An Alliance Too Far: The Case Against a Cyber NATO

Former Estonian President Toomas Ilves delivered a familiar speech at the recent CyCon conference in Tallinn, reprising last year’s call before the U.S. House Foreign Affairs Committee for “a new form of defense organization, a non-geographical” and “strictly criteria-based organization to defend democracies” in cyberspace. Conceptually, a “cyber NATO” that would go beyond North America and Europe is an interesting idea – and not only because it subtly implies that in its current form neither NATO nor the EU are able to hold the line. But can Ilves’ idea of a league of democratic nations survive analytical scrutiny? Let’s fire a few shots to see whether we can sink it.

In his CyCon speech, Ilves says the membership of his envisioned cyber NATO would be restricted to “countries that genuinely are democracies as defined by free and fair elections, the rule of law, and the guarantee of fundamental rights and freedoms.” This sounds as if those criteria are not merely entry requirements, but also describe a set of minimum standards that each member would have to consistently adhered to. Non-compliance or a failure of maintaining said standards would presumably lead to the revocation of membership and expulsion from the cyber alliance.

But discerning which democracies would qualify for membership is not as straightforward as Ilves suggests. In both his House testimony and the CyCon speech (and this essay for Defense One) he entrusts liberal democracies to carry the torch, because they share a “true dedication to democracy” and are unable to use illiberal methods to symmetrically defend themselves against threats emanating from cyberspace.

Related: We Need a NATO for Infowar

To build his case, Ilves notes that “Australia, Japan, Uruguay, and Chile, all rated as free democracies by Freedom House, are just as vulnerable as NATO allies such as the United States, Germany, or my own country, Estonia.” What Ilves does not say is that, if this Freedom in the World Index is applied, all nations in the Middle East—except for Israel—and the majority of African and Asian states, including Singapore, would be disqualified from membership. As it currently stands, only 88 out of the 195 countries assessed by Freedom House received the label “free” in 2018.

Granted, 88 is a big number—almost triple the size of NATO—so in terms of quantity this would definitely be a step up. But what if we use a more specialized measurement, such as the Democracy Index maintained by the Economist Intelligence Unit? By its measure, there were only 19 “full democracies” in 2017, meaning those countries “in which not only basic political freedoms and civil liberties are respected, but which also tend to be underpinned by a political culture conducive to the flourishing of democracy.” The next category, “flawed democracies,” encompasses 57 countries that hold free and fair elections and respect basic civil liberties, yet “exhibit significant weaknesses…including problems in governance, an underdeveloped political culture and low levels of political participation.” If we apply Ilves’ membership definition as of only those “showing a true dedication to democracy,” then obviously flawed democracies cannot be part of the equation. That essentially disqualifies countries such as Poland, Hungary, and Italy, but also India, Brazil, Chile, France, Japan, South Korea, and even the United States.

The fact is that there is no established consensus on how to adequately measure democracy or freedom for that matter. Research conducted by Sarah Sunn Bush, assistant professor of political science at Temple University, even suggests that “although country rankings give the appearance of neutrality, they involve subjective decisions about how to define key concepts,” which explains why “countries aligned with U.S. foreign policy tend to receive better scores in Freedom House than in other prominent indicators.”

So let’s look past democracy and freedom indexes. Can we find an existing organization that is (a) larger than NATO, (b) has “a strategic, diverse, and geographically representative membership,” (c) is committed to “uphold the values of democracy based on the rule of law and human rights,” (d) “aims to make life harder for terrorists, tax dodgers, crooked businessmen and others whose actions undermine a fair and open society,” and (e) “focuses on the development of better policies to ensure that security and privacy foster economic and social prosperity in an open and interconnected digital world”? Lo and behold, the OECD fulfills all those criteria.

Obviously, the OECD is not a defensive alliance nor a security organization. Its convention does not include a collective self-defense clause nor does it encourage its member states to progressively improve their military capabilities. But let us envision how we might pitch the idea of a global “cyber NATO” to its members. We would have to explain how a domain-specific defense alliance would not expose its members to new dependencies and security threats elsewhere. For example, if Germany joins the cyber alliance, will it be expected to take diplomatic action (say, economic sanctions) if the Chinese government runs an information-warfare campaign against the Chilean national election? What if Israel joins and its critical infrastructure is targeted by a threat actor from Iran; could this spill over and sink the EU position on the Iranian nuclear deal? If in both cases the answer is “no,” then—apart from political symbolism—why should states care to join an alliance of unequals?

Ilves’ cyber NATO actually does open up a few interesting academic questions, such as: How do alliances form in cyberspace? Do they require pre-existing military or security cooperation in one of the four other warfare domains (land, air, sea, and space)? How can such a cyber alliance maintain diplomatic cohesion when its threat landscape is divorced from the physical realm? And can states balance, bandwagon, or even exercise neutrality in cyberspace?

I do not have any good answers to these questions, primarily because there is not enough historical data yet to make those calls. Therefore, from an academic point of view, one could argue that the only way to prove Ilves’ idea wrong is to implement it and see what happens.

However, going back to the practical side of things, there is one fundamental problem that will sink Ilves’ criteria-based approach: alliance instability. On the one hand, the envisioned cyber alliance is tasked to continuously build trust between its members, which in turn will foster increased cooperation. On the other hand, the alliance will have to be agile enough to expel any member state whose national election catapults anti-liberal forces into government. So the basic question comes down to this: Would a cyber NATO kick out the United States under a confrontational and inward-looking Trump administration, even though Ilves himself stressed that “only the U.S. is capable of putting [a cyber NATO] together, only the U.S. has the possibility of providing leadership”? Would the cyber alliance expel the Visegrad Four for their political stance on immigration? What about Italy under a 5 Star-Lega coalition? And how might it handle a country like Ukraine, which Freedom House judged a “free” democracy between 2005-2010 but is now deemed only “partially free”? Does Ukraine not deserve protection especially in times of political upheaval?

The idea of creating a cyber NATO of likeminded liberal democracies is not a bad one – far from it—but it is highly doubtful whether it can actually function in practice and whether it will bring anything substantially new to the table. Qualitatively, the same results can be achieved within existing security and defense structures. NATO could simply be encouraged to create specific cyber tracks within its Partnership for Peace initiative. The EU could adapt its outreach mechanism on cyber defense within the context of CSDP. And Europol and Eurojust could improve international cooperation in their fight against cybercrime and money laundering by expanding on the Joint Cybercrime Action Taskforce, or J-CAT, model.

In the end, however it will all come down to one thing: a functioning deterrence posture in cyberspace. As with all the other domains, the old deterrence dictum of “if you do not send a message, you send a different one” still holds true. And as long as liberal democracies believe that they will fix this mess peacefully and through diplomatic means, the longer they will be stuck in a detrimental situation of escalating cyber threats.