Article 5?
Dr. Antonio Missiroli
Assistant Secretary-General for Emerging Security Challenges, NATO
- This article was originally published as part of the 2018 edition of Bled Strategic Times, the official gazzette of the Bled Strategic Forum (BSF) international conference. You can access the full version of this and other BSF publications by visiting our official website.
We live in a brave new world where old activities we were all already familiar with — espionage, sabotage, disinformation, disruption and even subversion — have taken new forms. Cyberspace is both a domain in which most of this happens and, arguably, the main conduit for such activities. As a result, these hostile operations do indeed generate less kinetic violence but profit also from lower entry barriers, wider attack surfaces and less visibility. Their range is vast and their frequency an almost daily occurrence — but not all are of equal importance, not all can be deterred, and not all pose significant threats to national or collective security (although some do). Perpetrators themselves may range from state or state-sponsored groups to criminal organizations, from ‘hacktivists’ to terrorists. And all this occurs in and through a quintessential man-made environment, mostly privately owned (and operated) and only partially governed.
NATO’s mandate in the cyber domain is defensive in nature and built upon two main pillars: protecting NATO networks, and enhancing the level of resilience across the 29 (hopefully soon 30) Allies. Since the initial creation of NATO’s computer incident response capability in 2002, the Alliance’s approach has evolved from addressing cyber defence in primarily technicalterms to viewing it as an integral part of NATO’s strategiccontext — in other words, from information assurance to mission assurance. Allies have also acknowledged that cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability: for NATO, such threshold refers — implicitly or explicitly — to the possible invocation of article 5 of the Washington Treaty. In this vein, cyber defence was recognized at the NATO Summit in Wales in 2014 as part of NATO’s core task of collective defence. On the occasion, Allies also affirmed that international law applies in cyberspace — a principle that was reflected also in the 2013 Report of the UN Group of Governmental Experts (UNGGE) and further articulated in the two iterations (2013 and 2017) of the so-called ‘Tallinn Manual’ prepared under the aegis of NATO’s cooperative Cyber Defence Centre of Excellence (CCD COE) in Estonia, an autonomous military organization accredited by the Alliance.
In an effort to bolster nationalresilience, Allies adopted a so-called Cyber Defence Pledge at the 2016 NATO summit in Warsaw. Since then, the Pledge has demonstrated its value as a tool to attract strategic-level attention and promote investment (financial, human and political) in cyber defence, raising awareness that the Alliance is only as strong as its weakest link. Allies have recently self-assessed their efforts to implement the Pledge, and a first progress report was presented to the NATO Summit held in Brussels on 11–12 July last. What is already apparent is that virtually every nation has upgraded its cyber defence capabilities over the past couple of years, with a tangible multiplier effect across the Alliance, although additional efforts need to be made in terms of recruitment and retention, training and education, and cyber threat intelligence. It is encouraging to see how much progress Slovenia has made in regard to putting cyber defence on a sound policy footing, for example through ongoing efforts to update the legal framework around cyber security, which will unlock additional resources to improve existing national cyber defence capabilities.
Cyber defence is indeed unconventional in nature, with countries employing different approaches for how they organize themselves to address the issue; yet it is now an integral part of a broader cumulative endeavor to bolster collectiveresilience against equally unconventional threats, most of which are situated — at least so far — below the article 5 threshold but can also easily be(come) constitutive elements of more comprehensive and systematic ‘hybrid’ campaigns.
The Warsaw Summit also brought recognition of cyberspace as a specific domain of military operations where NATO must be able to defend itself as effectively as it does in the air, at sea and on land.As part of a three-year roadmap to implement this decision, the Alliance is looking into (and developing further) how it thinks, trains, equips and collaborates in cyberspace. To support this work, NATO Defence Ministers agreed in November 2017 to a set of principles that would guide the integration of the full spectrum of ‘effects’ generated by national cyber capabilities for mission assurance purposes (mostly through embedded liaison officers), as allied forces and militaries are not immune to cyber risks and increasingly rely on cyberspace to carry out their mandate. This does not and will not change the overall defensiveposture of the Alliance, which is also the most effective way to deter potential aggressors.
In cyberspace, just like in the other domains, NATO relies on Allies to provide capabilities for its military operations and missions. Last February, as part of broader efforts to ensure the NATO Command Structure is fit for purpose, Defence Ministers endorsed the creation of a Cyber Operations Centre (CyOC) in Belgium. This centre, which is currently being set up, will help integrate cyber aspects into NATO planning and operations. For its part, the Tallinn-based CCD COE keeps fostering research and education, capacity-building, cooperation and information-sharing among 17 NATO members and a range of partners.
As an alliance of sovereign states, NATO is not expected to do attribution, which remains a national prerogative and represents an intrinsically complex operation. However, consultation and concertation among Allies — and beyond — in these matters is already a fact, and expressions of collective solidarity to a stricken country a strong possibility. In late May, within the G7 framework, some NATO Allies have also agreed to ‘impose consequences’ on perpetrators.
NATO does not produce or promote norms either, although it acts in conformity with international law, follows the principles of restraint, proportionality and cooperation, and supports the diplomatic efforts underway in the UN and OSCE. While the prospects for agreeing at multilateral level on new international norms appear challenging in the current international climate, work should continue to implement those norms of responsible state behaviour that have already been agreed in previous UN GGE reports, and to impose consequences on behaviour that is deemed unacceptable.
In fact, cyber defence is a quintessential team sport, and the Alliance recognizes that it cannot go it alone in cyberspace: partnerships are instrumental for strengthening resilience and deterrence. Cyber defence partnerships — including with like-minded countries, international organizations (starting with the European Union, with which a Technical Arrangement was signed in February 2016) as well as industry and academia — constitute an important part of NATO’s approach to cooperative security, in full awareness that 21stcentury frontiers and fortresses are no longer what they used to be.