Over the last decade, there has been a continuing advancement of the cyber threat in both depth and breadth with the expansion of exploitation, disruption, and destruction activities. In an Internet-connected, net-centric world, military networks and key supporting critical infrastructures are now at significant risk from cyber intrusion. As Admiral Michael Rogers, head of Cyber Command, has testified:
Digital tools in cyberspace give adversaries cheap and ready means of doing something that until recently only one or two states could afford to do: that is, to reach beyond the battlefield capabilities of the U.S. military. They have demonstrated the capacity to hold “at risk” our military and even civilian infrastructure. In lay terms, that means that decades of military investment is now imperiled, because as Secretary Carter says, our forces depend on the functioning of our military networks and combat systems, without which they, and we, are far less effective in all domains.
What is true for the United States is equally, and even more, true for other NATO nations. The risks are widespread and substantial….
NATO currently recognizes cyber-attack as a potential Article 5 trigger, and also has recognized the necessity to defend its own networks while, for the most part, leaving the defense of nations to the nations themselves. NATO has created a small Cyber Response Team to assist nations that request help. NATO’s Multinational Cyber Defense Capability Program has developed work packages for the sponsoring nations of Canada, the Netherlands, and Romania that permit sharing of information within a trusted community and is working on other capabilities. NATO’s Cooperative Cyber Defense Center of Excellence, based in Estonia, has a “mission to enhance the capability, cooperation and information sharing among NATO, its member nations and partners in cyber defense by virtue of education, research and development, lessons learned and consultation.” Among other activities, it hosts valuable cyber exercises such as Locked Shields, which includes national and NATO cyber teams….
Extended deterrence and cyber
In addition to the steps NATO is currently taking or proposing, the extended deterrence doctrine, if applied to cyberspace, could significantly ameliorate NATO’s cyber vulnerabilities and deficiencies at the national level. While generally considered as a nuclear defense concept, “extended deterrence . . . serves to reassure our . . . allies of their security against regional aggression.” In applying that doctrine to cyber defense, nations with greater capabilities would help provide less capable nations with the establishment, transfer, training, and support of key cyber capabilities. These capabilities would be particularly focused on protecting military networks, telecommunications infrastructure, and the electrical grid, and on providing an offensive capability to be utilized as authorized, including as part of an integrated defense in a conflict.
To do this effectively, NATO should take the following actions.
• Create “cyber framework nations,” each of which could help support national capabilities including the establishment, transfer, training, and support of necessary cyber capabilities in line with the framework nation concept approved by NATO at the 2014 Wales summit. For example, a cyber framework nation could help a less cyber-capable ally establish an effective intrusion protection system, provide forensic support, and develop resilience capabilities to be utilized in the event of attack by an adversary. The United States would be the first cyber framework nation;
• Establish operational partnerships with key private entities, including ISPs and power grid operators. For example, military, telecommunications, and electrical grid operators could create, in advance, capabilities that would mitigate a Tier V or VI attack. As discussed below, this should be done first at the national level; the US, as a cyber framework nation, could help others organize for this effort; and
• Develop doctrine and capabilities to provide for the effective use of cyberspace in a conflict as part of NATO’s warfighting capabilities. For example, cyber tools potentially could disrupt an adversary’s communications, logistics, and sensors or be utilized as part of a defense of critical infrastructures….
While there would be multiple ways in which to work out funding requirements, a potentially useful approach would be for NATO and the European Union to collaborate in this arena. Most specifically, extending the recent NATO-EU cyber collaboration, the European Union could create a “cyber reliability support initiative” that would help fund upgrades to national military, telecommunications, and electrical grid infrastructures to enhance cyber resilience….
A final point: cyber extended deterrence is not a gift from the United States or other cyber-capable countries to less capable recipients. If the US were to fight forward and with allies, as all US military doctrine and plans expect, then it would be extraordinarily hard to do so in an era of networked warfare without the military, telecommunications, and power grids of host nations being available for US and allied activities. Cyber vulnerabilities are one of NATO’s and its member-states’ most significant challenges, but an extended deterrence approach as recommended could significantly and promptly reduce such vulnerabilities.
Franklin D. Kramer is a distinguished fellow and on the board at the Atlantic Council and a former assistant secretary of defense. Robert J. Butler is an adjunct fellow at the Center for a New American Security and served as the first US Deputy Assistant Secretary of Defense for Cyber Policy. Catherine Lotrionte is the Director of the CyberProject in the School of Foreign Service at Georgetown University and former Counsel to the President’s Foreign Intelligence Advisory Board and former Assistant General Counsel at the Central Intelligence Agency.