Commentary: "NATO’s Unclear Future in Cyberspace"

Nick Cohen
October 17, 2019

At a speech delivered on September 26, 2019 at Columbia University, NATO Secretary General Jens Stoltenberg laid out his vision for the security alliance in the face of increasing global instability. He reiterated the organization’s commitment to democracy, freedom and the rule of law, asserting that these will continue to be the fundamental values that guide the alliance. Indeed, these core values will become ever more important as the alliance faces a shifting strategic environment. On the one hand, the global power balance is changing from the U.S.-led post-Cold War liberal order to a polycentric world, in which both Russia and China play increasingly important roles. On the other hand, rapid and disruptive technological change has fundamentally altered the strategic field, forcing NATO to reevaluate how it assesses and responds to threats.

Secretary General Stoltenberg spent a significant portion of his talk focusing on the second of these two challenges, arguing that emerging capabilities in cyberspace represent a significant technological threat to NATO member-states’ security. These threats include attacks on computing infrastructures as well as new types of kinetic attacks controlled through digital technologies. “At the opening ceremony of last year’s Winter Olympics,” recounted Stoltenberg, “we saw one pilot control more than 1200 drones in a stunning light show. The display was beautiful. But imagine that same technology being used to cripple a state-of-the-art aircraft carrier, or even to destroy a seat of government.” Capabilities in cyberspace offer unprecedented opportunities for destruction, from large-scale attacks like the one alluded to by Stoltenberg above to disruptions of energy and power grids to hybrid warfare campaigns, including hacks of political party and private corporation servers. Because of the immensely disruptive and potentially destructive nature of cyberwarfare, NATO has determined that cyberattacks will be treated in the same way as kinetic attacks. “We have decided that a cyberattack can trigger Article V,” Stoltenberg explained in his speech, “meaning that we regard cyberattacks potentially as damaging and as dangerous as conventional attacks or any other attacks.”

This has been the official NATO policy since the 2014 Wales Summit, which was the first time that the alliance agreed to include cyber operations under the Article V framework. This declaration built on a decade of discussions among member-states about the increasing importance, and vulnerabilities, of cyber capabilities. The alliance reconfirmed its position on cyber at the 2016 Warsaw Summit, which recognized “cyberspace as a domain of operations in which NATO must defend itself.” In essence, the Warsaw Summit confirmed cyberspace as a NATO theater of operation, alongside the traditional theaters of land, sea and air.

The alliance has slowly been building up its capabilities in cyberspace, starting with the creation of the Cooperative Cyber Defence Centre of Excellence in 2008. Based in Tallinn, Estonia, the Centre develops cyber defense education programs and trains NATO units in cyberspace operations. It also works to integrate the cyber capabilities of member-states as well as facilitate advanced information sharing in the cyber domain. This is, however, a voluntary association, with member-states choosing to join the educational and integrative initiatives conducted by the Centre. Furthermore, the Centre does not hold a mandate to conduct its own cyber operations; this prerogative remains solely in the remit of individual member-states. NATO offers support for these operations but as of yet cannot conduct cyber missions under its own flag.

A prominent example of this type of coordinated-but-separate activity is recent NATO member-states’ activities to disrupt ISIS propaganda campaigns. As Stoltenberg acknowledged in May 2019, the United Kingdom conducted a successful operation to disrupt ISIS propaganda activities on the Internet. This was done with the approval and support of NATO but was not a NATO operation itself. Other member-states with advanced cyber capabilities, including the United States and Estonia, also frequently conduct cyber operations with the approval of NATO. Nevertheless, these operations remain under the command structure of individual member-states’ militaries.

This may change in 2023, when NATO’s Cyber Operations Centre (CyOC) will become fully operational. First announced in 2017, CyOC is to be the alliance’s cyber command center, tasked with integrating cyber capabilities with other NATO military operations. With a staff of 70 cyber experts, CyOC will focus on enhancing NATO’s cyber deterrence capacities in regards to actions conducted by both state and non-state actors. CyOC is viewed as a step forward from the Tallinn Centre of Excellence in that it is less focused on education and information sharing and more focused on conducting integrated cyber operations under the NATO flag. That said, it is not yet clear to what extent the command center will be empowered in the realm of cyberwarfare. In fact, one of CyOC’s initial duties is to develop an overall operational doctrine, which will then have to be approved by the alliance’s member-states.

The development of this doctrine raises important, and as of yet unresolved, questions about the nature and extent of future NATO cyber operations. In particular, the alliance must determine to what extent NATO can conduct offensive moves in cyberspace. Will CyOC just further coordinate individual member-state actions in cyber space? Or will it be empowered to proactively conduct actions with a broad mandate from member-states? Resolving these questions and establishing a set of cyber warfare principles could allow for cyber integration into future alliance operations, with command duties residing within the NATO military structure as opposed to within individual member-states’ militaries. According to Major General Wolfgang Renner, who is in charge of CyOC, this is technically and logistically feasible. What remains to be seen, however, is whether the political will exists among member-states to empower NATO with such broad duties in cyberspace.

Nick Cohen is an MA Student in the European History, Politics, and Society program at the European Institute, Columbia University.

The views expressed in this article are those of the author and do not necessarily reflect the views of the European Institute.