NATO Cyber Policy Under Construction
Multiple nations and dynamic threats complicate planning.
NATO is taking a comprehensive approach to building a cyber policy that would deter adversaries, defend its member nations and provide key capabilities in multidomain operations. This approach to the alliance’s cyberspace strategy takes into account resilience, counter-cyber activities and operational capabilities in both civilian and military elements.
Yet when it comes to NATO cyber policy, much remains to be established. With 29 member nations all having different needs and different approaches to cyber operations, the alliance has not yet arrived at a fully functional policy. It continues to seek input from its nations while incorporating necessary capabilities amid continuing changes in the cyber domain.
Maj. Gen. Wolfgang E. Renner, GEAF, commander, NATO Communications and Information Systems (CIS) Group and deputy chief of staff cyberspace at Supreme Headquarters, Allied Powers Europe (SHAPE), explains the rationale for this comprehensive approach to the cyber challenge. “You can’t solve it in the military arena, you can’t solve it in the civilian sector—it really is not just multidimensional. It’s comprehensive.”
Cyberspace is a full operational domain on a par with land, sea and air in NATO, he continues. The general notes that cyber aspects are integrated in the planning of NATO operations. This both adds capability to operations and makes them more resilient to cyber attacks. “The trick is not to re-create the wheel,” he states. “Also, cyberspace is unique in some ways from the other physical domains. We must integrate cyberspace into the operational machinery we already have in place.” This would be achieved by using procedures in place for the other domains and incorporating cyber into them.
“We want to achieve an effect,” the general says, noting that multiple options achieve this effect by classical means or by cyber approaches. Cyber also supports the other domains in operations. This effects-based approach applies to all domains, he emphasizes, with cyber being the new contributor in operations.
As it would with a conventional attack, NATO must be ready to defend its members against a hybrid attack incorporating cyber capabilities, the general continues. “Cyber attacks are increasingly used as a tool in the arsenal of hybrid warfare, and improving our cyber defenses is an important element of NATO’s work to counter hybrid warfare,” he emphasizes.
The alliance’s strategy on countering hybrid warfare takes cyber challenges into account. This includes strengthening the resilience of the alliance, its cyber defenses, its situational awareness and its cooperation with other allies.
NATO’s unique challenge in integrating cyberspace operationally is that it must be done in the context of 29 member nations, the general adds. “This makes the task more complex,” he notes.
NATO’s members bear the responsibility for their national cyber defenses individually. Leaders at the 2016 Warsaw summit pledged high priority to strengthening their cyber defenses. NATO support for their efforts emerges from the alliance’s new Cyberspace Operations Center in Mons, Belgium. On track to become operational this year, the center will support commanders with comprehensive cyberspace situational awareness, Gen. Renner explains. It also will coordinate NATO’s operational capability in cyberspace. The general describes it as part of the alliance’s work to ensure that NATO is as effective in cyberspace as it is on land, at sea and in the air.
Gen. Renner explains that NATO and its allies already exchange cyber threat information in real time. The alliance also shares cyber attack information with the European Union, as during last year’s cyber ransom attacks.
Strategically, NATO controls member nations’ cyber capabilities in operations through subordinate commanders heading forces allocated by the nations. However, sovereign capabilities such as critical national infrastructure can affect military operations. Gen. Renner points out that these capabilities must be protected by their respective member nations, and NATO must ensure that these nations maintain effective cybersecurity for their infrastructure.
Yet this division of cyber capability control is at the heart of the alliance’s policy determinations. Establishing a process in which NATO and its members divide up cyber responsibilities will depend on how the nations can agree on the exchange of information, Gen. Renner explains. This process is not in place yet, and he describes it as “under construction.”
The first step in that process was to have subject matter experts explore the challenge in different nations. Discussions included recommendations for potential processes. Information sharing and multilevel security remain issues to be addressed, as does the question of what the alliance’s nations are willing to provide to support operations and missions.
The thrust of NATO cybersecurity policy will be deterrence, Gen. Renner offers. “NATO as an organization has no plans to develop its own offensive cyber capabilities,” he declares. “At the same time, allies can volunteer sovereign effects for NATO operations and missions. This ensures NATO’s defense continues to evolve with the most fast-moving cyber threats that we face.” He adds that several member nations already have contributed capabilities, citing the United States, the United Kingdom, the Netherlands, Estonia and Denmark. Allies retain control of their national cyber capabilities at all times when they are used during NATO operations.
“As in all other domains, in cyberspace NATO acts in line with its defensive mandate and international law,” the general warrants.
Protection and prevention are the first steps for cyber planning, he says. Next will come a toolbox to counter potential threats or prepare for reaction.
Much work remains for NATO to achieve fully operationalized cyber, Gen. Renner maintains. The alliance has accomplished a great deal in a short period, but it must follow a long road map. How to orchestrate operational cyber is one of the tasks ahead, just as it was for the other domains, he offers. This will require defined rules and procedures with details in place for how cyber operations are done. It will encompass the two-way flow of information between NATO and its nations with the goal of producing an effect. Incorporating this joint-effects approach is one of the alliance’s major challenges, he says.
In the military arena, virtually every system needs to be defended in cyberspace. This especially holds true in logistics, where the supply chain is a target that must be defended. Gen. Renner notes that the purchaser of a laptop must consider the source from which it came, along with the hardware and software suppliers to the company that built the machine.
NATO nations have pledged to maintain effective cyber defenses as part of the alliance’s collective defense. A key to success will be shared situational awareness and mission assurance in the cyberspace domain, Gen. Renner says. “We have to have a clear picture of what is going on,” he states. “This is the very first step if you talk about cyber. You have to have situational awareness—what is going on in the nations, what nations are willing to provide, what is going on in NATO and its networks. Then we have to put this in a kind of common operational picture.”
Above all, NATO must educate its leadership about cyber’s potential risk and threats as well as options for action. This information must be included in leadership programs, training and exercises. Generating plans, processes and procedures to address these issues also is essential.
These efforts to generate an alliancewide cyber policy will fail without cooperation and coordination among member nations, the general states. “This is a prerogative to be successful in this new domain of operations.”