Over the past decades, cyberspace has transformed societies around the world, reshaping economies, politics, social affairs, and, increasingly, militaries. The first cyber attacks launched as part of a military conflict are now twenty years old.1 In the last decade, cyberspace has become a central aspect of military operations.
The acceleration of the military use of cyber capabilities and the simultaneous militarization of cyberspace create new threats and opportunities for NATO. The alliance must respond in a number of ways, including by increasing investment, strengthening technical cooperation with the European Union (EU), and seeking political consensus on the attribution of, and responses to, cyber attacks.
Issues at Stake
Armed forces and vital civilian organizations, such as operators of energy networks, rely more and more on computer systems for their operations. This increases both their efficacy and their vulnerability. NATO saw the significance of this trend some time ago, and since 2016, the allies have recognized cyberspace as a domain in itself. The alliance integrates cyber capabilities into its thinking and planning for operations, even if mainly in defensive terms. The alliance’s 2016 Cyber Defense Pledge helped member states strengthen their national cyber defense capabilities by working together.2
Twenty-four of NATO’s twenty-nine member states have issued public cyber doctrines that deal with military issues.3 Dedicated units are being created across NATO countries, either with a unified cyber command, as in France and the United States, or with a devoted cyber force, like in Germany. This is the right step overall, although allies’ differing approaches to cyber strategy and organization could cause challenges when it comes to joint and combined operations.
NATO is responsible for protecting its networks and infrastructure, as well as promoting cooperation among allies and with partner nations. For the moment, the alliance’s most important prerogatives and capabilities lie in the defensive use of cyber capabilities, although individual countries can volunteer various cyber services—not only defensive ones—to NATO commanders. In 2018, the alliance set up the Cyberspace Operations Center in its command structure to help nations and commanders better understand these possible national contributions and their uses. NATO also strengthened its cooperation on cyber matters with the EU through a joint declaration at the alliance’s 2016 summit in Warsaw.4
There is often little difference in offensive cyber capabilities between criminal groups and some military forces. Hacking tools are becoming more accessible. In 2017, the U.S. National Security Agency’s sophisticated offensive suite was stolen or leaked and subsequently used in attacks.5 In parallel, critical civilian infrastructure, such as the networks that govern energy or water distribution, is becoming more dependent on the internet, making it a target in potential conflicts. This infrastructure could even be used as a tool for a large attack: if corrupted by hackers, it could be turned into a botnet—a network of computers linked by malware. It has become possible, in theory, to achieve a strategic effect with cyber attacks on civilian facilities and infrastructure, which tend to be less protected than military equipment. As a result, the line between the defense of military and nonmilitary assets in cyberspace is becoming increasingly blurred.
One consequence of this trend is closer military cooperation with civilian authorities, including law enforcement. However, military organizations and armed forces tend to invest more than civilian ministries or agencies in cyber defense and cybersecurity. In the United States, for example, the Department of Defense accounted for more than 50 percent of the 2018 federal cybersecurity budget, representing $8.5 billion out of $15 billion.6 Unchecked, this trend creates a growing gap between military and civilian spending.
Several international organizations and, more recently, companies have decided to address stability in cyberspace and the regulation of cyber conflicts. Some states and nonstate actors are even suggesting the adoption of a treaty on the use of information technology and international security. After meetings of the United Nations (UN) Group of Governmental Experts failed in 2017 to reach a consensus on what constitutes states’ responsible behavior in cyberspace, the UN initiated two new negotiation processes. One is a resolution, sponsored by the United States and European countries, to create a new group of governmental experts.7 The other is a Russia- and China-sponsored resolution to set up an open-ended working group.8 The two tracks have different calendars and mandates, including on consultative meetings. The outcomes of their work, and the potential codes of conduct for cyber conflict they could generate, will provide guidance for how all countries, including NATO allies, should behave in the future regarding cyber operations.
Research and development policies and investment strategies in cyber and military technologies are key elements to ensure that armed forces are equipped with up-to-date capabilities. The fast pace of technological evolution requires NATO member states to make significant, continuous investments to avoid falling behind in terms of capabilities.
Alongside investments in technology, allies need to strengthen education in cyber matters, not only in engineering, but also in strategic thinking and social use. All military personnel have to be involved to ensure greater cybersecurity awareness and a better integration of cyber capabilities into military operations. The most important challenge for NATO as an alliance is to bridge the gap between those states with first-rate cyber capabilities and awareness and those that lag behind. Currently, a handful of member states are pulling away from the others in terms of the mass integration of connected devices, quantum computing, and artificial intelligence–based systems. This gap could have a major impact on burden sharing in NATO, because a low level of spending by one or more countries would need to be compensated by the others to maintain a satisfactory global level for the alliance.
Allies should draw up national cyber rules of engagement for offensive operations in accordance with principles of international law. Certain policies espoused by some member states, such as hack-back, which allows private firms to pursue attackers into other companies’ networks, or cyber deterrence, could lead to uncontrolled escalation.9 International law tends to limit this escalation to mainly economic responses, such as sanctions and countermeasures. All NATO allies also need to ensure that their rules of engagement are compatible with the alliance’s agreed approach to cyber defense. At present, different countries have different views on offensive cyber policies, in particular.
The alliance should give technical assistance to member states that are willing to share information and national best practices. NATO should expand its rapid-response system to cover attacks that blur the line between the military and nonmilitary realms, such as an attack on critical nonmilitary networks in the context of a NATO military mission.
Unity is important when it comes to external communications by the allies, or by NATO’s secretary general, on attribution. While the decision to attribute an attack to a particular entity remains a sovereign and political one, allies should discuss any such communication from individual capitals before it is made. This would not only prevent uncontrolled escalation but also preserve the strength and unity of the alliance.
NATO should develop standards on the security of emerging cyber technologies in close partnership with the EU. Allies could address the interoperability and security of connected devices in the defense sector by devising a common policy in the alliance. NATO should also impose a minimum standard of cybersecurity in products, such as connected devices and systems; computer-based technologies; and command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) systems during the acquisition process.
Quantum computers deserve particular attention from NATO, because they can be game changers in the military domain. The alliance should act as a gateway between member states’ militaries and defense companies to promote further industrial cooperation, notably on technical standards. Such cooperation should be based on the NATO Industry Cyber Partnership, which provides platforms for the exchange of information, threat trends, and best practices. The alliance must foster the maximum possible level of cooperation to ensure that NATO countries are the first to implement this technology.
NATO should strengthen cyber cooperation with the EU more generally, in accordance with the 2016 joint declaration. The EU has broad experience in cybersecurity regulation, in particular. The alliance should lend its political weight to the adoption of recent EU cyber laws, such as the directive on the security of network and information systems. This directive improves cybersecurity in two ways: first, by imposing tighter obligations on the operators of critical equipment to report incidents and, second, by requiring Europe-wide cooperation between cybersecurity agencies and computer emergency response teams.
NATO should continue to work with the EU in educating and training military staff and officials on cybersecurity—for example, as the two organizations do via the Cyber Defense Smart Defense Project. Common exercises such as the annual Locked Shields form an important framework in which to develop common views and capabilities. The alliance could use facilities such as the NATO School in Oberammergau, Germany, or the NATO Communications and Information Systems School in Latina, Italy, to train officials and operators on cybersecurity.
The alliance should support the public political goal of building a predictable, secure, and stable cyberspace. There is a risk that cyber conflicts could escalate to open military confrontations and that the uncontrolled spread of offensive cyber technologies could create an era of permanent low-level conflict. The international community has an interest in strengthening peace and stability in cyberspace, and NATO has an important role to play here.
The alliance should also make its views heard in international negotiations on stability in cyberspace, especially at the UN. Some important issues remain open in these talks, such as the possible application of the right to self-defense in cyberspace, and military alliances such as NATO should promote their views on such topics. In particular, NATO has to be proactive in opposing the militarization of private cyber actors and offensive operations by nonstate entities, which are major possible sources of instability in cyberspace. NATO’s contribution could consist of advising member states on the issues involved, as well as feeding into international negotiations on stability and regulation in cyberspace.
NATO could participate in new forums created to promote a secure and stable cyberspace, such as the Paris Call, a declaration launched by French President Emmanuel Macron in November 2018 to encourage the development of common principles for securing cyberspace.10 The alliance’s position should be to encourage respect for international law in cyber conflicts. The NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) has contributed to this goal by supporting the development and publication of two editions of the Tallinn Manual.11 This expert work is not an official document of NATO, the CCDCOE, or the member states, but it offers a comprehensive analysis of how existing international law applies to cyber operations. With other publications on this topic, it offers a valuable resource for policymakers and experts on the legal framework of cyber defense.12
More broadly, NATO should take into account existing initiatives aimed at promoting peace and stability in cyberspace, such as the Global Commission on the Stability of Cyberspace, as well as the ways in which the alliance’s policies and actions may influence such initiatives. International law is a key element to avoid uncontrolled escalation, because many cyber attacks remain under the threshold of an act of war.
The authors are grateful for the contributions of François Delerue, research fellow at the Institute for Strategic Research (IRSEM); Frédérick Douzet, director of GEODE; Aude Géry, doctoral candidate at the University of Rouen and researcher at GEODE; and Olivier Kempf, associate fellow at the Foundation for Strategic Research.
1 François-Bernard Huyghe, Olivier Kempf, and Nicolas Mazzucchi, Gagner les cyberconflits, au-delà du technique [Winning Cyber Conflicts, Beyond Technology] (Paris: Economica, 2015), 176.
2 “Cyber Defense Pledge,” NATO, July 6, 2016, https://www.nato.int/cps/en/natohq/official_texts_133177.htm.
4 “EU-NATO Cooperation—Factsheets,” European External Action Service, June 11, 2019, https://eeas.europa.eu/headquarters/headquarters-homepage/28286/eu-nato-cooperation-factsheet_en.
5 “Report: Shadow Brokers Leaks Trace to NSA Insider,” BankInfoSecurity, December 20, 2016, https://www.bankinfosecurity.com/report-shadow-brokers-leaks-trace-to-nsa-insider-a-9596.
6 “Budget of the United States Government,” U.S. Government Publishing Office, accessed October 21, 2019, https://www.govinfo.gov/app/collection/BUDGET/2018.
7 “Resolution Adopted by the General Assembly on 22 December 2018,” United Nations General Assembly, resolution A/RES/73/266, January 2, 2019, https://undocs.org/en/A/RES/73/266.
8 “Resolution Adopted by the General Assembly on 5 December 2018,” United Nations General Assembly, resolution A/RES/73/27, December 11, 2018, https://undocs.org/en/A/RES/73/27.
9 Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica: RAND Corporation, 2009), 213.
10 “Cybersecurity: Paris Call of 12 November 2018 for Trust and Security in Cyberspace,” French Ministry for Europe and Foreign Affairs, November 12, 2018, https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in.
11 Michael N. Schmitt (ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press, 2017), 598.
12 François Delerue, Cyber Operations and International Law (Cambridge: Cambridge University Press, 2019); Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford: Oxford University Press, 2014), 336; and Heather Harrison Dinniss, Cyber Warfare and the Laws of War (Cambridge: Cambridge University Press, 2012), 360.