By Sharon L. Cardash

At the beginning of June, NATO marked a first — namely the “first-ever” Alliance meeting of ministers dedicated exclusively to the subject of cyber defense. For months, if not years, cyber threats have seized prime space above the fold and around the world. From Manhattan to Paris and beyond, the fifth domain after land, sea, air, and space has brought us vulnerabilities, as well as amazing advances. And just as NATO has grappled with re-defining its mission and revisiting its capabilities to deal effectively with threats in the post-Cold War world, the Alliance now faces the vexing challenge of figuring out how best to secure itself while its constituent members — including those most militarily powerful — each tackle the same question from their respective national perspectives. All of this comes at a time when countries are strapped for funds and citizens have little appetite for additional defense expenditures.
In the months ahead, NATO will decide how to support members that are the target of cyber attack and request aid.

Understandably, the focus to date has been on network defense at the Alliance level, to support the operations of NATO headquarters and deployed forces. While acknowledging the primacy of these coalition-level measures and stating that cyber defense is ultimately the responsibility of individual nation-states, NATO Secretary General Rasmussen has likewise suggested that “as the threats continue to evolve, NATO should be prepared to consider an enhanced role.” To this end, in a recent Wall Street Journal op-ed, he cited the following elements as existing, emerging, and potential future complements and supplements to national efforts (the list is meant to be illustrative rather than exhaustive):

  • Cyber defense training for national experts, conducted regularly, to cultivate and eventually ensure a baseline level of knowledge and a common vocabulary across the Alliance, which would facilitate the exchange of information and the ability to work together effectively in a crisis situation.
  • Additional sharing of information, intelligence, and best practices between and among Alliance members.
  • Identification of linkages between national and NATO networks, in order to shore up points that fail to meet standard.
  • Rapid Reaction Teams to assist in protecting NATO networks and in the future, perhaps national networks too, at member country request.
  • Further research, training, and exercises to test Alliance response capabilities (over and above that being done already by NATO’s Cooperative Cyber Defense Center of Excellence based in Estonia).
  • Work more closely with the European Union, where possible, to enhance one another’s cybersecurity efforts and initiatives.

In principle, both NATO and its members are now on track to assessing and addressing their gaps in cyber defense. At the Alliance level, work is underway to bring cyber defense planning into the regular NATO planning channels and processes that apply to other military capabilities. In parallel, at the national level, members have “committed to introducing a national policy on cyber defense, a national cyber defense authority and an instant response capability to cyber threats.” The good news is that this commitment represents multilateral recognition that the NATO chain is only as strong as its weakest link, and reflects agreement across 28 countries to keep that chain intact, at minimum, if not better.

As always, however, the real test resides in the manner and extent to which principles are operationalized. Time will tell, but already, there are indications that the road ahead may be bumpy. In particular, the Alliance is currently split on the question of whether and if so, how, NATO assets and resources should be used in support of specific member countries with lesser cyber capabilities who ask for NATO’s help to defend against cyber-attack. The fault line reflects differences in size, capability, philosophy, and practice — with the bigger Alliance partners (the United States, France, Germany, etc.) aligned against their smaller, generally less capable and less prepared counterparts, who would appreciate an assist and who espouse collective responsibility in this area.

Other vexing and related questions also remain unresolved. These include the best way forward for protecting member states’ critical infrastructure, which underpins and enables military action that is coordinated and executed through the Alliance. Given the challenge posed by these fundamental matters, discussion and debate about other important capacities and ideas — such as the potential development and implementation of an offensive capability for NATO — is not even on the table. Against this background, a trio of principles may prove useful to help think through and deal with existing gaps and shortfalls in the cyber defense mechanisms at the Alliance and the member-state levels:

Policy without resources is rhetoric. Promoting investment in and ultimately undertaking the cyber measures necessary at the national level to bring individual member countries into line with their more advanced and more prepared NATO partners is a tough sell at a time of global economic difficulty and stagnation. Yet, the importance and value of the exercise stands undiminished — both as a national responsibility to a country’s citizens and as a commitment to collective security via the coalition. Interdependence without commensurate burden-sharing (geared toward the redress of shared vulnerabilities) is an unstable condition that may prove to be unsustainable for the group in the long run. Similar to other NATO missions, countries could also specialize according to their particular strengths and focus on building out those specific abilities and architectures.

What gets measured gets done. The old adage is trite but true, as it is hard to dispute figures and indicators, derived through consensus formula, that reveal the bottom line. Moving forward, it is crucial that member states make good on the cyber commitments they have made, and the sooner the better. A readiness index that is applied NATO-wide could encourage the realization of this goal, especially if there are timelines attached to the achievement of constituent elements, as well as consequences for failure to comply without acceptable justification. Students in GW’s Executive MBA Program in Cybersecurity have developed such an index tool, in fact, and the leading paper on the subject was shared recently with NATO officials. Others have likewise noted the importance of exploring “whether certain policies can measurably reduce cyber risk at the national level,” and have generated models accordingly.

All for one and one for all — except when solidarity is deemed premature by key actors and an effective stopgap is needed. Transnational threats require transnational solutions, but realities on the ground may place obstacles in the way of widespread cooperation and collaboration. In present context, certain measures may be a bridge too far for NATO as a whole to embrace at this time; however, the underlying threat persists, even if a broad-based response is not yet ripe. In such circumstance, an interim remedy of some sort is needed to avoid ceding advantage to the adversary. One possibility in this regard would be the negotiation of tailored bilateral agreements between NATO partners to stop the particular gap(s) at issue. This type of instrument could provide a framework for concerted action to address the most pressing problems faced by the paired parties, as taken and grounded in a larger NATO context.

Although such agreement would reflect alignment (or complementarity of values and mechanisms, etc.) of the parties in question, their arrangements could serve as a baseline template for other pairings within the Alliance that could be adjusted accordingly, making each successive agreement somewhat easier to reach than that which preceded it. While arguably a patchwork approach to addressing underlying challenges, such a way forward would buy NATO some time — but not at the expense of security — to figure out how to forge a prudent cyber path for individual Allies and the Alliance as a whole to take, certainly from a defensive perspective, and possibly from an offensive one as well. Ideally, NATO measures and the various pairs’ agreements would be mutually reinforcing, with each bolstering rather than undercutting the other.

If the past is any indication of the future, cyber threats will continue to expand and evolve, posing an ongoing challenge for the Alliance and its members. Even the more skeptical and slower to prepare among them are likely to be faced with pressure from a variety of sources, both internal and external to the country, to up their game. For example, the European Union has identified cybersecurity as an issuefor priority action and has called upon NATO to work ever-more closely with the EU to further that end, including through the provision of technical expertise. While there is room for flexibility of approach in terms of how we achieve our key security and defense objectives related to the fifth domain, the indispensable element that cannot be compromised is an ongoing and robust commitment — individually and together — to achieve those goals. Leadership in the face of possible setbacks and in a global climate of restricted resources will be required, but the alternative is not something that we should want to countenance.

Sharon L. Cardash is Associate Director of the George Washington University Homeland Security Policy Institute.