NATO ROAD TO CYBERSECURITY – towards bold decisions and decisive actions

NATO ROAD TO CYBERSECURITY – towards bold decisions and decisive actions

When it comes to cybersecurity, the North Atlantic Alliance has come a long way. It can broadly be divided into three stages: the first one was when cybersecurity was treated more as a technical challenge which was supposed to be faced separately by the Atlantic Alliance and its institutions in relation to the ICT infrastructure used by NATO, and separately by the Member States with regard to their national ICT networks; the second one was when the topic became an important political issue (the process was primarily initiated during the Riga Summit and subsequently stepped-up following the cyberattacks against Estonia); and finally the third one when NATO declared cybersecurity to be a strategic challenge, requiring a coordinated response on the part of the entire Alliance and all Member States, perhaps even under Article 5 of the Washington Treaty (conclusions of the Wales Summit). NATO’s journey towards cybersecurity has not come to an end yet; on the contrary, it will take a lot of effort and further bold decisions to move closer towards achieving the goal.

The NATO Summit in Warsaw has a chance to become the next important stage in the process. We have already heard announcements that NATO will recognise cyberspace as an operational domain, next to land, sea, and air. In conjunction with the conclusions of the Wales Summit where the possibility to invoke Article 5 of the North Atlantic Treaty in the event of a cyberattack was confirmed, it becomes clear that the Alliance recognises the strategic importance of challenges of contemporary cyberspace. These are indeed important steps towards enhanced cybersecurity; however, a real breakthrough requires even bolder decisions to be made.

In this report, the Kosciuszko Institute invited authors to take up the most pressing cybersecurity challenges facing the Alliance. The NATO Summit in Warsaw should begin the discussion about these key areas. Everything indicates that in the coming years, the discussions on the direction of the Alliance’s involvement in cyber operations will be dominated by two issues. The first one concerns the need for the Alliance to specify exactly the activities carried out in the framework of collective defence and the development of NATO’s capabilities, also offensive, to operate in cyberspace. The second one, which is frequently brought up in the discussion about the cybersecurity of the Alliance, is the need for comprehensive measures to be implemented to counter hybrid threats, including the multi-dimensional use of cyberspace as one of the most critical elements.

Considering the first issue, one of the most important recommendations made in this report is to demand that a serious debate about the Alliance’s capability to use offensive cyber weapons is started. While this way of thinking is a natural consequence of recognising cyberspace as another domain of warfare, it also increases the number of options for launching operations in the framework of collective defence. It is necessary to bear in mind that activities carried out in cyberspace, including offensive operations, may be far more humane and often more commensurate than conventional actions. This means that a conventional (kinetic) response to cyber operations would not always be adequate. Therefore, offensive operations are the key to the future – from the point of view of both deterrence and defence.

Considering the role and importance of cyber operations, we put forward very specific solutions, namely the establishment of a Cyber Component Command or a Cyber Planning Group.

Taking into account the fact that since activities below the threshold of war and taking the form of hybrid threats will be increasingly used by opponents of the Alliance, the report devotes much space to this issue. Cyber operations perfectly fit the hybrid warfare strategy: they exploit the capacity to carry out actions aiming to destabilise, misinform, and destroy and at the same time evade responsibility for them. It appears that the use of ambiguity is particularly easy in cyberspace and thus “attractive” for aggressors.

Our main message is that the Alliance must not only adapt its operational strategy to these new challenges, but also establish strong cooperation arrangements with partners, especially with the European Union, to effectively combat hybrid threats. The nature of hybrid threats combines military and non-military activity. Combining the efforts of the military organisation such as NATO with the political and economic organisation such as the EU is necessary to effectively face this brand new challenge.

The authors have adopted a comprehensive perspective to deliberate on the cybersecurity of the Alliance. Among other things, they carried out an analysis of the legal and practical aspects of offensive actions in cyberspace. Drawing upon specific examples of exploiting cyberspace in hybrid conflicts, they indicated possible means to prepare the Alliance for countering these threats. Finally, they proposed that new areas of cooperation with various actors should be explored, including the private sector and other public organizations.

The report starts with the analysis of the Alliance’s hitherto engagement in cyber operations carried out by Commander Wiesław Goździewicz. At this point the entire team would like to express their wholehearted thanks the Commander who in addition to authoring the analysis offered inestimable help and advice when working on the substantive content of the entire report.

The report concludes with a set of key recommendations that we hope will prove useful for shaping future decisions considering NATO’s engagement in cyber operations. Our recommendations are far-reaching and bold – exactly as NATO’s activities should be in this area.

NATO Summit conclusions will be discussed during CYBERSEC 2016.

Dr. Joanna Świątkowska
CYBERSEC Programme Director,
Senior Research Fellow of the Kosciuszko Institute

Click here to download the report.