Incyder news

 

21 July 2016


Subscribe

NATO Recognises Cyberspace as a ‘Domain of Operations’ at Warsaw Summit

It also reaffirms the applicability of international law and NATO’s defensive mandate for cyberspace. In addition, it pledges to further develop NATO-EU cyber defence cooperation, and to commit more resources to cyber defence capabilities.

 

The NATO Warsaw Summit, held on 8 – 9 July 2016, brought together the heads of state and government of NATO countries, along with representatives from other nations including Montenegro, Ukraine, Georgia, and Russia. Apart from reaffirming existing commitments, such as on strengthening cyber defence capabilities and the applicability of international law, the Summit recognised cyberspace as a ‘domain of operations’.

 

Context

The Warsaw Summit took place almost two years after the Wales Summit, at which NATO recognised that international law applies to cyberspace and that cyber defence is part of NATO's core task of collective defence. The Enhanced Cyber Defence Policy was also endorsed in Wales.

The Warsaw Summit took place amidst the persistent migrant crisis in Europe, the ongoing armed conflicts in Syria and Iraq, the partly-frozen armed conflict in Ukraine, and in the aftermath of the so-called ‘Brexit’ referendum in the United Kingdom, and the issue of cyber defence was rather overshadowed by these events. Curiously, some NATO websites suffered from outages during the summit, prompting some officials to suspect malicious activity. Other recent incidents, such as the infiltration of the U.S. Democratic National Committee's computer network, have shown that covert cyber and information operations targeting decision-making processes in NATO countries remain a major issue.

 

Cyberspace as a ‘domain of operations’

Cyber defence is dealt with in two paragraphs of the Warsaw Summit Communiqué, paragraphs 70 and 71. In these, the heads of state and government ‘reaffirm NATO’s defensive mandate’, that ‘cyber defence is part of NATO’s core task of collective defence’, and that NATO is ready for the Allies to invoke collective defence in response to a significant cyberattack, the equivalent of an armed attack through cyberspace. This repeated what had been declared following the Wales Summit.

However, the Allies now ‘recognise cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land, and at sea’. The sentences following this statement, which are supposed to shed more light on the practical implications, are difficult to decode, but they mention  ‘broader deterrence and defence […,] integrat[ion] into operational planning and Alliance operations and missions […,] more effective organisation of NATO’s cyber defence and better management of resources, skills, and capabilities’. It takes some reading between the lines to understand the intentions of the drafters.

First, equating cyberspace with the other domains when talking about defence should mean that there is no longer a fundamental difference between them. The core assets of NATO in the other domains are capabilities with which it can defend itself, so now NATO should be prepared to develop these in cyberspace as well. A recent policy paper by the NATO CCD COE and a Tallinn Paper from 2015 view this as a desirable development, but they hasten to add that more practical steps need to be taken. It remains unclear if NATO now officially recognises this and is willing to accept drawing the logical conclusions.

Second, the use of the word ‘deterrence’ in connection with cyberspace is significant, because it is another step towards the acceptance of offensive cyber capabilities as part of collective defence. However, linking deterrence to cyber defence is difficult. The line of argument is simple: how can you achieve deterrence when your adversaries are not afraid of you, because they do not know what offensive capabilities you have and when and how you would use them? Others view the term more broadly, and they are willing to admit that there exists something like ‘deterrence by denial’. The extension of deterrence to the cyber realm should be considered by NATO, but it relies primarily on the will of nations.

Third, the idea of moving towards recognition of offensive cyber capabilities is supported by the statement that cyber defence will be integrated into operational planning and NATO’s operations and missions. As NCIA is already responsible for protecting NATO networks in an operational setting, this statement makes little sense if it only refers to passive capabilities. Nevertheless, no official commitment was made in this regard, as the Alliance continues to avoid public statements about offensive cyber capabilities.

Fourth, when talking about ‘more effective organisation’, NATO may be hinting at the possibility of establishing its own Cyber Command, even though the path will be long and hampered by the natural tendency of most Allies to keep their cyber capabilities to themselves rather than committing their resources to NATO.

 

Capabilities development

According to the Communiqué, the Allies ‘have committed to enhanc[ing] the cyber defences of [their] national networks and infrastructures, as a matter of priority’. They will improve their national capabilities to respond to cyberattacks, including in hybrid contexts, and NATO’s capabilities will be undergoing ‘continuous adaptation’. It is not clear what the curious introduction of hybrid contexts in this commitment actually entails.

The Allies are also ‘expanding the capabilities and scope of the NATO Cyber Range’ (para 71). In practice, this means that further investments are to be made to the NATO Cyber Range facility in Estonia. These investments will enable an expansion of the number of participating teams and increase the complexity of such exercises as Locked Shields or Cyber Coalition.

The Communiqué then refers to another document approved at the Summit, the Cyber Defence Pledge, which states that the Allies will ‘ensure [that] the Alliance keeps pace with the fast evolving cyber threat landscape’. In it, the Allies stipulate that they will prioritise the development of ‘the fullest range of capabilities to defend national networks and infrastructures’, which means that cyber defence will be addressed at the ‘highest strategic level’ nationally, and that it will be further integrated into operations and its coverage extended to deployable networks.

The division of labour in cyber defence, meaning that NATO will protect its own systems and member states will protect theirs, is preserved, but the pledge puts an emphasis on ‘[e]xpedit[ing] implementation of agreed cyber defence commitments including for those national systems upon which NATO depends’. The progress on the delivery of the pledge will be tracked by an annual assessment based on agreed metrics and reviewed at the next summit.

The Cyber Defence Pledge was taken alongside the Commitment to Enhance Resilience, in which the Allies reiterate their pledge on defence investment made at the Wales Summit. Increased defence investment is seen as key to enhancing resilience, as is the protection of supply chains. These guidelines fully apply to cyber defence.

 

External cooperation

The summit documents highlight the importance of cyber defence cooperation both among the Allies and with third countries and other parties. Only Jordan is mentioned specifically in the Communiqué (para 106), but it can be assumed that other countries will be receiving assistance from NATO in cyber defence. For example, Ukraine will receive a Comprehensive Assistance Package, according to the Joint statement of the NATO-Ukraine Commission at the level of Heads of State and Government, and although cyber defence does not appear in the statement, it is likely that the package will include it. A few weeks before the Summit, the Minister of Defence of Ukraine presented the Ukrainian Strategic Defence Bulletin to NATO Defence Ministers. The bulletin describes the planned reform of Ukrainian Defence Forces with a view to adopting NATO standards, including in cyber defence. The issue is also tackled by the Trust Funds established following the Wales Summit.

Much attention was also devoted to the cooperation between NATO and the EU. The parties signed a Joint Declaration, which explicitly lists cyber security and cyber defence among its major topics. The Technical Arrangement between the NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team for the European Union (CERT-EU) was signed on 10 February 2016 (its text is not publicly available). According to news from Finland’s Yle TV, NATO and the EU are considering the establishment of a hybrid threat defence centre, which would be a natural development of a common interest, expressed by the EU in April 2016. The organisations could also share some of their technical tools and assets, such as NATO’s Cyber Range or the NATO Cyber Information and Incident Coordination System (CIICS). Three EU countries (Austria, Finland, and Sweden), which are not NATO members, are already contributing staff and resources to the NATO CCD COE, showing that they value cyber defence cooperation with NATO members.

The NATO Industry Cyber Partnership was also noted in the Communiqué and continues to be an important initiative for the Alliance.

 

Hybrid threats

Hybrid threats are dealt with more prominently in the Warsaw Summit Communiqué than in the Wales Summit Declaration, and they are now directly linked to cyber threats (paras 71, 72 and 135). A strategy and actionable implementation plans on NATO’s role in countering hybrid warfare were also adopted (para 72). This is a more general trend, in which states seem to be seeking closer integration of cyber operations and ‘information environment operations’ (compare the US Department of Defense Strategy for Operations in the Information Environment from June 2016).

Cyberattacks and hybrid threats are also mentioned side by side in another Summit document, the Warsaw Declaration on Transatlantic Security.

The NATO CCD COE has explored the information warfare aspect of current conflicts and its link to cyber defence and security in a few recent publications, such as the book Cyber War in Perspective: Russian Aggression against Ukraine, and the article ‘Influence Cyber Operations: The Use of Cyberattacks in Support of Influence Operations’ (CyCon 2016 Proceedings, pages 113-126). The conclusion of this research is that some non-NATO countries and non-state actors do not distinguish between influence operations and cyberspace operations, so NATO has to be prepared to face such combined operations when these two notions overlap.

 

Main conclusions

  • Cyber defence was clearly prioritised at the Warsaw Summit and linked to the protection from hybrid threats.
  • NATO-EU cooperation in cyber security and defence was highlighted.
  • Overall, the Warsaw Summit Communiqué, the Cyber Defence Pledge, and the other Summit documents reiterate the achievements of the previous summits, but they also introduce several new ideas, such as treating cyberspace as a domain of operations, which may and should lead to more practical results in the future.
  • However, NATO is still treading carefully around open acceptance of offensive cyber operations as part of collective defence.

 

Tomáš Minárik

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.