We Need a NATO/EU for Cyber Defense

The role of military cyber is expanding in the westernized democracies, from simply protecting the militaries’ own networks to supporting the national cyber defense of their economies. Whole-of-society defense strategies and more tightly integrated civil-security forces relations have emerged. These national efforts are critical to the survival of democratic societies in an increasingly cyber-enabled authoritarian world, but they do not go far enough.

Now is the time to take these internal civil-military defense efforts to the next step. We must build a NATO/EU equivalent for the cyber conflict age — call it a Cyber Operational Resilience Alliance, or CORA — to defend across the whole of the democratic community. 

Although NATO is building cooperation and coordination among the cyber components of allied militaries, it is not designed to tie together whole-of-society efforts to protect civil commercial infrastructure and the economic system that it sustains. And the EU is not designed for defense missions coordinating processes from intelligence to proactive coordinated operations. 

A CORA would operationally blend the cyber defense actions of aligned nations with the critical roles played by the telecommunications networks that provide the cyber backbones to these nations and by the critical IT capital goods industries that provide the tools, talent, and equipment that enable national cyberspaces to function. It would integrate these sectors to the extent needed for a shared cyber defense of these democratic allies for the near term. And it would buy time for a vital transformation: rebuilding the democracies’ share of cyberspace into a defensible substrate.

Related: An Alliance Too Far: The Case Against a Cyber NATO

Related: Rethink 2%: NATO ‘Defense Spending’ Should Favor Cyber

Related: In Cyberspace, Governments Don’t Know How to Count

After winning the Cold War, western powers slumped into complacency. The internet rose on infrastructure built with minimal concern for security. Cyberspace is now being exploited, literally to death, by a tsunami of state and nonstate actors. The internet is rapidly being fragmented into national cyber jurisdictions, responsibilities, and obligations. The free, open, safe, and globally available internet created in the democracies is dying.

For the first time, the United States and its allies face adversaries able to reach into all layers of the socio-technical-economic system through cyberspace at will, over time, deceptively, and opaquely. These adversaries can steal (or alter) critical information, using it to bury, bribe, bully, or blackmail corporate and political leaders. And they can leave backdoors to allow future actions from theft to destruction.

Rising authoritarian adversaries have developed “not directly kinetic but no less disruptive” campaigns intended to “hollow out” economic rivals. These include using state proxies to subvert democracies by slowly displacing or buying up their IT capital goods and telecommunications industries. There is no guarantee that in twenty years any democratic nation will have the resources in talent, technologies, and institutional will to counter authoritarian demands in technology or policy choices.

The overwhelming scale and variety of malignant cybered challenges – especially those by authoritarian states, their corporate state-champion proxies, and huge state-encouraged patriotic or mercenary criminal classes – have overmatched Western civil societies. The economic losses – estimated at 1 to 2 percent of annual GDP across the U.S. and her allies and partners – are alone enough to hamper the western democratic community in their efforts to secure their national cyberspace assets.

Western leaders are slowly making efforts to reverse the tide. The United States has at last included the defense of its economy as a national security mission for its key cyber unit. A handful of nations, France most recently, have recognized that defending their economies may require actions previously forbidden, such as persistently proactive cyber actions against foreign perpetrators. 

But individual national steps are insufficient. No single state, not even the United States, can resist the whole of the authoritarian world’s cyber onslaughts. So CORA’s first mission is to consolidate the cyber infrastructure of democracies. 

Why is scale important? The democratic community needs an IT capital goods industry and a telecommunications industry that can operate independently of the authoritarian world. The only practical way to do this is to create a market large enough to sustain them. The 35 or so nations that would form CORA would represent a market of more than 900 million people free of authoritarian proxy corporate subversion, hostile or coerced ownership, or tainted market competition.

After ensuring their survival, CORA would push these industries to reinvent the internet with products and protocols engineered from the outset for security. The organization would organize a massive joint investment in academic, commercial, and military cybersecurity R&D, shepherd a new internet into being, and foster the operational civil-military-commercial partnerships that would keep its members safe.

Operationally, CORA would coordinate the cybersecurity processes of governments, companies, organizations — and militaries. Coordinating the latter will enable more comprehensive tracking, analyzing, and modelling of threats; and the development of better ways to defend the government, commercial, and civilian sectors. CORA will integrate the various capabilities and skills of its members’ militaries, putting each to optimal use and organizing support and training as needed.

Militaries in a CORA would have much closer relations with their civilian peers through the joint operations, each contributing through the overarching framework and advancing in cyber competence collectively. The cyber defenders of the telecommunications backbone organizations operate and defend the cyber infrastructure of communities, with the IT capital goods providers generating the product design, maintenance, and commercial actors key to the health of the allied shared IT market. The researchers and students of the universities and labs would be the basic source of the transformation research. Policymakers would provide complementary legal regimes and overarching statutory guidance, as well as funding for both defense and transformation research expenses. 

But the CORA must be, first and foremost, be an operational alliance, not a planning, discussing, policy-exhorting group. Only such an organization will ensure that its member nations can act in unison with respect to system-wide socio-technical-economic cybered threats. Defense threat analysts would work with all three types of organizations directly and across allies to ensure a collective awareness of and response to emerging threats, campaigns, defense gaps, and losses and successes. Cyber defenders would operate in response to or in anticipation of attacks through joint allied centers or in national operations centers hosted by states designated as leads in specialized capacities. 

As goes the democracies’ collective cyber defense, so goes the United States’ future wellbeing. An international CORA is vital.

All the ideas in this work are solely those of the author and do not reflect the position of any element of the U.S. government.