Novi Elysa

An Alliance Too Far: The Case Against a Cyber NATO

Should such an organization even get off the ground, it would soon fall apart. But there are other paths to take.

Former Estonian President Toomas Ilves delivered a familiar speech at the recent CyCon conference in Tallinn, reprising last year’s call before the U.S. House Foreign Affairs Committee for “a new form of defense organization, a non-geographical” and “strictly criteria-based organization to defend democracies” in cyberspace. Conceptually, a “cyber NATO” that would go beyond North America and Europe is an interesting idea – and not only because it subtly implies that in its current form neither NATO nor the EU are able to hold the line. But can Ilves’ idea of a league of democratic nations survive analytical scrutiny? Let’s fire a few shots to see whether we can sink it.

In his CyCon speech, Ilves says the membership of his envisioned cyber NATO would be restricted to “countries that genuinely are democracies as defined by free and fair elections, the rule of law, and the guarantee of fundamental rights and freedoms.” This sounds as if those criteria are not merely entry requirements, but also describe a set of minimum standards that each member would have to consistently adhered to. Non-compliance or a failure of maintaining said standards would presumably lead to the revocation of membership and expulsion from the cyber alliance.

But discerning which democracies would qualify for membership is not as straightforward as Ilves suggests. In both his House testimony and the CyCon speech (and this essay for Defense One) he entrusts liberal democracies to carry the torch, because they share a “true dedication to democracy” and are unable to use illiberal methods to symmetrically defend themselves against threats emanating from cyberspace.

Related: We Need a NATO for Infowar

To build his case, Ilves notes that “Australia, Japan, Uruguay, and Chile, all rated as free democracies by Freedom House, are just as vulnerable as NATO allies such as the United States, Germany, or my own country, Estonia.” What Ilves does not say is that, if this Freedom in the World Index is applied, all nations in the Middle East—except for Israel—and the majority of African and Asian states, including Singapore, would be disqualified from membership. As it currently stands, only 88 out of the 195 countries assessed by Freedom House received the label “free” in 2018.

Granted, 88 is a big number—almost triple the size of NATO—so in terms of quantity this would definitely be a step up. But what if we use a more specialized measurement, such as the Democracy Index maintained by the Economist Intelligence Unit? By its measure, there were only 19 “full democracies” in 2017, meaning those countries “in which not only basic political freedoms and civil liberties are respected, but which also tend to be underpinned by a political culture conducive to the flourishing of democracy.” The next category, “flawed democracies,” encompasses 57 countries that hold free and fair elections and respect basic civil liberties, yet “exhibit significant weaknesses…including problems in governance, an underdeveloped political culture and low levels of political participation.” If we apply Ilves’ membership definition as of only those “showing a true dedication to democracy,” then obviously flawed democracies cannot be part of the equation. That essentially disqualifies countries such as Poland, Hungary, and Italy, but also India, Brazil, Chile, France, Japan, South Korea, and even the United States.

The fact is that there is no established consensus on how to adequately measure democracy or freedom for that matter. Research conducted by Sarah Sunn Bush, assistant professor of political science at Temple University, even suggests that “although country rankings give the appearance of neutrality, they involve subjective decisions about how to define key concepts,” which explains why “countries aligned with U.S. foreign policy tend to receive better scores in Freedom House than in other prominent indicators.”

So let’s look past democracy and freedom indexes. Can we find an existing organization that is (a) larger than NATO, (b) has “a strategic, diverse, and geographically representative membership,” (c) is committed to “uphold the values of democracy based on the rule of law and human rights,” (d) “aims to make life harder for terrorists, tax dodgers, crooked businessmen and others whose actions undermine a fair and open society,” and (e) “focuses on the development of better policies to ensure that security and privacy foster economic and social prosperity in an open and interconnected digital world”? Lo and behold, the OECD fulfills all those criteria.

Obviously, the OECD is not a defensive alliance nor a security organization. Its convention does not include a collective self-defense clause nor does it encourage its member states to progressively improve their military capabilities. But let us envision how we might pitch the idea of a global “cyber NATO” to its members. We would have to explain how a domain-specific defense alliance would not expose its members to new dependencies and security threats elsewhere. For example, if Germany joins the cyber alliance, will it be expected to take diplomatic action (say, economic sanctions) if the Chinese government runs an information-warfare campaign against the Chilean national election? What if Israel joins and its critical infrastructure is targeted by a threat actor from Iran; could this spill over and sink the EU position on the Iranian nuclear deal? If in both cases the answer is “no,” then—apart from political symbolism—why should states care to join an alliance of unequals?

Ilves’ cyber NATO actually does open up a few interesting academic questions, such as: How do alliances form in cyberspace? Do they require pre-existing military or security cooperation in one of the four other warfare domains (land, air, sea, and space)? How can such a cyber alliance maintain diplomatic cohesion when its threat landscape is divorced from the physical realm? And can states balance, bandwagon, or even exercise neutrality in cyberspace?

I do not have any good answers to these questions, primarily because there is not enough historical data yet to make those calls. Therefore, from an academic point of view, one could argue that the only way to prove Ilves’ idea wrong is to implement it and see what happens.

However, going back to the practical side of things, there is one fundamental problem that will sink Ilves’ criteria-based approach: alliance instability. On the one hand, the envisioned cyber alliance is tasked to continuously build trust between its members, which in turn will foster increased cooperation. On the other hand, the alliance will have to be agile enough to expel any member state whose national election catapults anti-liberal forces into government. So the basic question comes down to this: Would a cyber NATO kick out the United States under a confrontational and inward-looking Trump administration, even though Ilves himself stressed that “only the U.S. is capable of putting [a cyber NATO] together, only the U.S. has the possibility of providing leadership”? Would the cyber alliance expel the Visegrad Four for their political stance on immigration? What about Italy under a 5 Star-Lega coalition? And how might it handle a country like Ukraine, which Freedom House judged a “free” democracy between 2005-2010 but is now deemed only “partially free”? Does Ukraine not deserve protection especially in times of political upheaval?

The idea of creating a cyber NATO of likeminded liberal democracies is not a bad one – far from it—but it is highly doubtful whether it can actually function in practice and whether it will bring anything substantially new to the table. Qualitatively, the same results can be achieved within existing security and defense structures. NATO could simply be encouraged to create specific cyber tracks within its Partnership for Peace initiative. The EU could adapt its outreach mechanism on cyber defense within the context of CSDP. And Europol and Eurojust could improve international cooperation in their fight against cybercrime and money laundering by expanding on the Joint Cybercrime Action Taskforce, or J-CAT, model.

In the end, however it will all come down to one thing: a functioning deterrence posture in cyberspace. As with all the other domains, the old deterrence dictum of “if you do not send a message, you send a different one” still holds true. And as long as liberal democracies believe that they will fix this mess peacefully and through diplomatic means, the longer they will be stuck in a detrimental situation of escalating cyber threats.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.