In Ukraine, on December 2015, an energy facility was hit by Russian-affiliated cyber group, and 225.000 people between 1-6 hours were affected from this outage. (1)
Outage assuming as first well documented successful cyber-attack on a power grid. This recent incident also revealed that cyber capabilities would be one of the most devastating ones NATO’s adversaries would have.
Over the last decade, NATO’s cyber posture has been one of the hot topics discussed among the allies. Should NATO develop more cyber capabilities including offensives or just keep focusing on the defense of its networks and leave the rest to the member nations?
As a matter of fact, when someone goes through the NATO summit declarations s/he can/may assume that NATO puts emphasis on a strong cyber capability and deterrence.
‘A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.’(2)
‘Cyber attacks present a clear challenge to the security of the Alliance and could be as harmful to modern societies as a conventional attack. We agreed in Wales that cyber defence is part of NATO’s core task of collective defence. Now, in Warsaw, we reaffirm NATO’s defensive mandate, and recognize cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land, and at sea.’ (3)
These sentences are quoted from Wales and Warsaw Summit Declarations respectively. Regarding the last two Summit declarations, NATO has demonstrated its intention and determination against the cyber-attacks by recognizing cyberspace as a new domain.
In Wales Summit, a cyber-attack was recognized as a valid reason to trigger the invocation of Article 5 depending on its severity as part of NATO’s collective defense. In Warsaw Summit, NATO accepted the cyberspace as a new domain of operations like air, land and sea. However, is NATO really ready to assume this responsibility? After all these statements, are the planners in the new cyber command structure upgrading the current plans to include allies’ cyber capabilities?
Unfortunately, the statements are reflecting only the wishes, but not the realities.
Over the last two decades, NATO for itself has developed a good cyber image. While Emerging Security Challenge Division in NATO HQ is responsible for strategic cyber issues, NATO Communications and Information Agency (NCIA) is providing technical cyber support to NATO and besides these entities a cyber division was established in Supreme Headquarters Allied Powers Europe (SHAPE) after the Warsaw Summit. The developments of doctrines and policies continue rapidly as planned and cyber injections are becoming one of the core elements of all military exercises. So, what is the actual problem here? The problem stems from the NATO members’ approach to cyber. Currently, members want NATO to focus only on the defense of its internal network systems and to provide a platform for allies to conduct cyber exercises or to share cyber technical information. This means that NATO is currently far away from any cyber offensive applications and for sure any cyber command or using any allies cyber capabilities…
Photo: Ambassador Sorin DUCARO, NATO Assisting Secretary General for Emerging Security Challenge Division (http://bucharestforum.ro/speakers/sorin-ducaru)
Actually, this issue wasn’t so important until the cyber injections became a crucial part of the NATO exercises and then operations planners started asking more what if questions like:
- If a NATO member becomes the target of severe cyber-attacks, how is NATO going to react?
- For effective cyber defense, what kind of cyber capabilities do member states provide to NATO or does NATO have to build?
- Is Cyber really a military business?
- Are all nations really willing to share this unique capability with the allies?
Researchers from the NATO Cooperative Cyber Defense of Excellence (CCDCOE) also, may be the first time, publicly discussed this issue in their June 2016 paper “Is NATO ready to cross the Rubicon on cyber defence”. (4) Based on this paper, NATO will have to develop offensive cyber capabilities in the near future. However, how NATO will achieve this goal remained unanswered due to the unwillingness of particular member states which have cyber offensive capabilities.
How is it possible for NATO to achieve this goal if some member states are part of the problem?
Military planning process is actually simple and easy. If threat based planning has base; define threats, plan measures against to these specific threats, procure the necessary systems/weapons and integrate these systems into training. In cyber domain, building or developing cyber defense or offense capability is not as easy as it seems due to publicly unavailability of cyber capabilities. On the other hand, just a couple of allies have these capabilities but they are not willing to share. Moreover, some allies don’t consider building of cyber offensive capabilities as a military necessity and leave it to civilians.
While the situation is clearly as described as above, how can NATO solve this problem? One of the solutions is that NATO can solely be responsible for the defense of its networks regardless of the use of member states’ capabilities. In my opinion, this reflects NATO’s current cyber posture. The other option is that NATO can push nations to take more initiatives to be more active. Mainly, NATO can use its past nuclear experience. Nuclear is a unique capability under the umbrella of NATO and nations who have this capability established Nuclear Planning Group and all nuclear planning activities are being conducted by this special group.
During any severe cyber incidents or attacks, NATO planners may consider to employ another method which member states can provide necessary support and tools to the targeted ally. For example, two years ago, Turkey requested air defence assets against Syria. USA, Germany, Netherlands, Italy and Spain provided this support. However, this kind of easy solutions doesn’t work in cyber domain. We don’t have a silver bullet for this type of scenarios. In air defence case, some NATO allies already possessed the necessary air defense systems. But when an ally faces a severe cyber-attack, it is not easy to find a plug-in cyber defense solution. In cyber domain, detection and prevention phases take longer than any other operation domain. Occasionally, best defense approach would be the use of attack methodology, but in cyber domain we don’t have any ready to go a cyber weapon.
Allies need to develop proper offensive and defensive cyber capabilities that would provide cyber deterrence. As Libicki mentioned in his testimony, four pre-requisites for the establishment of the cyber deterrence would be;
- attribution capability,
- thresholds establishments for punishment,
- credibility (promises to retaliate),
- capability for the reprisals. (5)
Cyber deterrence capability development may seem very troublesome. But in cyber domain already a brutal war is going on. International regulatory organizations’ amendments are not effective as some nations do not agree on applying international agreements to cyberspace. This situation creates a gray zone for the terror organizations and their supporting states.
At this point, NATO staff has to be more active in bringing the real problems on to table and produce reasonable solutions. But also, NATO member nations have to be more eager to support these activities. For NATO, the development of offensive cyber capabilities is not supported by most of the nations due to the legal issues and extreme budget requirements. Therefore, NATO will use only that specific nation’s cyber capabilities to defend herself or any ally. However, threat scenarios can be defined in advance. In accordance with these scenarios, handling procedures, responsibilities and capabilities should be defined. In the exercises, this type of cyber events need to be exercised, otherwise simple cyber-attack simulations such as web defacements, distributed denial of service attacks (DDoS attacks) or malware injections are not reflecting cyber domain’s real problems
All these activities have to serve development of cyber deterrence capability. Libicki’s proposed four steps for the deterrence can be a good start to begin; otherwise NATO’s cyber posture is not going to be named more than network security.
- Analysis of the Cyber Attack on the Ukrainian Power Grid, March 2016
2. NATO Wales Summit Declaration, Sept 2014, para 72,73
3.NATO Warsaw Summit Declaration, July 2016, para 70,71 http://www.nato.int/cps/en/natohq/official_texts_133169.htm
4. Matthijs Veenendaal Kadri Kaska, Pascal Brangetto, ‘Is NATO Ready to Cross the Rubicon on Cyber Defence?’, CCDCOE, June 2016, https://ccdcoe.org/sites/default/files/multimedia/pdf/NATO%20CCD%20COE%20policy%20paper.pdf
5. Martin C. Libicki, It Takes More than Offensive Capability to Have an Effective Cyberdeterrence Posture, 1 March 2017,
http://www.rand.org/pubs/testimonies/CT465.html or for the full document http://www.rand.org/pubs/research_reports/RR1114.html
 Article 5 refers to the Washington Treaty. It commits the Alliance to protect and defend the Allies’ territory and populations against an armed attack.