Recently, there have been a number of articles that explore the important and ongoing debate about the capabilities and policies NATO needs in order to deter and defend against the ever-looming cyber threats.
While many such articles accurately highlight the urgent need for NATO and its member states to develop a more proactive approach to countering cyber threats, it is worth further considering a significant step the Alliance has already taken towards achieving a more effective posture to counter cyber threats. At the NATO Warsaw Summit in July 2016, the Alliance declared cyberspace an operational domain.
By declaring cyber an operational domain in which the Alliance must defend itself as it does on land, sea, and air, member states gave NATO a mandate to create a dynamic framework that will help the organization to better confront current security challenges. When implemented by 2019, NATO’s decision will empower military commanders to use cyber tools alongside conventional means of defense to confront current security challenges, such as use of cyber tools as part of hybrid operations.
The concept also enables the organization to explore ways cyber tools could be used as standalone capabilities if their use could achieve better operational results than conventional means. Indeed, the designation opened the door for the Alliance to consider how offensive cyber capabilities could be used in support of its operations
Such a designation signals a shift in the organization’s focus from information assurance to mission assurance, recognizing that there is no such thing as absolute cybersecurity and that the organization will have to operate in contested environments. It is indeed proof of NATO’s increased maturity and understanding of the operational environment.
Designating cyber as a domain of operations enables NATO to plan, train, and organize itself in news ways. The Alliance will also have recourse to the cross-domain toolbox of capabilities that it can employ in air, land, or sea in response to cyber threats. This in itself significantly ups its game to counter the threats.
Despite the array of options afforded to the Alliance in light of the designation of cyberspace as an operational domain, NATO will have to continue to adapt. The Alliance must find ways to achieve greater situational awareness of the ever-changing cyber environment and redesign its decision-making process in order to keep up with the pace of the threat.
NATO allies must also find effective ways to connect Allied Command Operations with the defender of NATO networks, the NATO Communication and Information Agency. To further adapt to the reality of cyberspace as an operational domain, NATO will have to introduce dynamic ways to acquire technology while innovating and understanding the value and attributes of actionable threat intelligence.
When considering the use of offensive cyber capabilities against a perceived threat, NATO will have to manage a range of challenges. Strategic communications and coordination of vulnerabilities are just two of them.
In terms of strategic communications surrounding this issues, NATO’s message could be easily hijacked by adversaries claiming that such use or considerations of use are escalatory and contrary to the organization’s work in promoting peace and stability, and its important contribution to the discussion on norms of responsible state behavior.
In his article for the Council on Foreign Relations, Jeppe T. Jacobsen brilliantly lays out the challenges of development and coordination of use of offensive cyber capabilities and the potential role NATO can play. In short, the author argues, the use of cyberweapons against common adversaries could be coordinated through the joint NATO division that is being created under the newly appointed NATO Assistant Secretary General for Intelligence and Security, Arndt Freytag von Loringhoven.
It is important to highlight that any use of national offensive cyber capabilities in support of NATO operations would have to be agreed upon by the Allies. Given the disparity in levels of capability and experience NATO members have in the cyber realm, this will be no easy task. However, much can be done with existing frameworks and capabilities.
For starters, NATO and the less-experienced Allies can learn from those more experienced countries that have already used offensive cyber capabilities in operations. For example, the United States and United Kingdom have deployed cyber tools in the fight against the Islamic State of Iraq and al-Sham (ISIS). The United States has also elevated its focus on cyber operations with US President Donald J. Trump’s decision to elevate US Cyber Command to a full combatant command within the US military. Through training and education, NATO can encourage Allies to share best practices and discuss the legal, policy, and technical challenges involved in the incorporation of offensive cyber capabilities.
If NATO begins to incorporate national offensive cyber capabilities into its security toolbox, it must support its Allies in the responsible development and use of such capabilities. NATO can serve as a great platform for the member states through its organizational structure. Using its cyber range capability and exercises, Allies can train together and learn hands-on from the more experienced members.
Implementing the concept of cyberspace as an operational domain, and using NATO’s existing capabilities and frameworks to sort out important issues around offensive cyber capabilities, will not only bring the Alliance closer to the possibility of using offensive capabilities in support of NATO operations but also serve as a strong deterrent to potential adversaries. The aggregate power of national capabilities that could be used in support of NATO easily outweigh any single adversary’s capacities.
Klara Jordan is a nonresident fellow with the Atlantic Council’s Cyber Statecraft Initiative. You can follow her on Twitter @JordanKlara.
Additional editing by Rachel Ansley, editorial assistant at the Atlantic Council.