Amid the theatrics surrounding the defense spending issue at the recent NATO Summit in Brussels, some groundbreaking decisions made by the allies on cyber defense were overlooked. They represent a major shift in NATO’s approach to cyberattacks and their details are worth decoding.
NATO’s new approach, spelled out in the comprehensive “Summit Declaration” and other public documents, is all about the operationalization of cyber defense and imposing costs upon attackers.
At the Warsaw Summit in 2016, NATO recognized cyberspace as its newest operational domain, as important as that of land, air and sea. While that was a key step, the operational decisions and actions are the ones that really matter. The goal, as reflected in the 2018 “Summit Declaration,” is to “operate as effectively in cyberspace as we do in the air on land, and at sea to strengthen and support the alliance’s overall deterrence and defense posture.”
First among these key decisions is to establish a Cyber Operations Center (CyOC), the first cyber-dedicated entity within the NATO command structure. While the details are not captured in public documents, allied sources indicate that CyOC will be integrated within NATO’s Allied Command Operations in Mons, Belgium, as an important resource to the Supreme Allied Commander Europe. It will develop structural links and embed specialized staff throughout NATO’s operational command elements.
The second important development is that the allies have affirmed, for the first time, the determination “to employ the full range of capabilities, including cyber, to deter, defend against and to counter the full spectrum of cyber threats.”
This reflects a fundamental shift away from securing cyberspace with purely defensive measures. The “full range” of cyber capabilities means that both defensive and offensive capabilities can be deployed by NATO, in line with its defensive mandate and in accordance with international law. Since NATO, as an organization, will not develop or acquire any offensive capabilities, it will rely, as in other operational domains, on voluntary contributions by allies. Therefore, NATO leaders also “agreed how to integrate sovereign cyber effects, provided voluntarily by allies, into alliance operations and missions, in the framework of strong political oversight.” The U.K. has already announced its readiness to offer voluntary national cyber contributions to support NATO missions, and other allied nations are expected to make similar pledges.
The third new development is the commitment to “work together to develop measures which would enable us to impose costs on those who harm us.”
This reflects the frustration over the growing number of increasingly harmful cyberattacks against NATO allies in recent years, and the recognition that the alliance lacks a coherent policy to impose relevant costs upon attackers and therefore change their calculations. NATO’s 2016 Cyber Defense Pledge has been key for enhancing cyber resilience by raising the costs for cyberattackers. But its “deterrence by denial” approach — rather than one centered on deterrence by punishment — is not considered sufficient in the context of growing threats. By linking cyber defense to NATO’s Article 5 collective defense clause, the alliance is providing a strong deterrent against potential high-level cyberattack — those which could have an impact comparable to an armed conventional attack.
There is now a clear recognition of the need to develop a framework of punishment measures for use against cyberattacks, including those that fall below the threshold of an armed attack. This is very much in line with the U.S. Department of State’s “Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats,” published in May.
In order to deter cyberattacks below the threshold of the use of force, the State Department recommends working with U.S. allies and like-minded partners to “adopt an approach of imposing swift, costly and transparent consequences on foreign governments responsible for significant malicious cyber activities.” The European Union is making similar efforts to develop a “cyber diplomacy toolbox” to include a set of diplomatic, political or economic potential sanctions that would impose costs upon cyberattackers. It goes without saying that NATO-EU cooperation should also include close coordination and a complementarity of efforts to deter cyberattacks or mitigate their effects.
Finally, there is a renewed commitment to engage with the international community, as well as with industry and academia, to bolster the security of infrastructure and networks. The benefits from a norms-based, predictable, and secure cyberspace are clear for an alliance tasked with prevention and deterrence. The same goes for harnessing the opportunities of technological evolution and innovation on the side of the defenders.
Ambassador Sorin Ducaru is a senior fellow at the Hudson Institute. Between September 2013 and November 2017, he was NATO assistant secretary general and chair of NATO’s Cyber Defense Committee and Cyber Defense Management Board, having a leading role in NATO’s cyber policy development and implementation. He is also a special advisor of the Global Commission on the Stability of Cyberspace.