Why We Are Unconvinced NATO's Cyber Policy Is More Aggressive, and That's a Good Thing

Daniel Moore is a PhD candidate in cyber-warfare at the King’s College London’s War Studies department. Max Smeets is a postdoctoral fellow in cybersecurity at the Center for International Security and Cooperation, Stanford University. You can follow them respectively at @ILDannyMoore and @smeetsmwe.

Retired U.S. Air Force Colonel Rizwan Ali, who helped to establish NATO’s cyber program, makes that case in a recent article in Foreign Policy that NATO has “embraced” a more “aggressive” stance with respect to “the use of cyber weaponry” when it recently established a Cyber Operations Center. The article provides valuable policy insights and highlights an important set of issues which have frequently been overlooked, including international cooperation on cyber capabilities and the (evolving) role of NATO in the cyber domain. It may also help to signal to a broad audience that NATO takes the ‘cyber domain’ seriously.

Yet, we are critical of his remarks and would like to pose two basic questions. First, should NATO want to be aggressive? Second, does the operations center truly mark a radical shift in policy?

First, an individual state or alliance may resort to the use of military force to pursue a range of objectives, such as defending a territory, deterring an adversary, or compelling a rival to do something. As a result, states try to be predictable in their actions or signal their credibility to follow through on a threat. All of these things are hard to do in cyberspace, making it prone to conflict and escalation. For example, states have a hard time assessing each other’s relative strength and capabilities, increasing the likelihood that offensive actions on either side could spiral out of control. As Ben Buchanan's Cybersecurity Dilemma shows, even routine intelligence operations can be misinterpreted as aggressive intent.

Second, (luckily) there is also little evidence to suggest that NATO has become more aggressive. It’s worth citing Secretary General Stoltenberg’s briefing following the Defense Ministers meeting held in November, which Col. Ali refers to, at length here:

Finally, we discussed ways to strengthen our cyber defense. We must be as effective in the cyber domain as we are on land, at sea, and in the air, with real-time understanding of the threats we face and the ability to respond however and whenever we choose. Today, ministers agreed on the creation of a new Cyber Operations Centre as part of the outline design for the adapted NATO Command Structure. This will strengthen our cyber defenses, and help integrate cyber into NATO planning and operations at all levels. We also agreed that we will be able to integrate Allies’ national capabilities into NATO missions and operations. While nations maintain full ownership of those capabilities. Just as Allies own the tanks, the ships and aircraft in NATO missions. NATO is a defensive alliance, whose actions are always subject to strict political oversight and always act in accordance with international law.

It might be that the prepared statements are an ill-reflection of what’s happening behind the scenes. Yet, from what’s known, NATO’s initiative to create of a new cyber operations center can equally be characterized as a new effort to solve internal integration problems or as a way for NATO to provide a more credible deterrence posture. From this perspective, the new center seems to represent both a consolidation of efforts that began with the establishing the Tallinn-based Cooperative Cyber Defense Centre of Excellence in 2008 and continued with the acknowledgement of “cyber” as a warfighting domain in 2017.

Individual NATO member states have a hard enough time articulating a defense strategy, aligning interests, developing and coordinating new capabilities among military branches and government departments. Although states have the intent to develop cyber weapons, very few actually possess a meaningful capability. Even states that can conduct military cyber operations, like the United States, have faced significant challenges in making them effective.

Between NATO member states, these issues are equally relevant and perhaps even more daunting. Hyping up NATO’s efforts does nothing to promote a better understanding of how states operate in cyberspace, or of how state interactions in cyberspace work.