It’s been more than a year since NATO declared cyberspace an operational domain of warfare akin to air, sea and land and while the alliance is still working its way through the practical implications of this pronouncement, behind the scenes leaders have taken a series of steps to fortify NATO’s cyber operations.
The alliance’s initial focus has been primarily on cyber defense; strengthening NATO’s infrastructure and member nations pledging to take concrete steps to harden their systems as well.
The NATO Communications and Information Agency, is also undergoing a major IT modernization effort mainly focused on centralization and virtualization of services.
Since the announcement last year, the alliance is rethinking how it might run cybersecurity operations, Merle Maigre, director of NATO Cooperative Cyber Defense Center of Excellence – a think tank independent of NATO – told reporters in November at the Estonian embassy.
NATO is now developing detailed metrics related to the cyber defense pledge and regularly reporting how each nation delivers on its cyber commitments based on these metrics, Maigre said.
The alliance also announced the establishment of a cyber operations center.
“Cyber is another top priority for NATO, which will be reflected in our updated command structure,” Jens Stoltenberg, secretary general said in early November. “I expect ministers will decide on ways to integrate cyber into all NATO planning and operations. So we can be just as effective in the cyber domain, as we are in air, on land and at sea.”
This cell will more or less advise commanders on how best to achieve an effect for mission accomplishment, Cmdr. Michael Widmann, CCDCOE Strategy Branch Chief, told reporters at the Estonian embassy.
But what does it mean?
While NATO ministers continue to meet, discuss and update their command structure, what does the declaration of cyber mean from a practical perspective? Despite both DoD and NATO declaring cyberspace a domain of warfare, “nobody has defined what that means,” said Alex Crowther, of the National Defense University, said during a presentation at AUSA’s annual conference in October.
Coalition cyber operations are still in their infancy and it is less clear how a block of nations can conduct and coordinate effects in the inherently obfuscating cyberspace domain.
“In NATO, we need to figure out what cyber operations are before we decide what the organizational construct is. We need to decide what precisely cyberspace is as a domain for operations. Additionally, we need to set down what the rules of engagement are because cyberspace is a different and unique domain for operations,” said Brad Bigelow, the chief technical adviser to the CIS/Cyber Defense (Communications Information Systems/CD) staff at the Supreme Headquarters Allied Powers Europe, or SHAPE.
NATO members own their planes, their ships and their cyber capabilities and they can share that with other allies when they wish and deploy them into NATO missions and operations, Maigre added.
This national model – in which one country employs the effect – has been floated by other thinkers as a potential model given the complicating factors that all 29 member nations have their own systems, networks and views on cyberspace. Even within U.S. organizations and agencies, deconflicting their forces so they are not potentially competing against each within cyberspace other is critical.
Another complicating factor is one that plagues the U.S. as well; definitions and redlines. What type of cyber event – many of which fall beneath the threshold of conflict – might trigger the alliance’s collective self-defense provision?
“These are always political decisions,” Marina Kaljurand, the former minister of Foreign Affairs for Estonia said during a March event hosted by the New America Foundation in Washington.
“[The] political level is much, much more complicated. [It] has to take into account all the circumstances…so there has to be consensus among 28 allies,” she said prior to Montenegro joining the alliance bringing it to 29 nations. “Refer to 9/11; one day before that, nobody ever thought that civilian aircraft could trigger Article 5. It did.”
Others are also not so confident the alliance can overcome these obstacles.
“I’m not really confident that we’re going to get there in a credible way because there are so many countries that have to come together and it’s so hard for each country to individually come up with a strategy that clearly articulates what they care about in cyberspace, what is an act of war,” Jacquelyn Schneider, assistant professor in the Center for Naval Warfare Studies, said during a panel at CyCon U.S. in Washington in November.
Developing cyber doctrine
The NATO CCDCOE, while not a formal alliance organization, acts as the custodian of NATO’s cyber policy and doctrine. In this role, it leads this process by scheduling meetings and inviting all the players to the table who are ultimately responsible for writing the doctrine, Widmann said.
Doctrine drafted by nations that participate are then circulated to all 29 member nations to comment on topics as small as punctuation to as large as major themes and non-starters. Initially, Widmann said, the themes centered on defensive cyberspace operations doctrine but now officials are spending more time on an operations doctrine, leaving the door towards things like offense.
Leaders hope to complete the document by the end of 2018, but Widmann said that is an ambitious deadline given national opinions on cyber can change from month to month.
Need for a NATO cyber command?
As NATO looks to bring its cyber operations online some have asked whether that begs the need for NATO to establish its own cyber command.
Siim Alatalu, head of International relations at the CCDCOE, in a paper presentation during the CyCon conference, outlined what a NATO cyber command might look like.
The command’s objective would be to ensure viability of NATO’s technology in the face of threats, send out a signal of deterrence, offer flexible cyber response through détente and deterrence and close the gap between aforementioned procedures such as what constitutes and act of war in cyberspace.
Alatalu said the model for a NATO cyber command could replicate several existing institutions. This means such a command could:
- Replicate that of the NATO special operations headquarters acting as a coordination mechanism between allied nations;
- Replicate the NATO Computer Incident Response Capability, though this is a civilian and not military organ;
- Take a national model using the national cyber commands as a template, though Alatalu noted there is not a one-size-fits-all approach.
Moreover, to get there, Alatalu outlined the means of achieving a NATO cyber command that could include;
- NATO-owned offensive capability financed by the allies as a decentralized structure;
- A clearinghouse for coordination of nationally-owned offensive capabilities;
- Pooling and sharing of operational and tactical cyber defense expertise not for specific operations but to be better prepared in the event something happens.