Dr. Max Smeets is a cybersecurity fellow at Stanford University Center for International Security and Cooperation. Alex Grigsby is the assistant director of the Digital and Cyberspace Policy program at the Council on Foreign Relations. You can follow Smeets @smeetsmwe.
U.S. President Donald J. Trump dominated last week’s NATO summit. He criticized the alliance’s inability to meet collective defense spending targets and questioned its relevance, all of which sparked headlines and op-eds about the existential threat he posed, not only to NATO but to the liberal international order.
It is no wonder that few payed attention to the cybersecurity issues that were raised in Brussels. According to the summit declaration and a statement on transatlantic security, cyber issues were mentioned more times than terrorism—a noteworthy development considering the alliance has spent the last seventeen years fighting the Taliban in Afghanistan. And, perhaps even more noteworthy, NATO Secretary General Jens Stoltenberg wrote an op-ed for the Financial Times, which makes the case that defending cyberspace matters as much as defending land, sea, and air.
Given all of this activity, what did NATO actually accomplish with respect to cyber policy? Two words: not much.
This year’s outcome documents reiterate the same things that previous summits have said. In line with statements made over the last few years, NATO reaffirmed its desire to operate as effectively in cyberspace as in other domains, and aims to support the alliance’s cyber defense and deterrence posture. It also reiterated its commitment to implement the cyber defense pledge, where each member country pledges, among other things, to “develop the fullest range of capabilities to defend [their] national infrastructures and networks,” and reaffirms the alliance’s commitment to international law in cyberspace.
As NATO repeats past statements, it also leads us to repeat the same conceptual and strategic questions that NATO has struggled to answer in the past. Given the absence of clear boundaries in cyberspace, is it possible to delineate where defense ends and offense starts? Is deterrence a viable strategy for NATO members when the barriers of entry are low, it is difficult to impose costs on adversaries, and so much activity takes place below the threshold of armed attack?
Russia’s use of online information operations against member states also raises new questions that NATO has somewhat side-stepped. Should NATO be in the business of responding to cyber-enabled information operations? If it did, what would that look like? And are information operations part of the Cyber Defense Pledge or is it conveniently bracketed off as something different (possibly part of Finland’s Hybrid Warfare Center)? How can a military organization be effective against such threats?
Perhaps the most concrete cyber initiative associated with this year’s summit is the new NATO Cyber Operations Center, which NATO defense ministers agreed to create last year. According to many observers, the new cyber operations center is a "big deal." According to one former NATO official, the center marks "dramatic change in [NATO’s] cyber policy" leading to a "new aggressive stance."
Work to stand up the operations center is ongoing. NATO’s pre-summit documents said that this year’s meeting in Brussels would help to further specify the role the center. Yet, little remains known about the functioning of the organization (and hence, if it is truly a game changer).
When the center was established last year, Secretary General Stoltenberg stated:
Today, ministers agreed on the creation of a new Cyber Operations Centre as part of the outline design for the adapted NATO Command Structure. This will strengthen our cyber defences, and help integrate cyber into NATO planning and operations at all levels. We also agreed that we will be able to integrate Allies’ national cyber capabilities into NATO missions and operations. While nations maintain full ownership of those capabilities. Just as Allies own the tanks, the ships and aircraft in NATO missions.
Yet, offensive cyber capabilities are not like conventional capabilities. What integration means in this context is unclear. And to what degree is this integration into missions a NATO effort or an effort by—at most—a handful of states which are actually able to conduct meaningful cyber operations?
The summit raised some old questions and new ones too. We were hoping for some answers but NATO does not make them easy to find.