NATO's summit this September, as it stands now, looks a little thin on bold new ideas. If the Alliance is looking for a way to inject more innovation, it should redouble its efforts between now and September to put forward the most comprehensive agenda possible on cyber security.
To NATO’s credit, cyber is already slated to be a summit initiative but sources inside the Alliance have indicated that the cyber part of the summit will simply consist of 'more of the same' – a focus on exercises, enhanced training, standards and greater work with partners.
These are important and critical parts of NATO’s cyber security work but they fail to do two things. One, they fail to get to the heart of the quintessential question about NATO’s cyber security obligations: what constitutes an 'attack' and what capabilities might be provided to a member experiencing an attack?
Two, the current list of summit cyber deliverables won’t do much for those countries inside NATO that find themselves on the wrong side of the digital divide. Too many member states still lack basic information on the evolving nature of cyber threats and the different types of possible attacks. Some members have also avoided developing cyber strategies and tools, fearing the high costs of doing so. In reality, though, there are a number of low cost 'cyber hygiene' measures − such as taking an inventory of authorized and unauthorized devices and software, securing configurations for hardware and software on mobile devices and servers, and conducting continuous vulnerability assessments and remediation – that can significantly reduce risks.
So how did the Alliance get into such a vulnerable position? There has long been a collective of nations within NATO, consisting mainly of the larger countries in the Alliance, that has opposed an enhanced dialogue on cyber issues.
This group has essentially put forward three core arguments. First, they argue that NATO should ensure that its own internal networks were secure before it did anything more ambitious in the field of cyber security. Second, they claim that European members of the Alliance should leave cyber to the EU. Third, there is concern over who would foot the bill on new capabilities.
NATO set out to tackle the first of these objections last year, hiring Finmeccanica and Northrop Grumman to develop, implement and support NATO’s Computer Incident Response Capability. They installed state-of-the-art sensors and scanners to better prevent and respond to cyber threats at 50 separate NATO sites and headquarters in 28 countries. As an added measure, NATO stood up two Rapid Reaction Teams that can help protect and troubleshoot NATO networks in the event of an attack. It has also launched an exercise and training programme.
The Alliance needs more work on some of the other objections. The EU recently launched its own cyber security strategy, the first comprehensive policy document that it has produced on these issues. But, as in other spheres, dialogue is still needed to enhance cooperation between the EU and NATO and avoid duplication of efforts, particularly on cyber defence issues.
Some of the larger members that currently contribute the most to NATO’s overall budget also worry about who would pay for new capabilities. It is no secret that most NATO members, having faced multiple rounds of steep budget cuts in recent years, are having a hard time maintaining conventional military capabilities. How then, the more capable NATO members have asked, would other members realistically be able to afford any offensive or defensive cyber capabilities that the Alliance deemed critical?
While purchasing new cyber capabilities (other than what is required to secure internal NATO networks) seems too ambitious, NATO members have come to the conclusion that they need to at least begin a dialogue on the biggest question facing the Alliance on cyber: NATO’s Article 5 obligations to defend a member state in the face of an attack on its territory.
Article 5 commitments require member states to reveal what capabilities they actually have on offer in the face of an attack. For some countries like the US, making that list available even to NATO member states would reveal highly sensitive information about cyber capabilities. At the same time, NATO members don’t want anyone to assume − particularly those countries that have already experienced cyber attacks − that NATO’s support is in question.
Clearly there is a gap that needs to be bridged. But if NATO managed to address such questions in the nuclear field, which is equally as sensitive in terms of revealing allies’ capabilities, it should be able to do so in the area of cyber as well.
NATO has recently made moves that indicate it is taking some of these issues more seriously. Without much fanfare, the North Atlantic Council held its first ever meeting on cyber issues in December. It may not seem like much of a milestone, but the meeting was an important turning point given the level of opposition to the cyber conversation in other areas.
While the December meeting and two others that took place earlier last fall have finally launched a useful and important internal dialogue on cyber security, NATO still faces a long list of unanswered questions about its overarching purpose, required capabilities and security obligations in the rapidly evolving field of cyber security.
To comment on this article, please contact Chatham House Feedback