These are important and critical parts of NATO’s cyber security work but they fail to do two things. One, they fail to get to the heart of the quintessential question about NATO’s cyber security obligations: what constitutes an ‘attack’ and what capabilities might be provided to a member experiencing an attack?
Two, the current list of summit cyber deliverables won’t do much for those countries inside NATO that find themselves on the wrong side of the digital divide. Too many member states still lack basic information on the evolving nature of cyber threats and the different types of possible attacks. Some members have also avoided developing cyber strategies and tools, fearing the high costs of doing so. In reality, though, there are a number of low-cost ‘cyber hygiene’ measures – such as taking an inventory of authorized and unauthorized devices and software, securing configurations for hardware and software on mobile devices and servers, and conducting continuous vulnerability assessments and remediation – that can significantly reduce risks. . . .
Some of the larger members that currently contribute the most to NATO’s overall budget also worry about who would pay for new capabilities. It is no secret that most NATO members, having faced multiple rounds of steep budget cuts in recent years, are having a hard time maintaining conventional military capabilities. How then, the more capable NATO members have asked, would other members realistically be able to afford any offensive or defensive cyber capabilities that the Alliance deemed critical?
While purchasing new cyber capabilities (other than what is required to secure internal NATO networks) seems too ambitious, NATO members have come to the conclusion that they need to at least begin a dialogue on the biggest question facing the Alliance on cyber: NATO’s Article 5 obligations to defend a member state in the face of an attack on its territory.
Article 5 commitments require member states to reveal what capabilities they actually have on offer in the face of an attack. For some countries like the US, making that list available even to NATO member states would reveal highly sensitive information about cyber capabilities. At the same time, NATO members don’t want anyone to assume − particularly those countries that have already experienced cyber attacks − that NATO’s support is in question.
Clearly there is a gap that needs to be bridged. But if NATO managed to address such questions in the nuclear field, which is equally sensitive in terms of revealing allies’ capabilities, it should be able to do so in the area of cyber as well.
Julianne Smith, Associate Fellow, Americas Program, Chatham House.