16 August 2014

NATO’s September Summit Must Confront Cyber Threats

August 11, 2014 

Jarno Limnéll is the Director of Cyber Security at McAfee (now part of Intel), a PhD in military science, and a former officer in the famously tough Finnish armed forces, where he spent five years as a strategic analyst. He spoke to us in June about the Russian threat in cyberspace, which many analysts consider far more dangerous than the Chinese (whom we know more about because they keep getting caught….). In this article, he lays out the cyber challenge facing the impending NATO summit in Wales. The views expressed here are his own. – the editors. 

Cyber is already an integral part of all conflicts and wars in today’s world. But there is plenty of work and planning ahead before NATO, as an alliance, is a credible player in the cyber domain. Most urgently, in the ongoing hybrid warfare in Ukraine, where the border between peace and war is intentionally blurred and where armies do not take on the role of a direct aggressor, NATO must improve its collective capabilities in cyberspace and its interpretation of Article 5, the famous treaty provision which says an “armed attack” – a term never defined – on one member of the alliance is an attack against all. President Obama and his European counterparts must make tough decisions and clear guidelines at the NATO Summit in September. 

We are living in an ever more dynamic, disordered and demanding world in which the adaptability and resilience are essential to our security. We keep forgetting that the world keeps changing, constantly and unpredictably, and the meaning of . A year ago, who could have predicted the current situation in Ukraine? The challenge is not responding to what we know today, but rather preparing for what tomorrow might bring.. It is the country or alliance which is most adaptive and most resilient that will survive and prevail through the next series of shocks. 

One trend in security is clear: the rapidly increasing use of cyberspace to pursue political goals and seek geostrategic advantage. Nation-states are pouring massive amounts of money into developing technological capabilities and hiring skilled people. There are already about 35 countries with both the capabilities and doctrines to conduct offensive cyber operations. The world is moving toward a greater strategic use of cyberweapons. The reality is that if you want to be a credible player in world politics, in economics, and on the battlefield, you must possess strong cyber capabilities. 

That does not mean we need to panic and throw out everything that’s worked well in the past. Cyberspace and the changes it has wrought are not “everything” or a revolution: Instead, the increasing importance of cyber is a phase in normal evolution. Societies in their daily activities as well as in warfare ever more dependent on the digitally connected infrastructure. NATO operations rely heavily on cyber-enabled networks. Therefore, cyber needs to be taken seriously as a strategic issue, but not exaggerated as revolutionary

There are three main challenges in cyber for NATO and its member-states: 

First, how to integrate cyber capabilities with other military activities? This area remains relatively unexplored. Cyber is understood too often as a standalone approach to security and warfare, unconnected to traditional means of defense. The primary challenge is to integrate cyber into a broader strategic and operational concept, both for defense and offense. It is a challenge more cultural than technical. We have to keep in mind that there will never be “a pure cyberwar” and cyber operations should not be separated from the broader context of war. Cyber will be a significant part of all wars and conflicts. 

The Ukraine crisis is the showcase of this kind of strategic integration, called hybrid warfare. The Russian approach combines physical military forces, both regular and irregular, with information operations, provocateurs, economic measures, and actions in cyberspace. The Ukraine crisis also tests Nato´s ability to persuade its members to confront the “grey zone war” which lies just below the threshold of a traditional Article 5 response. 

The second challenge is Article 5 itself. The crisis in Ukraine shows that the time has come for NATO to replace strategic ambiguity with clarity about how the collective defense pledge plays out in the face of cyber threats. In order to be a credible military alliance today, NATO must possess credible cyber policy. The alliance has recently updated its cyber defense policy to make it clear that a major digital attack on a member-state could be covered by the Article 5, the collective defense clause. This is a very important announcement. Nonetheless, the real question remains what kind of circumstances would trigger a response under the Article 5? When would a cyber attack against one be considered an attack towards all? The answer is ambiguous. 

A central element in all warfare is credibility – credibility of both capabilities and policy. Member-states must have a crystal clear confidence in the alliance’s will and ability to respond if one of them is confronted with a severe cyber attack. As long as the threshold to invoke the Article 5 stays unclear, member-states cannot have full confidence in collective cyber defense, especially, when there are no precedents and cyber attacks create complex problems of attribution. 

On the other hand, it would be a dangerous policy to define and reveal the actual threshold. Particularly, in the context of “gray zone war” it is not wise to tell the adversary what is acceptable and what is not. Otherwise the opponent will intentionally act just below the threshold of open warfare to avoid a collective NATO response. Most probably, a cyber attack which triggers Article 5 will include mass casualties and major physical damage. However, the decision will always be political, as it is in the case of physical attacks, and it will be decided on a case-by-case basis. Most importantly, cyber attacks are clearly nowadays treated as the equivalent to kinetic attacks. 

Of course, policy and practices are never enough if there are no real capabilities. This is NATO´s third cyber challenge. There are huge differences between NATO members in the development of their cyber capabilities. Currently, there also seems to be a lot of suspicion about others’ capabilities even between the closest allies. Since we are still living in the dawn of the cyber era, it is unclear how willing the advanced cyber member-states have to reveal and use their cyber intelligence and offensive cyber capabilities on behalf of the other member-states. (We faced similar uncertainty throughout the Cold War over whether NATO’s nuclear-armed members would really use their nuclear weapons on behalf of the others and risk Soviet retaliation, the so-called “extended deterrence” dilemma). 

It is a positive trend that information sharing, mutual assistance, cooperation with industry and exercises are increasing and deepening within NATO. Nonetheless, it seems that cyber defense will be carried out on a national rather than collective basis for a long period of time. Cyber capabilities are mainly being developed on a national basis, after all. Without greater cooperation among the member nations, NATO cannot play a sophisticated role in the cyber domain. Developing genuinely shared cyber capabilities seems a distant prospect at the moment, which weakens the credibility of the alliance’s collective defense. NATO must evolve into a more cohesive cyber community. 

Jarno Limnéll 

Cyber is essential to the future of NATO and its fundamental principle of collective defense. Incorporating cyber into other activities, clarifying the cyber policy with regard to the Article 5, and preparing to conduct full-spectrum cyber operations with shared capabilities are not merely “nice to have” for NATO. They are a necessity in today’s uncertain world, and they should be on the top of the agenda in the upcoming September summit in Wales. 

Jarno Limnéll (@JarnoLim) is director of cyber security at McAfee and Professor of Cyber Security at Aalto University in Helsinki. The views expressed here are his own.

No comments: