NATO’s Cyberdefense Readiness
By Adm. James Stavridis, dean emeritus of the Fletcher School of Law and Diplomacy at Tufts University
As we saw again at last week’s NATO summit, virtually all of President Donald Trump’s focus on NATO has been over its members not living up to spending pledges. Here he is right: The U.S. shoulders far too much of NATO’s overall defense spending, although most of the allies are getting better. But lurking under the broad debate over what percentage of GDP should be spent on the military is a more important and nuanced metric.
The most pressing concern for the alliance in today’s world is overall cyber-defense readiness. After all, it is highly unlikely that Vladimir Putin will choose to cross a NATO border with tanks, troops and jets. But he has shown again and again a willingness to attack digitally.
Last week, the Ukrainian government confirmed that Kremlin-sponsored hackers targeted its water sanitation infrastructure. Days later, special prosecutor Robert Mueller’s grand jury indicted 12 Russian intelligence officers for their involvement in the hacking of the Democratic National Committee. Earlier this year, the U.S. and U.K. jointly published an alert detailing the technical nature of Russia’s efforts to gain a foothold in Western critical infrastructure.
What should the alliance be doing to counter Moscow? Unlike conventional defense against kinetic threats like missiles and submarines, defense against cyber-threats is best measured not in dollars and cents, but in action. There are four clear areas of cybersecurity to which each NATO member should increase its contributions — all without having to dig too deeply into their pockets.
The first is sharing intelligence on threats. Each NATO member possesses a unique perspective on its particular cyber-threat landscape. In most cases the dangers are not unique to one country or another, yet shared awareness is stifled by each member’s restrictive posture on sharing. The alliance pledged last year to spend more than $3 billion to protect itself from hacking, but a paltry $100 million has actually been spent on defenses. NATO’s 10-year-old Cyber Defense Center of Excellence in Tallinn, Estonia, does good work, but it is focused completely on policy and governance, not operational issues.
By fusing together threat-intelligence sources from each of the NATO countries, the alliance would be uniquely positioned to connect the dots and gain a common operational picture of cyber-threats on a global scale that doesn’t exist today. Here NATO can take a page out of the U.S. financial sector’s playbook. While each of America’s large banks has its own threat intelligence apparatus, they all participate in the Financial Services Information Sharing and Analysis Center, which was created under a 1998 presidential directive. By exchanging threat intelligence with each other and contributing to an aggregated pool of diverse data sets, the sector becomes “stronger together” (the motto of the U.S. European Command when I led it a few years ago and saw firsthand our weaknesses).
Second, the alliance must take a global lead when it comes to establishing international norms of behavior for cyberspace. NATO has already contributed a great deal of thought leadership to this field in the form of the Tallinn Manual — the most comprehensive analysis to date on how existing international law applies to cyberspace. But greater contributions from each member are needed to achieve broader consensus and adoption.
For starters, NATO should define precisely what technically constitutes a “use of force” in cyberspace, and most importantly, what nations should expect if that threshold is reached. This is crucial because the NATO treaty has specific definitions for what constitutes a traditional “attack” that rises to the level of the Article 5 mutual-defense threshold. There is still considerable ambiguity among allied nations about how to measure non-kinetic force. One thing is clear: a cyberattack need not result in physical harm or real-world effects to rise to the level of force projection, much less a violation of sovereignty.
Third and closely related, the alliance must get contributions from all members to establish a credible cyber-deterrence regime. Secretary General Jens Stoltenberg added some teeth to the NATO stance by saying publicly that a cyberattack could trigger Article 5. But this isn’t enough. Unlike nuclear deterrence during the Cold War, cyber-deterrence unfortunately will probably require at some point an actual use of offensive cyber-weapons for it to be deemed credible. NATO needs to draw up and agree on a shared set of contingency plans should going on the offensive be called for. Many details of these plans, by the way, need not be secret.
Finally, all NATO members should join forces to develop defensive countermeasures and to research cyber-threats and vulnerabilities. The best model is to leverage existing capacity and resources within NATO member-states, especially some of the former Soviet bloc countries like Estonia that are particularly advanced in this field. There is a model for this: the NATO Special Operations Command in Mons, Belgium — right next to my former headquarters when I was the alliance’s supreme allied commander. The pooling and sharing in special-ops is a good model for doing the same in cyberspace. In addition to the U.S., both the U.K. and France are exceptional in cyber.
We’ve also witnessed the military benefits and cost savings of jointly developing and maintaining conventional weapons platforms with allies in partnership with industry — on NATO’s Alliance Ground Surveillance system and AWACS airborne-warning system, for example. But countries have been slow to do the same with cybertools. As the NATO commander, I was unable to bridge this divide because each country wants to protect its “crown jewels” in both offensive and defensive cyber, even though they are willing to share on air defense, special operations, strategic airlift, unmanned vehicles and many other areas.
In this respect, NATO should bring together the research and development of all members to not only establish a common operational infrastructure, but also to examine vulnerabilities and hunt for threats to the benefit of organizations and users throughout alliance countries. The Tallinn cyber center just does not “do” operations or research in that regard.
Of course, contributing to all of these areas will cost money — but the economic commitment pales in comparison to traditional defense spending. Last year NATO committed only $72 million to upgrading cyber-defenses and around $200 million to secure mobile communications for personnel in the field. Yet the collective defense budget of the alliance nations is north of $900 billion. More spending on cyber is a no-brainer.
Still, if NATO is going to get serious about cybersecurity, bigger budgets alone are not the answer. Members need to learn to work together, or Russia will make them pay.
This article was co-authored by James Stavridis and Dave Weinstein. This piece was republished from Bloomberg Opinion.