A Missed Chance for NATO’s Cybersecurity Future

NATO defense ministers including Defense Secretary Chuck Hagel met in Brussels, Oct. 22, 2013.

DOD photo by U.S. Marine Corps Sgt. Aaron Hostutler

AA Font size + Print

NATO defense ministers including Defense Secretary Chuck Hagel met in Brussels, Oct. 22, 2013.

On the back of NATO’s defense ministerial, member-states still need to address the alliance’s major cybersecurity shortfalls – and there are plenty. By Daniel Pitcairn

After a meeting of NATO defense ministers in Brussels this week, questions loom large for the alliance’s cyber strategy. Defense Secretary Chuck Hagel said the ministers “agreed that the alliance must do more to deal with cyber threats,” but they did not take the opportunity to elaborate on its cybersecurity role and potential responses in case of cyber warfare.

In the aftermath of major cyberattacks on Estonia in 2007 by ‘patriotic’ hackers in Russia, NATO moved quickly to update its then-primitive cyber defenses. Within a year, NATO countries laid some groundwork for a centralized defense of NATO networks. The alliance created Rapid Reaction Teams to aid member-states under cyberattack and established a state-of-the-art cyber research center. At the 2010 and 2012 summits in Lisbon and Chicago, the alliance developed and affirmed a defensive cyber strategy. However, more than six years after the Estonia attacks, NATO is still behind the curve in two crucial ways: cyber warfare is not incorporated into its strategic doctrine and member-states’ individual cyber weaknesses are becoming a major liability for the entire alliance.

The outstanding question for NATO’s cyber strategy is whether or not its famous Article 5 — the statute asserting, “an armed attack against one or more… shall be considered an attack against them all” — should apply to cyberattacks. Those allies and scholars who oppose extending the collective defense trigger argue that cyber deterrence is nearly impossible because cyberspace provides anonymity to adversaries. However, extending the application of Article 5 to cyberattacks that meet a certain threshold of severity might actually give NATO more flexible response options. In the case of a severe cyberattack, the alliance would not be required to act militarily — it would simply have the authority to do so to the fullest extent. Just as the U.S. has asserted that it “will respond to hostile acts in cyberspace just as [it] would to any other threat,” so should NATO be prepared to use its full capabilities to counter cyberattacks.

The adoption of Article 5 also could help stabilize the growing cyber arms race. The lack of established conventions and norms governing conflict in cyberspace has generated uncertainty that translates into a lingering security dilemma. By extending Article 5 to the cyber domain, NATO would link military action in cyberspace to international law — the Law of Armed Conflict — the set of governing rules for inter-state conflict agreed to by the international community.

At the national level, some member-states do not yet have robust cybersecurity strategies of their own. While the U.S. and U.K. have given their defense agencies a primary role in developing cybersecurity, several allies including Germany, the Czech Republic, Slovakia and Romania have given leading roles to their interior, finance or communications ministries.

Hagel said that NATO’s cyber defense capability “is on track to achieve full operational capabilities next week,” but the integrity of allied information sharing is only as good as its member-states’ networks. Due to national sovereignty concerns of member-states, NATO decided it would not be responsible for national network security. This presents a particular problem for countries like the U.S., which have a great deal to lose through vulnerable networks of weaker member-states. The security of these networks is essential for the safeguarding of critical information on key U.S. military assets and strategies. Of greatest concern is the information allies are permitted to receive regarding U.S. nuclear weapons. The ATOMAL Agreement of 1965 allows NATO allies to receive confidential information on U.S. nuclear weapons capabilities and strategy in order to ensure the alliance’s effective collective military capacity. New and aspiring members of NATO may not be prepared to defend their networks from the growth in cyber attacks they will face when they become privy to critical U.S. national security information.

At a time when NATO’s future is unclear, the alliance cannot afford to have cybersecurity concerns jeopardizing working relationships between allies. NATO should move beyond statements and prioritize setting minimal security requirements for member-states’ networks. If the alliance is to cement its role as a reliable provider of stability and security for the transatlantic community in the 21st century, it must tackle the most fundamental cyber issues head on.

Daniel Pitcairn is a research fellow with Government Business Council.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • GBC Issue Brief: Supply Chain Insecurity

    Federal organizations rely on state-of-the-art IT tools and systems to deliver services efficiently and effectively, and it takes a vast ecosystem of organizations, individuals, information, and resources to successfully deliver these products. This issue brief discusses the current threats to the vulnerable supply chain - and how agencies can prevent these threats to produce a more secure IT supply chain process.

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Information Operations: Retaking the High Ground

    Today's threats are fluent in rapidly evolving areas of the Internet, especially social media. Learn how military organizations can secure an advantage in this developing arena.


When you download a report, your information may be shared with the underwriters of that document.