The 2018 NATO summit and the months leading up to it were a spectacle of diplomacy at its finest and at its worse. The media drama surrounding the summit overshadowed the big strides the Alliance has made in its cyber defense mandate.
With the announcement that Allies agreed on how to integrate sovereign cyber effects into Alliance operations and missions, NATO and its member states managed to articulate (at least internally) how to reconcile NATO’s defensive posture in the face of Allies having adopted offensive cyber capabilities.
This is a considerable success on an issue which has arguably been a conundrum for the Alliance at least since 2013, when the UK announced that the country is developing a full spectrum military cyber capability, including a strike capability. Over the years, NATO member states have used cyber as a standalone capability or in support of their operations individually, and it was only a matter of time that their use be warranted in NATO operations.
NATO’s defensive mandate in cyber has evolved over time – from protecting its networks to protecting its ability to conduct missions in contested environments- but the organization struggled to respond to calls to be more proactive. The announcement that the Alliance will coordinate sovereign cyber effects for its operations, struck many as an aggressive move.
While getting to this decision undoubtedly required a fair amount of diplomatic maneuvering and work with technical and legal experts, the fact that NATO will coordinate sovereign cyber effects for its missions and operations doesn’t change the defensive mandate of the organization- the operators supporting NATO missions need tools to proactively defend themselves before the execution of a mission is jeopardized. They may need to go outside their networks to disrupt attacks, identify attackers or retrieve stolen data or degrade the adversary capability to continue activities harming NATO’s ability to operate.
I also don’t believe it signifies a more aggressive stance of the organization. As evidenced by the debate around the use of cyber capabilities in the United States- one of the NATO members with the most developed doctrines and policies around their use, the technical and coordination requirements of achieving desired effects with cyber tools- that have to specifically tailored to the system’s architecture or software- to have those effects – renders this option a fairly unattractive one compared to traditional kinetic capabilities.
In fact, coordination, integration, and possible de-confliction that would have to happen before the use of such effects generated by national capabilities can contribute to greater stability and collaboration between European NATO member states and the United States.
Indeed, what can, at the outset, appear aggressive and escalatory can be the biggest contribution to NATO’s collective security mandate in cyber so far. The political oversight and the consensus based decision process in NATO means, that any effects that NATO will want to integrate will be debated among the 29 member states. And while the discussion will likely revolve around “what to achieve” versus “how” it is hard to imagine that the conversation will not include some amount of detail about different vulnerabilities in the information systems and technologies of the adversary that the operation desires to exploit.
This “side effect” can lead to unexpected information sharing between Allies for the greater good. Allies may become more aware of their own national vulnerabilities, but maybe more importantly, disclose these to vendors in their vulnerabilities equities process (VEP) rather than stockpile them for future use. These conversations may also inspire them to establish their own VEP and discuss the tradeoffs associated with the desire to conduct offensive cyber operations at the national level in an interconnected and interdependent world where the tools they launch to achieve certain effects can be reverse engineered and used against them and their own vulnerabilities.
These will be difficult trade-offs for NATO and its member states to manage in a world where they will have to ensure that their military mission can continue in contested cyberspace. But these conversations have the potential to positively shape responsible behavior in cyberspace, especially for those NATO member states that are at the early stages of shaping their thinking, doctrines, and law with respect to offensive cyber operations.
Only time, and more clarity on what NATO’s decision on how to integrate sovereign effects will tell what the decision means for international security. But the decision has the potential to be NATO’s biggest possible contribution to cooperative security and crisis prevention in cyber.