NATO and Strategic Cyber Capabilities

NATO Defense Ministers meeting as the North Atlantic Council, March 10, 2011.

From Jason Healey, the New AtlanticistNATO must transform itself in order to deal with cyber threats and opportunities.  Although currently on a strong course with a new cyber strategy, recently approved by the national defense ministers, the Alliance still has a long way yet to go. NATO should for now continue to stick to a basic recipe of implementing the new strategy to get defense right, rather than being distracted by new missions such as offensive cyber operations.

Just as NATO must focus on current military operations in Afghanistan, Libya, and off Somalia, it should also keep its eyes on the current cyber fight. Cyber may one day be a weapon of mass disruption, but NATO should first improve basic defenses to fight today’s fight, not worry about tomorrow’s.  And today’s cyber fight is not one of massive, disruptive attacks on national infrastructure, but a more insidious threat: the continuous theft of defense information through cyber espionage. . . .

Critically, the NATO Computer Incident Response Capability must continue to improve and expand their mission to monitor systems and respond to incidents for all NATO headquarters and agencies, whether military or civilian. Amazingly, some non-technical aspects of incident response happen at NATO headquarters, in the cyber office of the Emerging Threats division. The NCIRC, which should handle response, is staffed solely with computer security specialists who are not trained to reach out to police or others. The Department of Defense recognized and largely solved this issue way back in 1998, after the SOLAR SUNRISE incident, so there is no reason why NATO should need to relearn old lessons.

Fortunately, the strategy’s most noteworthy strengths are that is focuses on overall policy, rather than technology, and keeps the focus on actions that NATO must perform, rather than seeking new missions for the Alliance. This very reasonable start must be followed up by execution of the plan itself, for which an action plan is now being drawn up in NATO headquarters. . . .

For NATO to prioritize offensive cyber capabilities now would be folly, especially in the face of its own vulnerability. Indeed, NATO cannot win its next war with offensive cyber capabilities but it could lose that war unless it improves its defenses. 

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. This blog post is adapted from comments given at a panel on NATO strategic capabilities, organized by the Security and Defense Agenda in Brussels in June 2011.

Image: ap%203%2021%2011%20North%20Atlantic%20Council%20meeting.jpg