Is Internet conflict NATO’s next defense-industrial agenda, or just a matter for industry?
“Where [was] the industrial agenda for the NATO Summit?” Hugo Rosemount of Defense One asked after Wales. Successful industrial engagement has not traditionally been NATO’s long suit, but after the talks had concluded, we had our answer: cyber was priority one. That might seem some progress for an alliance whose first cyber policy was articulated in 2008, after the attacks on member state Estonia, and was last updated three years ago. Moving at the speed of cyber, movement today is possibly none-too-soon, but at least a sense of urgency has set in. So yesterday, as part of our Cyber Risk Wednesday series, the Atlantic Council hosted an event on “NATO’s Cyber Defense Mission and Capabilities”, a panel discussion amongst Sorin Ducaru, assistant secretary general for emerging security challenges; Jason Healey, director of our Cyber Statecraft Initiative; Christopher Painter, the State Department’s coordinator for cyber issues; and moderator Vago Muradian of Defense News.
But while the phrase “Digital Pearl Harbor” was first recorded in 1991, we’re still waiting for one 23 years on. Part of the answer to that seeming anomaly lies with common incentives. For example, do not telecommunications companies in different countries, even those whose governments are at best frenemies (Painter’s word), or just outright adversaries, have a similar interest in preventing denial-of-service or botnet attacks? In the short run, as Muradian suggested, economic espionage is what allows state-owned Chery Automotive to put VW clones into production before VW itself does, by stealing the plans from German computers. But in the long run, as Painter argued, respect for international norms is in the best interests of Chinese and Russian economic enterprises, if they want to avoid sanctions and foster trade.
Thus the big difference with cyber conflict is not its supposedly lightning speed, nor its clearly global range, nor its low barriers to entry—even if Healey’s image of “two guys in the basement” is, in Muradian’s estimation, “eternally fascinating as the great equalizer”. The big difference is the role of the private sector.
Indeed, as Computer Week was reporting back in September, in establishing the ‘NATO Cyber Industry Partnership’ (NCIP), the alliance was looking to address issues such as “supply chain management, risk assessment, information assurance, and early warning best practices.” Of course, that’s to back up its resolution that cyber attacks fall under the provisions of Article 5, the collective defense clause of the North Atlantic Treaty. But it’s also another way of acknowledging that cyber defense shares features with civil defense, in that it’s everyone’s responsibility, and a matter not always handled best by the military.
Fairly, that is already well understood. As Atlantic Council member Randy Fort of Raytheon articulated in a question, at least 80 percent of cyber defense infrastructure in NATO countries is in the private sector. And at the private lunch after the event (under Chatham House Rules), several industrial representatives—from defense contractors, software firms, telecommunications providers, and security specialists—assured the assistant secretary general that their companies had been working on the problem for years, sharing information across corporate boundaries and international borders. It was NATO, rather, that needed to make the case to them that the alliance could help.
Perhaps then, much of cyber conflict follows a Minuteman model: wherever you are in the economy, stand ready to fight off an attacker, secure your network, put out your neighbor’s fire, and clean up the litter afterwards. Maybe let the guys at Fort Meade retaliate, but don’t be a victim: take charge of your own protection. Under this model, NATO’s best role may be found in establishing common procedures. As one retired Army officer turned Internet security specialist asked afterwards: if Serbian partisans in Kosovo start throwing rocks at your peacekeepers, should they step forward, step back, or stand fast? Various NATO contingents arrived with doctrines recommending all three of these responses—as well as no guidance at all. Ducaru reminded us that NATO’s cyber mission is merely a matter of defensive coordination. As internationalized as the cyber problem is, industry could benefit from some of that coordination.
James Hasík is a senior fellow at the Brent Scowcroft Center on International Security.