19 January 2019

An Assessment of North Atlantic Treaty Organization Cyber Strategy and Cyber Challenges

By Ali Crawford

Summary: Cyber capabilities are changing the character of warfare. Nations procure and develop cyber capabilities aimed at committing espionage, subversion, and compromising the integrity of information. The North Atlantic Treaty Organization has evolved to meet these modern challenges by consistently implementing new policies, creating governing structures, and providing education to member-states.

Text: In 2002, leaders from various nations met in Prague to discuss security challenges at a North Atlantic Treaty Organization (NATO) summit. Agenda items included enhancing capabilities to more appropriately respond to terrorism and the proliferation of weapons of mass destruction, to consider the pending memberships of several Eastern European nations, and for the first time in NATO history, a pledge to strengthen cyber defenses. Since 2002, NATO has updated its cyber policies to more accurately reflect the challenges of a world that is almost exclusively and continuously engaged in hybrid warfare.


As NATO is a defensive organization, its primary focus is collective defense, crisis management, and cooperative security. Early cyber policy was devoted exclusively to better network defense, but resources were limited; strategic partnerships had not yet been developed; and structured frameworks for policy applications did not exist. When Russian Distributed Denial-of-Service (DDoS) attacks temporarily disrupted Estonian banking and business sectors in 2007, the idea of collective defense was brought to fruition. Later, in 2008, another wave of vigorous and effective Russian DDoS attacks preceded an eventual kinetic military invasion of Georgia. This onslaught of cyber warfare, arguably the first demonstration of cyber power used in conjunction with military force, prompted NATO to revisit cyber defense planning[1]. Today, several departments are devoted to the strategic and tactical governance of cybersecurity and policy.

NATO’s North Atlantic Council (NAC) provides high-level political oversight on all policy developments and implementation[2]. Under the NAC rests the Cyber Defence Committee which, although subordinate to the NAC, leads most cyber policy decision-making. At the tactical level, NATO introduced Cyber Rapid Reaction teams (CRRT) in 2012 which are responsible for cyber defense at all NATO sites[3]. The CRRTs are the first to respond to any cyber attack. The Cyber Defence Management Board (CDMB), formerly known as the Defence Policy and Planning Committee (Cyber Defence), maintains responsibility for coordinating cyber defense activities among NATO’s civil and military bodies[4]. The CDMB also serves as the most senior advisory board to the NAC. Additionally, the NATO Consultation, Control, and Command Board serves as the main authority and consultative body regarding all technical aspects and implementation of cyber defense[5].

In 2008 at the Bucharest Summit, NATO adopted its first political body of literature concerning cyber defense policy which primarily affirmed member nations’ shared responsibility to develop and defend its networks while adhering to international law[6]. Later, in 2010, the NAC was tasked with developing a more comprehensive cyber defense strategy which eventually led to an updated Policy on Cyber Defense in 2011 to reflect the rapidly evolving threat of cyber attacks[7]. NATO would continue to evolve in the following years. In 2014, NATO began establishing working partnerships with industry leaders in cybersecurity, the European Union, and the European Defense Agency[8]. When NATO defense leaders met again at the Warsaw Summit in 2016, the Alliance agreed to name cyberspace as a domain of warfare in which NATO’s full spectrum of defensive capabilities do apply[9].

Despite major policy developments and resource advancements, NATO still faces several challenges in cyberspace. Some obstacles are unavoidable and specific to the Internet of Things, which generally refers to a network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data. First, the problem of misattribution is likely. Attribution is the process of linking a group, nation, or state actor to a specific cyber attack[10]. Actors take unique precautions to remain anonymous in their efforts, which creates ambiguities and headaches for the response teams investigating a particular cyber attack’s origin. Incorrectly designating a responsible party may cause unnecessary tension or conflict.

Second, as with any computer system or network, cyber defenses are only as strong as their weakest link. On average, NATO defends against 500 attempted cyber attacks each month[11]. Ultimately, the top priority is management and security of Alliance-owned security infrastructure. However, because NATO is a collection of member states with varying cyber capabilities and resources, security is not linear. As such, each member nation is responsible for the safety and security of its own networks. NATO does not provide security capabilities or resources for its members, but it does prioritize education, training, wargaming, and information-sharing[12].

To the east of NATO, Russia’s aggressive and tenacious approach to gaining influence in Eastern Europe and beyond has frustrated the Alliance and its strategic partners. As demonstrated in Estonia and Georgia, Russia’s cyber power is equally frustrating, as Russia views cyber warfare as a component of a larger information war to control the flow and perception of information and distract, degrade, or confuse opponents[13]. U.S. Army General Curtis Scaparrotti sees Russia using cyber capabilities to operate under the legal and policy thresholds that define war.

A perplexing forethought is the potential invocation of NATO Article 5 after a particularly crippling cyber attack on a member nation. Article 5 binds all Alliance members to the collective defense principle, stating that an attack on one member nation is an attack on the Alliance[14]. The invocation of Article 5 has only occurred one time in NATO history, following the September 11 terror attacks in the United States[15]. The idea of proportional retaliation often arises in cyber warfare debates. A retaliatory response from NATO is also complicated by potential misattribution.

Looking ahead, it appears that NATO is moving towards an active cyber defense approach. Active defense is a relatively new strategy comprising a set of measures designed to engage, seek out, and proactively combat threats[16]. Active defense does have significant legal implications as it transcends the boundaries between legal operations and “hacking back.” Regardless, in 2018 NATO leadership agreed upon the creation and implementation of a Cyber Command Centre that would be granted the operational authority to draw upon the cyber capabilities of its members, such as the United States and Great Britain[17]. Cyber deterrence, as opposed to strictly defense, is attractive because it has relatively low barriers to entry and would allow the Alliance to seek out and neutralize threats or even to counter Russian information warfare campaigns. The Command Centre is scheduled to be fully operational by 2023, so NATO still has a few years to hammer out specific details concerning the thin line between cyber defense and offense.

The future of cyber warfare is uncertain and highly unpredictable. Some experts, like German professor Thomas Rid, argue that real cyber war will never happen, while others consider that a true act of cyber war will be one that results in the direct loss of human life[18]. Like other nations grappling with cyber policy decision-making, NATO leadership will need to form a consensus on the applicability of Article 5, what precisely constitutes a serious cyber attack, and whether the Alliance is willing to engage in offensive cyber operations. Despite these future considerations, the Alliance has developed a comprehensive cyber strategy that is devoted to maintaining confidentiality, integrity, and accessibility of sensitive information.
