On June 14, 2016, NATO Secretary General Jans Stoltenberg announced that NATO will now consider cyber as an “operational domain.” The recognition of cyber-attacks as an element of warfare, alongside land, air and water attacks, by an organization that stresses collective defence carries weight, and how NATO chooses to engage with cyber-conflict will play a key role in the continued ‘militarization’ of cyberspace. Thus, it is important to understand the implications of NATO’s cyber announcement and the context under which this decision was made.
This is not the first time NATO has acknowledged the military capabilities of cyberspace. In June 2014, NATO ministers called for a cyber-defence policy that placed “cyber as part of NATO’s collective defence.” This suggested that a cyberattack on a NATO member could invoke Article 5 (referred to as the collective defence clause: an attack on one member is an attack on all members). Instigating Article 5 has serious implications; members would have the right to respond to the aggressor, even using force if necessary.
The 2014 announcement was more focused on integrating cyber into NATO by “enhancing information sharing” and “boosting cooperation with industry.” While this year’s announcement does build on this initial policy, it also seems related to increasing cyber capability. Stoltenberg mentioned “this is about developing our abilities and capabilities to protect NATO cyber networks but also to help and assist nations in defending their cyber networks.” Another official delved further into this, with Reuters reporting that “recognizing cyber as an official domain of warfare will allow NATO to improve planning and better manage resources, training and personnel needs for cyber defence operations.”
In this regard, NATO’s integration of the cyberspace into the operational domain is very important. As Stoltenberg highlighted, it is becoming “impossible to imagine a military conflict today without a cyber dimension.” Where the medium of conflict is shifting, security organizations must be prepared to participate in the event of an attack. Some NATO members have already begun to invest in the tools for cyber-engagement. The UK has been investing in offensive cyber capabilities for quite some time now, and US officials have recently reached a “tipping point” in cyberweapons.
This announcement comes at an interesting point in cyber-relations, as NATO members and allies have recently been victims of political and infrastructural cyber-attacks. In May 2015, the German parliament found that its computer system had been hacked and even a month after the hack was detected, key data was still being stolen by the hackers. In June 2015, French television network TV5 Monde’s website was defaced with jihadist propaganda. In December 2015, a cyberattack on Ukrainian infrastructure left 80,000 Ukrainians without power. Earlier in June 2016, in the midst of the US presidential election season, the Democratic National Committee’s report on Donald Trump was leaked online, stolen directly from the DNC’s computer networks. Even as recently as June 22, 2016, files digitally stolen from the Clinton Foundation have been released online, containing damaging information against many financial activities conducted by the foundation.
The common element in the attacks described above is that they have allegedly been traced to Russian hacker groups. This introduces a diplomatic element to NATO’s cyber-initiatives: cyber-attribution. Russian groups have been cyber-aggressive for quite some time – this began as early as 2007 when they attacked Estonia’s government websites for removing a Soviet war memorial. Despite identifying the territory in which these attacks originate,and even the groups that conducted them, it is virtually impossible to determine if these groups are running independently or through state sponsorship. Regardless, Russian hackers have been particularly active in the cybersphere recently, and this speaks to the necessity of building cyber defensive capabilities now.
Now that NATO has committed to approaching cyber as a space for conflict, the organization will have to moderate a number of complex elements. For example, there is the defensive versus offensive divide in what capabilities to develop. While an anonymous official emphasized that NATO’s focus would be on the defensive and avoid offensive tactics, the fact is a number of countries, such as the US, UK, and Russia, already have offensive capabilities (there is an argument that offensive capabilities can be integrated into defensive alliances). If NATO chooses to pursue offensive capability, will knowledgeable members contribute that information? As James Lewis of the Centre for Strategic and International Studies pointed out, there is a “huge reluctance to share capabilities” eroding the cyber-defence culture.
Additionally, NATO Ministers will have to determine the criteria under which a cyberattack does invoke Article 5. There are different variations of cyberattacks – some are going to be more damaging than others. Is taking down a government website with distributed-denial-of-service (DDoS) attacks a cyber-attack? While this would be a minor inconvenience to some governments, for countries like Estonia, where so many of their governmental services are online, this has more serious implications. Additionally, should there be any response to cyber attacks that are economically-threatening in nature? While these attacks and other non-military targeted attacks may not invoke Article 5, should NATO respond to more less severe cyber-attacks as well? If so, how? In 2014, it was suggested that this be determined on a case-by-case basis (and Stoltenberg reiterated that it will depend on the “severity of the attack” after the 2016 announcement). While I agree that this is the most appropriate way to approach this now, NATO ministers should invest time into developing basic criteria for how to respond to different levels of ‘cyber-attacks.’
Finally, as a more long-term consideration, it will be interesting to see how NATO approaches different cyber-aggressors. Russia is not the only cyber-aggressive country; China is also aggressively acting on the internet, conducting both economic and diplomatic espionnage as well. ISIS has also been utilizing the internet to reach potential members, therefore NATO may also have to engage with the Islamic State online as well. With the issue of attribution on top of this, it will be interesting to see how NATO chooses when to engage in the cyber realm.
NATO has taken a positive step in ensuring its members’ security by embracing cyber into its operational domain. Where cyber is a space that is still being developed and shaped by those who engage in it, NATO’s involvement will contribute to the normative development of cyber-warfare rules, both defensive and offensive. It is going to be very interesting to see how NATO chooses to formulate its own standard of operation there and how that affects other international cyber relations.
Photo: Courtesy of U.S Federal Government via Wikimedia Commons. Public Domain.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.