The Ripon Forum

Volume 51, No. 4

Aug/Sept 2017

NATO, Cyber and Article 5

By on September 5, 2017

Creating the intellectual framework to defend the digital domain

by IAN WALLACE

In June of this year, in the aftermath of another round of ransomware attacks, NATO Secretary General Jens Stoltenberg captured the headlines by drawing on the now oft-repeated talking point that a cyber attack could trigger Article 5, the mutual defense clause.1 The true significance of the Secretary General’s remarks lies in the fact that NATO sees an increasingly significant role for itself in this area. And the reason for that lies in a major shift over the past couple of years in the way in which NATO thinks about the topic.

Article 5 and the potential for cyber attacks to take us into war remain an understandable concern for many. Unfortunately, it risks deflecting attention from more immediate and pressing cyber issues with which the Alliance is currently grappling. Besides, if the North Atlantic Council were to decide that the harm done to an ally warrants a collective response from the rest of the Alliance, it would be immaterial whether that harm was caused by a cyber attack, terrorists on an airplane, a missile, or a tank.

But cyber capabilities are changing the Alliance in important ways. Indeed, at the Warsaw Summit in July of last year, after years of politically driven equivocation, the allies finally accepted the fact that they must view cyber not just in the context of their own networks, but in the context of a military domain, akin to land, sea and air. As a result, in a short period of time we have seen significant developments in this area. Across the senior reaches of the NATO hierarchy, officials and military officers are drafting new doctrine, creating new committee structures, and, for the first time, formally considering how to integrate national cyber capabilities into NATO planning.

Across the senior reaches of the NATO hierarchy, officials and military officers are for the first time, formally considering how to integrate national cyber capabilities into NATO planning.

This is essential work, not least because it goes to the core of keeping NATO relevant for the 21st century. The question now is: how do we ensure its success?

First, NATO’s political masters need to build on the momentum created by the designation of cyber as an operational domain to signal a willingness to work through the full implication of thinking of cyber in the context of collective defense, including perhaps even some kind of extended deterrence, and not just protecting NATO networks. This is an aspect of the mission to which other organizations, like the European Union and NATO partner nations, can contribute. But for that to work, the mission needs to be clearly articulated.

Second, allies need to work together to boost capabilities. Fortunately, this is one area where allies are investing their own resources, and the Cyber Defense Pledge of July last year was a step in that direction.2  In addition, through the NATO Industry Partnership, NATO is encouraging closer cooperation with the private sector. But this is not just about building up military strength in the traditional sense. For reasons set out above, central to NATO’s future cyber resilience is going to be the ability to work with owners and operators of critical infrastructure (often from the private sector). Some of this is about technology, but more often than not it is about institutions and workforce development. This is a leadership opportunity for U.S. defense companies and the U.S. private sector, and one that should be embraced.

Allies must be encouraged to invest real resources in thinking through the detail of what this new type of warfare really means.

Third, allies must be encouraged to invest real resources in thinking through the detail of what this new type of warfare really means. Beneath the political level, NATO has now begun a process to develop the structures and doctrine that will be necessary for it to meet the challenges it will face. But NATO itself is under-resourced for this task. Moreover, no one institution can handle these intellectual challenges on its own.

If we assume that these wars will have a coalition dimension, NATO is the place to start with key questions that need to be answered in this regard. For example, how do we bring national cyber assets to bear in support of cyber operations (hint: probably much the same as we do Special Forces)? How do we factor the threat to national critical infrastructures into our military planning? And, perhaps most vexing and urgent, how do we deal with cyber enabled information operations?

It is all very well to invest in technology to address our cyber challenges. But all that will be for naught if we are unable to create good frameworks within which to organize our thinking. If we can make that investment now, however, there is a real opportunity to shape NATO thinking at a crucial moment. Let’s not miss it.

Ian Wallace is co-director of New America’s Cybersecurity Initiative, and a senior fellow in the International Security program.

______________________________________________

1) www.telegraph.co.uk/news/2017/06/28/nato-assisting-ukrainian-cyber-defences-ransom-ware-attack-cripples/

2) www.nato.int/cps/en/natohq/official_texts_133177.htm

Print Friendly, PDF & Email

Subscribe

If you enjoyed this article, subscribe now to receive more just like it.

Comments are closed.

Top