The alliance has made strides toward its 2016 Cyber Defense Pledge. But more must be done, and urgently.
It’s no surprise that NATO Secretary General Jens Stoltenberg and U.S. President Donald Trump spent much of their recent White House meeting talking about boosting alliance members’ spending; that’s been a focus of Trump’s since the campaign trail, and a target of NATO members since 2014. But it’s not the only, nor the most recent and urgent of the alliance’s pledges. That would be the two-year-old Cyber Defense Pledge.
Stoltenberg understands this. A few days before his American swing, he told a Paris audience that the pledge isn’t getting the attention it deserves. “Today’s great leap forward is not physical, but digital,” the secretary-general said. “Nowhere is the ‘fog of war’ thicker than it is in cyberspace”; some are using “software to wage a soft war.”
These “soft wars” have very real, complex, profound, and potentially deadly consequences. NATO has long prepared to fight in the physical domains of land, air, and sea. But we are currently under attack in cyberspace, and the attacks are ever growing in sophistication and effect. We must prioritize cyber defense.
This was the idea behind the pledge adopted two years ago at the Warsaw Summit. Allies committed to give the matter strategic-level attention; strengthen national cyber resilience, develop adequate organizational frameworks and relevant information exchange mechanisms; introduce modern capabilities; boost related spending; and keep up with training, education, and exercises.
The pledge has had some positive effects. It has raised member governments’ awareness of the need for a whole-of-society approach to cyber defense. “The Cyber Pledge has a multiplier effect across the Alliance,” Stoltenberg said, helping “nations to look at their cyber-defences in a far broader, more holistic way, involving government departments, public sector organisations, private companies and individual citizens.”
Meanwhile, NATO itself has extended the centralized the protection of its networks, and is improving its ability to coordinate cyber defense capability development, offer cyber situational awareness, facilitate joint training and exercises, and develop international cyber partnerships, including a dedicated NATO-industry team-up launched four years ago.
And alliance members took the opportunity in Warsaw to make this explicit: “cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.” This has been followed by an agreement, highlighted by Stoltenberg in November, to integrate voluntary national cyber contributions into NATO’s operations. In cyberspace as in other domains, the alliance will rely on the capabilities offered voluntarily by allies to support and conduct its operations. This will be done within a principled political-legal framework, agreed by allies, in line with NATO’s defensive mandate and in full compliance with international law.
In February, the allies’ defense ministers agreed to create a Cyber Operations Center as part of the new NATO command structure, the first cyber-dedicated entity within this structure. This will contribute to more effective and comprehensive integration of cyber into NATO planning and operations at all levels.
But more must be done. We must overcome the old “analog hangover” and evolve past our traditional habit of planning defense around mainly physical factors and prepare instead for an increasingly digital battlefield. This will require a change of mindset, and recognizing the strategic and tactical implications of an evolving cyber threat landscape and the deep dependence of all our physical capabilities upon digital enablers. We must continuously increase cyber resilience, which is fundamental for defense.
We need to further embrace innovation and new technologies, such as artificial intelligence, by streamlining the IT acquisition procedures that were designed for long-lifecycle physical capabilities. We should also improve the information exchange for joint cyber situational awareness and upgrade training and military planning, with the specific goal of operating in a degraded cyber environment. And we should look to integrate voluntary national cyber contributions into NATO’s operations.
Cyber is now a key part of NATO’s deterrence and defense posture and its modernization process will be a theme at the upcoming Alliance Summit in Brussels this July. It is therefore important to make sure that neither NATO’s developments in the cyber domain nor its evolving challenges are “lost in translation.”