As NATO prepares for its annual summit, to be held July 11-12 in Brussels, media attention has been focused on whether member states will boost their defense spending and readiness across the traditional operational domains of land, air and sea. This reflects a needed focus on important, but frankly longstanding alliance priorities. What many NATO-watchers are missing, however, is NATO’s full embrace of its newest operational domain: cyberspace.
Just two years ago, at the Warsaw Summit, allied nations recognized cyberspace as a new “operational domain in which NATO must defend itself as effectively as it does in the air, on land and at sea.”
Since the Warsaw Summit, NATO has developed an ambitious roadmap to implement the cyber operational domain approach, with profound implications along lines of effort, such as: training, capability development, organizational construct, operational planning, training, exercises and strategic communications.
Work in these areas is conducted with the aim to augment the cyber resilience and achieve mission success, in a cyber environment that is increasingly contested by adversaries. This is in line with the alliance’s cyber pledge to prioritize investment in cyber skills and capabilities.
Furthermore, the recognition of cyberspace as an operational domain opens the way for the integration of voluntary sovereign national cyber contributions into NATO operations and missions. Keeping in line with the other operational domains, NATO itself will not acquire offensive capabilities, but will rely on the contributions of its member nations. Already, the United Kingdom has led the efforts. In a Chatham House address last year, Sir Michael Fallon, former U.K. defense secretary, announced publicly that “the United Kingdom is ready to become one of the first NATO members to publicly offer such support to NATO operations as and when required.”
At the NATO defense ministers’ meeting last November, allies agreed on a framework of political and legal principles to guide the integration of voluntary cyber contributions from member nations. The framework ensures that any allied engagement in cyberspace will abide by NATO’s defensive mandate, political oversight and compliance with international law. This is also in line with allies’ support for the development of norms and confidence building measures, for security and stability in cyberspace.
This year, allies’ defense ministers agreed to establish a Cyber Operations Centre as part of the new NATO command structure, the first cyber-dedicated entity within NATO’s command structure. This is the first step toward integrating cyber capabilities into NATO planning and operations, but specific considerations should be kept in mind.
In the physical domains of land, air and sea, operational planning refers to of the physical forces or capabilities provided. In the cyber domain, integration will focus on the effects generated by the voluntary national cyber contributions, rather than the capabilities themselves, given that most cyber tools are unique and discrete.
Within NATO, there has been a growing emphasis on developing the “digital IQ” of the allied military. In Portugal, a NATO Cyber and Communication-Information Systems Academy is being set-up, while cyber resilience is now featured in coordinated training curricula in every NATO member state. Cyber has been also streamlined across all NATO exercises.
The NATO Cyber Center of Excellence in Estonia organizes two annual cyber-dedicated exercises. The first, “Cyber Coalition,” is testing the alliances readiness and response procedures and policies in situations of wide-reaching, persistent cyberattacks. The second exercise, under the Locked Shields banner, tests the skills of cyber experts in red-team/blue-team war games scenarios. This year, NATO’s blue team won the exercises, signaling the growing interest of member nations to strengthen NATO’s new operational domain.
“All crises today have a cyber dimension,” noted Secretary General Jens Stoltenberg earlier this month. Soon after in London, Stoltenberg hinted that the July NATO summit will “take decisions on integrating national cyber capabilities into NATO operations.” This reflects a game-changing approach in terms of mainstreaming cyber across strategy and tactics, training and exercises, as well as military planning in all operational domains. This is consistent with the recent U.S. Department of Defense strategy, which aims to “invest in cyber defense, resilience and the continued integration of cyber capabilities into the full spectrum of military operations.”
It is no secret that, in cyberspace, we are under attack as we speak. As the threat landscape expands, so does NATO’s commitment to the new cyber operational domain.
Ambassador Sorin Ducaru is a senior fellow at the Hudson Institute. Between September 2013 and November 2017, he was NATO assistant secretary general and chair of NATO’s Cyber Defense Committee and Cyber Defense Management Board, having a leading role in NATO’s cyber policy development and implementation. He is also a special advisor of the Global Commission on the Stability of Cyberspace.