NATO has much to discuss at its annual summit in Warsaw on July 8 – 9. From the implications of the UK’s decision to exit the EU, to aggressive Russian actions in the Baltics, to the war with ISIS, to terror attacks and refugee flows across Europe, to instability in Afghanistan, the range of tough security challenges is large and difficult.
One additional item rightfully on the agenda is alliance roles and responsibilities in the cyber domain. Cyber space has joined the air, land, sea, and space as war-fighting domains in which freedom to operate is essential for mission execution. Cyber security (and resiliency) is critical for alliance operational integrity. NATO Secretary-General Jens Stoltenberg has said repeatedly that “cyber is now a central part of virtually all crises and conflicts, NATO has made clear that cyber attacks can potentially trigger an Article 5 response.”
Cyber attacks by an identified state actor against an alliance state actor can be as threatening to the alliance as kinetic events in some circumstances, as was the case when Russian persons attacked the Estonian Ministry of Defense in 2007. But NATO needs to refine its definition of “cyber attacks” if it is to have meaning and integrity.
For example, attacks against domestic critical infrastructure constitute an unrefined and hugely expansive mission space. Should it be an alliance military mission? Should this come under NATO’s security umbrella? Expanding Article V protections to attacks against private sector operations may seem logical to some, but NATO should proceed with great caution before promising its security umbrella to cyber homeland security and resiliency. Asserting protection and response to attacks in this area, over-states NATO’s capacities and undermines alliance credibility.
There are a host of reasons why NATO must confine its ambitions to government network defense and response, and rethink whether domestic infrastructure protection really is – or should be – part of its writ.
First among the reasons is that the private sector owns and operates the vast majority of critical infrastructure and may not want NATO or even their own government’s help. The private sector has its own diverse perspectives, and the crisis management links between government and the private sector simply do not exist. Calling this a NATO mission makes essential coordination with the private sector exponentially harder. Differing national laws and ethos that define government–private sector cooperation makes it nearly impossible.
NATO members, like so many national governments, continue to minimize the reality that the private sector is at least as central as governments in cyber crisis management and response. Unlike traditional armed conflict, deterrence and crisis management is a joint venture with the private sector, no matter how often governments think they will be the tip of the spear.
The private sector is not only a co-equal branch in cyber crisis management but has different stakes than governments and multinational alliances. Information technology and other major companies are borderless, and responsive to global stakeholders and financial markets. Their interests often do not align with those of governments, and certainly not major military alliances. The private sector generally has superior capabilities than governments. Its decisions about what to do, when to do it, and how to do it, will take government views into account but will not be beholden to them.
Revisiting North Korea’s repeated attacks against Sony America’s networks throughout 2014 highlight how different and difficult crisis management is in the domestic digital domain. NATO will do well to remember how complicated this event was for the United States national security apparatus.
In brief, the North Korean state attacked the digital data stores of the American subsidiary of a Japanese company. The key actors through most of the crisis were all in the private sector, and Sony responses were framed more by the actions of its rivals and business partners in industry than anything said or done by government. Not surprisingly, individual business interests outweighed common cause. Private sector unity was not possible.
Of course the U.S. government played an important role late in the crisis when President Obama declared there to be a national interest in the situation and imposed sanctions on the North Korean state. But the central point is that critical decisions were made by the private sector, based on business needs, damage assessments, and capabilities.
Government was not able to manage this major crisis even though it involved a nuclear weapon state threatening physical strikes in the U.S. homeland. Events since, such as Apple’s refusal to cooperate with a court order to assist the government in accessing encrypted information on a terrorist’s iPhone, reinforces the reality that the relationship between government and industry is getting more distant, not closer. Apple probably would be even less likely to cooperate with a 28 nation military alliance than with its “home” government.
Just imagine how complex it would be for a 28 nation military alliance to assert response dominion against digital attacks by a known adversary against the networks controlling a member’s key infrastructure. What if the company(s) involved had deep business interests in the adversary nation and refused to work with the alliance in fashioning a response? What if its business interest compelled accommodation? What if it did not want to share its essential capabilities with government (or a large military alliance) fearing doing so would be a competitive disadvantage?
National security officials across the globe struggle with the idea that the private sector is not subservient to government in protecting their information technology interests and often is just as capable as government in intelligence gathering and response planning. Cohesion between the two worlds is not likely unless the private sector becomes an essential actor in this element of national security decision making space.
This is not to say industry can operate alone. Industry has many dependencies on government. Only governments can set laws and press treaty enforcement between states. Industry relies on government to provide emergency response assistance if digital strikes have a physical effect, such as a major power outage. Governments often hold key bits of information that can complete the operating picture environment.
The shared dependency between government and the public sector provide opportunity to remake decision-making processes heretofore made solely by government actors. Until we make more headway remaking these processes, NATO would be wise to constrain its ambitions to defending its own networks and improving its operational resiliency. It should set aside planning to protect and respond to digital strikes against privately owned domestic critical infrastructure.
NATO has more than enough challenges ensuring its communications integrity and updating war plans to fully accommodate for fighting in the digital domain. Let’s leave the hornet’s nest of what the alliance should do in response to attacks on domestic infrastructure and private companies to a more settled period.