As the North Atlantic Treaty Organization (NATO) celebrates its 70th anniversary, it faces a rapidly changing world and a newly developed threat: cyberattacks. Members of NATO have already been affected by cyber attacks both directly, such as the cyber attack against Estonia in 2007, and indirectly, through misinformation campaigns launched in Norway. NATO has expanded its deterrent role through the creation of new standards under its collective defense and has established relationships with allied organizations, like the NATO Computer Incident Response Capability. Additionally, NATO is aiming to partner with the private sector to share information and is offering material to improve cyber defense for potential new allies. Even with these structures in place, NATO must continue to improve and standardize its responses to cyber attacks in order to remain relevant in the quickly digitizing world.
In response to the rise in cyber attacks, NATO declared cyberspace its fourth domain of military operations at the Warsaw Summit in 2016. This follows the establishment of the 2014 Cyber Defence Pledge that included cybersecurity as a part of NATO’s collective defense defined in Article 5 of the Washington Treaty. Through these declarations, the NATO Heads of State and Government declared that “[NATO] must defend itself as effectively as it does in the air, on land, and at sea.” NATO has taken a deterrence stance in the cyber realm, with the goal set forth by NATO Secretary General Jens Stoltenberg “to make the potential costs of an attack too high. And to make the potential gains of an attack too low.”
NATO’s allies have created organizations to defend their cybersecurity, including the NATO Strategic Communications Centre of Excellence (StratCom) and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). StratCom was established in Latvia and focuses on information warfare and the development of hybrid warfare. CCDCOE was founded by Estonia in 2008 and focuses on training cyber professionals and researching cyber defense education through annual cyber conferences and developed materials. These organizations allow NATO to improve its own defenses while establishing relationships with organizations outside of its current membership. NATO must continue to expand its network and relationships in order to keep up with evolving cyber threats and attacks.
In addition to these established organizations, NATO continues to develop relations with cyber officials in various governmental and nongovernmental organizations. NATO recently held a meeting with European Union cyber officials in December 2018 to discuss future cyber developments within Europe. Additionally, it created the NATO Industry Cyber Partnership in 2014 to establish a mutually beneficial dialogue. This partnership allows NATO and its allies to defend its defense supply chain at the origin; while the private sector receives information on the cyber risks and potential malware vulnerabilities NATO discovers.
Through these organizations and agreements, NATO has improved and strengthened its unified cyber defense capability, seemingly positioning itself to be a standard bearer for cybersecurity. However, these commitments lack specifics and could hamper NATO’s ability to respond to an attack because of bureaucratic and security protocols. Following the inclusion of cyber attacks under Article 5, NATO and its allies could not agree on what kind of attack would trigger the collective defense response. Allies still use their own incident standards to define cyber incidents and in some cases do not make these standards public. This results in an uneven response and makes it difficult for NATO and its allies to provide a unified, Article 5 response to cyber incidents. Stoltenberg has defended this vague definition by stating that, “a clearly defined threshold only invites attacks immediately beneath it.” This clarification does not address the larger issue of which attacks would trigger an Article 5 response, as NATO already defends against low-level cyber attacks daily. Ambiguous guidelines could also cause NATO to misappropriate responses to cyber attacks, leading to potentially embarrassing overreactions to minor incursions or devastating slow responses to crippling attacks. Without a clear definition, NATO will struggle to respond to attacks.
As stated earlier, NATO’s focus is on deterring attacks—to such an extent that the cost of an attack would outweigh any benefits. However, this focus has resulted in NATO lacking the offensive capabilities to respond in the same capacity as its allies, like the United States. There is some discussion within NATO over taking an “offensive defense” role within cyber in order to respond directly after an attack. This change will have its own repercussions, as it may lead to an attack being wrongly attributed or a response unnecessarily escalated.
As cyber attacks become more prevalent, NATO must address its shortcomings in responding to potential threats. If NATO clearly defines its role in cybersecurity and demonstrates that it can provide sound responses to attacks, NATO will not only be able to protect itself, but also expand its influence to new partners looking for security.