Sharing is Caring: The United States’ New Cyber Commitment for NATO

Trey Herr is a visiting fellow at the Hoover Institution. Jacquelyn Schneider is an assistant professor and affiliate faculty at the Center for Cyber Conflict Studies at the U.S. Naval War College. You can follow Schneider @JackieGSchneid. Her comments are her own and do not represent the views of the U.S. Navy, the Naval War College, or the Department of Defense.

Given the recent blockbuster headlines about alleged Chinese snooping on server hardware sold to major technology companies and the latest joint-denunciation of Russian cyber operations, you could be forgiven for having missed an important NATO-related development. The Associated Press reports that the U.S. Defense Department will announce a new commitment to use offensive and defensive cybersecurity capabilities on behalf of NATO allies.

The new commitment is notable given how cybersecurity has long been treated as an exceptional domain of operations, and cyber capabilities reserved as strategic national assets to be shared with only the closest of allies. With this announcement, the Pentagon is suggesting that cyber capabilities might be used alongside conventional weapons with allies and indeed, equal weight appears to be given to offensive and defensive operations. Perhaps most significantly, the announcement moves NATO partners closer to what has been a tight coterie of U.S.-favored signals intelligence partners such as the United Kingdom, New Zealand, Australia, and Canada.

The DoD announcement is a sign of the continued, if nascent, normalization of cybersecurity under the current administration and in Europe. Even where offensive cyber operations may not rise to the level of war, they provide decision-makers with options to influence the geopolitical environment. This aligns with recent trends in the U.S. military to integrate cyber capabilities into maneuver units and large exercises, and reflects the shift towards more risk acceptant and offensive measures to counter cyberattacks found in the 2018 DoD Cyber Strategy.

Moving cyber capabilities into the same strategic frame as conventional weapons, especially with NATO, reflects a shift in institutional cyber arrangements within the United States and the growing power of the military relative to the intelligence community. For the United States, cyber capabilities have always had a complicated relationship with the intelligence community, in particular the National Security Agency (NSA). When Cyber Command stood up in 2010 as a sub-unified combatant command within the Department of Defense, it moved into the NSA’s headquarters, staffed its management ranks with longtime NSA employees, borrowed networks and technical capabilities, and to this day shares a dual-hatted commander. In the immediate years after the command was created, it was logical that the structure of partnerships with allies looked more like the special signals intelligence relationships formed around the NSA rather than traditional alliance networks in NATO and Asia. The recent announcement aligns cyber operations more closely with Department of Defense missions, which are more likely to posture capabilities for deterrent effects, than intelligence missions, which view capabilities as assets to be carefully husbanded.

Treating cybersecurity capabilities more like conventional arms and less like national assets also helps drive the integration of cyber operations into the planning and execution of a broader array of conventional military missions. Early cyber operations were largely conventional espionage and surveillance activities supercharged by the spread of computing and the internet. In the United States, this led to the creation of large and complex software tools, carefully guarded by the intelligence community as national assets (sometimes unsuccessfully). The DoD’s announcement indicates a move towards treating at least some of these capabilities, along with their supporting infrastructure, more like conventional armaments and making them available for broader use; a model closer to Central or Special Operations Command and less like the National Security Agency.

The Pentagon’s new commitment also reflects changes in how Europe talks about cybersecurity and characterizes the Russian threat. The last two years have seen a trend toward more open discussion of offensive cyber operations and the possibility of the alliance adopting more assertive postures to counter cyber operations against its members. After years of devastating ransomware attacks and cyber-enabled information attacks, NATO members are more willing to explore cyber triggers to Article 5. They have also been more willing to articulate the cyber threat against the alliance. In addition to last week’s denunciation by Dutch, UK, and U.S. authorities, Russian state actors are widely suggested to be responsible for an increasingly brazen series of operations, including targeting German government ministries, French and British TV stations, and more.

Sharing offensive cyber capabilities raises the question of whether cyber operations can extend effective deterrence to NATO partners. There seems to be little focus on using these operations to deter conventional or nuclear attacks on NATO countries, but this may evolve. The United States seems to want NATO to use cyber operations to deter other cyber operations, particularly those falling under the threshold of armed conflict. Cyber operations have all sorts of problems for deterrence: signaling is difficult, they can be perceived as a cheap threat, and their effects are largely uncertain. By contrast, moving new military forces in Eastern Europe or conducting ground exercises are credible signals of extended deterrence, but are costly and time consuming. Cyber capabilities aren’t free, nor are they necessarily cheap, but the promise to use them can add new credibility to a deterrent threat without the same investment and delay as conventional alternatives. Sharing cyber capabilities may be a cheaper way to signal alliance commitment than other options and might signal a further maturation, and acceptance, of cybersecurity into geopolitics.