NATO must transform itself in order to deal with cyber threats and opportunities. Although currently on a strong course with a new cyber strategy, recently approved by the national defense ministers, the Alliance still has a long way yet to go.
NATO should for now continue to stick to a basic recipe of implementing the new strategy to get defense right, rather than being distracted by new missions such as offensive cyber operations.
Just as NATO must focus on current military operations in Afghanistan, Libya, and off Somalia, it should also keep its eyes on the current cyber fight. Cyber may one day be a weapon of mass disruption, but NATO should first improve basic defenses to fight today’s fight, not worry about tomorrow’s. And today’s cyber fight is not one of massive, disruptive attacks on national infrastructure, but a more insidious threat: the continuous theft of defense information through cyber espionage.
While some critics might contend this approach is focused on fighting yesterday’s cyber conflict, it happens to not be the case. The common practices needed to protect against quiet crimes and stolen information actually form much of the foundation of skills and tools required to combat more advanced or disruptive threats. It is no less important in cyber than in the physical world to start with basic tasks and master them before moving on to anything more complex. And, without doubt, NATO still has a long way to go on these basics. Priorities for the Alliance are not even the ‘best practices’ yet but are rather the easier and more straightforward common practices such as effectively patching vulnerable systems.
Critically, the NATO Computer Incident Response Capability must continue to improve and expand their mission to monitor systems and respond to incidents for all NATO headquarters and agencies, whether military or civilian. Amazingly, some non-technical aspects of incident response happen at NATO headquarters, in the cyber office of the Emerging Threats division. The NCIRC, which should handle response, is staffed solely with computer security specialists who are not trained to reach out to police or others. The Department of Defense recognized and largely solved this issue way back in 1998, after the SOLAR SUNRISE incident, so there is no reason why NATO should need to relearn old lessons.
Fortunately, the strategy’s most noteworthy strengths are that is focuses on overall policy, rather than technology, and keeps the focus on actions that NATO must perform, rather than seeking new missions for the Alliance. This very reasonable start must be followed up by execution of the plan itself, for which an action plan is now being drawn up in NATO headquarters.
With so many basic tasks left to improve, there no need for NATO to rush forward into new mission areas such as organic NATO offensive cyber capabilities. Headlines and pundits scream that offensive cyber operations are potential war-winners. Every nation wants to have its own cyber command and it is no surprise that some would like NATO to do likewise.
However, since the dawn of the cyber age, it has been a rule of thumb that the loudest proponents for cyber capabilities are those who know the least about their operational use and promise. When it comes to battlefield effects of cyber weapons, the most skeptical groups are the planners, developers, and operators that face uncertain effects, lengthy targeting and approval processes, and doubtful commanders and lawyers. As Bob Giesler, a former Pentagon cyber official now at SAIC, put it, sometimes it is easier to “just bomb it” rather than go through the lengthy approvals needed to employ cyber capabilities.
For NATO to prioritize offensive cyber capabilities now would be folly, especially in the face of its own vulnerability. Indeed, NATO cannot win its next war with offensive cyber capabilities but it could lose that war unless it improves its defenses.
In conclusion, to develop cyber capabilities, NATO should focus its efforts on the following areas:
- Pour resources into the basics: incident response, information sharing, properly maintaining computers to “patch” them from being vulnerable, and generally executing the new strategy.
- Consider cyber conflict as a national security problem for policy makers, not a technical issue for computer security professionals. For example, future cyber barrages against Estonia can be much more tractable at the policy level, as senior leaders are more likely to look beyond the technical origin of the attacks to look for fingerprints of national responsibility.
- Work extremely close to the European Union, especially for issues such as the resilience of national infrastructure that NATO militaries may rely on. The EU’s ENISA has recently issued reports on the resilience of Internet interconnections and country reports for all 27 member states.
- Look for ways for multinational sharing of some defense capabilities, such as incident response, and security training, tools and technology. NATO does not need a separate IT schoolhouse for each nation’s military (or, worse, one for each military service as in the Department of Defense). Nor does NATO need separate IT procurement programs, incident response training, and many other duplicative efforts. Nations not only should, but must, take advantage of the Alliance to pool and share.
- Think of how to engage the private sector, not just for information sharing, but in more substantive ways as well. Many non-governmental organizations have significant capabilities to fight cyber crime, respond to incidents, and foster cooperation with other nations. These groups and companies are already doing these missions and it will be in their interest, and NATO’s, to work together. In short, it will be both more effective and less expensive for NATO to rely on the private sector where it can.
The senior leadership of NATO has launched a strong cyber strategy. The chief objective is to implement the needed tasks in a time of austerity. Defense is far too important in cyber conflict to be done sloppily; it must remain the focus for development of strategic capabilities for NATO for a long time to come.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. This blog post is adapted from comments given at a panel on NATO strategic capabilities, organized by the Security and Defense Agenda in Brussels in June 2011.