Supreme Allied Commander Europe U.S. Air Force Gen. Phillip Breedlove speaks during a media briefing at NATO headquarters in Brussels on Thursday, Feb. 11, 2016.

Supreme Allied Commander Europe U.S. Air Force Gen. Phillip Breedlove speaks during a media briefing at NATO headquarters in Brussels on Thursday, Feb. 11, 2016. AP / Virginia Mayo

Former NATO Commander: Alliance Needs to Take Cyber Fight to Russia's Door

In May, a former NATO supreme commander urged the alliance to plan an offensive cyber policy to combat Russian information influence operations.

Philip Breedlove was getting hacked by the Russians before it was cool. In 2016, the same group that penetrated the Democratic National Committee also stole the former supreme commander of NATO’s personal emails, and published them to a Kremlin-produced website called DC Leaks. Recently the Air Force general advocated for a strong alliance pushback on Russian cyber-influence operations.

He says it must start with a strong NATO policy that would allow the alliance to conduct offensive cyber and information operations against Russia. His views contrast with those of President Donald Trump who, on the eve of his first meeting with Vladimir Putin, again refused to acknowledge the extent of the Kremlin’s actions aimed at the U.S. election and declined to voice support for tough measures.

Speaking at a May security forum, Breedlove said that it was up to the U.S. and NATO to hold Russia accountable for its actions, and that accountability should take the form of offensive cyber and information attacks. “We in NATO have incredible cyber capability. But we in NATO do not have an incredible cyber policy. In fact, our policy is quite limiting. It really does not allow us to consider offensive operatives as an alliance in cyber,” he said.

One of the tenets of the NATO alliance is that a military attack on one member triggers the collective-defense provision dubbed Article 5. But alliance leaders are still trying to figure out when a network attack might constitute an act of war. In June 2016, NATO Secretary General Jens Stoltenberg told reporters that a cyber attack on an ally could trigger an Article 5 response. But he said that the threshold would have to be very different than it is for a bombing, firefight, or some other violent, physical act of war. “It's hard to imagine a conflict without a cyber dimension. So, yes, cyber can trigger Article 5, but the same time I think it's also important to understand that cyber is not something that always triggers Article 5,” he said.

A month after Stoltenberg spoke, NATO nations signed a Cyber Defense Pledge to increase collective funding for cyber deterrence and training and to seek industry partnerships. NATO nations also stepped up their cyber exercises. The largest one so far April’s Locked Shields took place in Estonia and featured 800 participants from 25 nations and more than 2,500 simulated cyber attacks.

Neither the secretary general’s words nor the stepped-up preparations stemmed the Russian attacks. The July 2016 attack on the DNC was followed in October by attacks on U.S. voting infrastructure. In January, the same Kremlin-backed group also began targeting the French elections.

German officials believe  that Russia will also target their upcoming elections through similar influence operations. All of this begs the question: what good is a military alliance of collective defense if it doesn’t collectively defend?

This June, Stoltenberg reiterated that a cyber attack on a NATO-aligned nation could trigger an Article 5 response. But it came off as less like a warning than a marketing gimmick. “We have … decided that a cyber attack can trigger Article 5 and we have also decided and we are in the process of establishing cyber as a military domain, meaning that we will have land, air, sea and cyber as military domains. All of this highlights the advantage of being an alliance of 29 allies because we can work together, strengthen each other and and learn from each other,” he said.

In general, NATO leaders appear less eager than Breedlove to go on the cyber offensive. When Defense One asked about the former general’s comments, NATO Acting Spokesperson Piers Cazalet said, “NATO is a defensive alliance and cyber defense is part of our core task of collective defense. NATO will always act in line with its defensive mandate and in accordance with international law … ‘Hacking back’ is not the only possible answer to a cyber attack. The best response is to prevent the attack from happening in the first place. This is why bolstering NATO and allies’ cyber defenses and resilience is a top priority.”

The problem is that NATO is a military alliance, and Russian cyber and information operations are precisely designed not to provoke a military response. Indeed, that is one of the primary values of cyber operations to Russia.

This year’s edition of the Pentagon’s Russia Military Power report described cyber and influence operations as core capabilities, and included a section on indirect warfare. It was the first DIA Russia report since the fall of the Soviet Union. Much had changed.

“Indirect action is a component of Russia’s strategic deterrence policy developed by Moscow in recent years. Its primary aim is to achieve Russia’s national objectives through a combination of military and non-military means while avoiding escalation into a full blown, direct, state-to-state conflict,” the report says.

This idea, commonly referred to as the Gerasimov Doctrine, is typically credited to Gen. Valery Vasilyevich Gerasimov, who leads the Russian General Staff of the Armed Forces. It refers to an article lays out a framework to determine how to attack an enemy without provoking a direct military retaliation. It’s war by persistent annoyance. 

The originator of the term, Prague-based Russia expert Mark Galeotti, has since distanced himself from the term saying that Gerasimov's article doesn't meet any real definition of a "doctrine," and that some of Gerasimov's comments were taken out of context. However, Galeotti does not dispute the reality of what the label describes, constant Kremlin destabilization efforts that occur beneath the threshold of conflict. 

“Russian security and military theorists have posited in recent years that conflict has begun to increasingly be characterized by integrated military and non-military actions. Chief of the General Staff Gerasimov's article in early 2013 was one of the most prominent discussions of how these types of actions characterize modern warfare, and he explicitly claimed that the West uses such techniques. Though these articles typically ascribe ‘indirect actions’ to what Russia claims is the Western way of war, Moscow itself used some of these de-stabilization techniques in its operations in Ukraine,” a spokesperson for the Defense Intelligence Agency said. “While the article was seized upon by some commentators as representing a new ‘Gerasimov doctrine’, the article is only one of numerous Russian articles discussing the increasing importance of non-military tools in modern conflict.”

For Breedlove, the idea is not just theoretical construct, it’s the reason his email was hacked. “It’s active in almost every nation. This is certainly active in my nation.”

Countering indirect cyber operations won’t be easy. But Breedlove believes that NATO’s current response stops short of even trying. That lack of resolve shows the Kremlin that the strategy is effective. “The enemy is bringing information warfare to us in all of our capitals and to us as an alliance. We have elected again to act reactively and defensively,” he said. “A disruptive answer to these cyberattacks might first be a policy that will allow us to return fire to offensively take the fight to the enemy, which is what we in the military want to do. As a fighter pilot … we always say that the best defense is a good offense. If you have a missile in the air headed at your opponent, he’s not worried about attacking you right now. He’s worried about survival. “

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.