WASHINGTON: While NATO won’t conduct offensive cyber operations as an alliance, it will coordinate cyber attacks any of its member nations launch on their own as sovereign states, NATO officials say. It’s a subtle distinction, but a fraught one, and one that officers of the alliance’s brand-new Cyber Operations Center labored mightily to explain.
“NATO is clear that we will not perform offensive cyberspace operations,” Maj. Gen. Wolfgang Renner, the German air force officer who heads CYOC, said at a conference this week. “However, we will integrate sovereign cyberspace effects from the allies who are willing to volunteer.”
But what does that actually mean? The official answer is complex and probably not entirely final. That’s in part because of the political sensitivities of the alliance’s 29 member nations, who must all agree to any new policy. It’s in part because the Cyber Operations Center and indeed NATO’s role in cyberspace are both so new.
The US created its Cyber Command in 2010 and only promoted it to a top-level Combatant Command (COCOM) last year. Even so, the US is still wrestling with basic issues of how to train, equip, command, and set the legal boundaries of cyber forces. But NATO didn’t officially acknowledge cyberspace as a domain of warfare alongside land, air, and sea until its 2016 summit in Warsaw. The alliance only ordered the creation of a Cyber Operations Center — reporting directly to the Supreme Allied Commander, American Gen. Curtis Scaparrotti, and theoretically co-equal to NATO’s longstanding component commands for land, air, and maritime operations — at the Brussels summit this July.
So CYOC officially stood up August 31st, only 11 weeks ago, Renner said. It’s still putting together its staff, drawn for now from other parts of SHAPE (Supreme Headquarters Allied Powers Europe), that will initially number “below one hundred for sure.” And it isn’t even ready to announce its projected date to achieve Initial Operational Capability (IOC), though Renner promised rapid progress.
“We have to mature it,” Renner told reporters Wednesday after his remarks to the US Army-NATO CyCon US conference. “We are in the crawl phase.”
“I would remind you again just how nascent all this is,” added Renner’s deputy, US Air Force Col. Donald Lewis. NATO has defended its networks from attack for years, in the same way any large organization’s IT staff must do, he said. But now it’s taking a huge step beyond that by creating brand-new doctrine, organization, and policy that acknowledges cyberspace as a battlefield for military operations — albeit constrained by a tricky legal distinction between member nations’ independent cyber attacks and NATO’s collective cyber defense.
Because the new Cyber Operations Center will help “integrate” those two functions — national and collective, offensive and defensive — it’s important to understand what CYOC actually does.
“If you know your enemy and know yourself, you need not fear the result of one hundred battles,” Sun Tzu wrote 2,500 years ago. That ancient maxim applies even more forcefully to cyberspace, where the “terrain” of the battlefield and who can act in it are defined as much by data — by who knows what — as by physical infrastructure. But Sun Tzu’s first step, “know yourself,” is especially difficult in cyberspace, because the complex interconnections and mutual dependencies among networks make it hard to say where “yourself” actually ends.
A foot soldier can fight as long as he has a weapon and ammunition, which military logisticians can supply. A cyber warrior can’t operate without electricity or web access, which come from civilian utilities, which in turn may not be able to defend themselves against attack without the military’s help. Figuring out that civil-military relationship is hard enough for Cyber Command. NATO’s new Cyber Operations Center has the additional challenge that even the specifically military networks it must protect belong, not to one country, but to 29.
So CYOC’s first task is simply gaining “situational awareness” of who’s doing what where, Renner said. It’s linked closely to the NATO Communications & Information Agency (NCIA), which actually runs alliance networks day-to-day, and to the NATO Cyber Incident Response Capability (NCIRC), which reacts to attacks and provides intelligence on threats. But CYOC also needs to reach out to a long list of organizations both in and out of NATO, Renner said, getting information from national governments, private corporations, and even the media. Then CYOC has to make sense of all this information and provide a coherent picture to the Supreme Allied Commander and the member nations.
Only once you have that shared awareness of the situation — once you know yourself and your enemy as much as possible — can you act.
“If you have that, then you can think about effects, defensive or even offensive,” Renner told reporters. “(But) for NATO, offensive is difficult.”
That’s not just a matter of cyber policy but a founding principle of the alliance that applies to all operations on land, air, and sea as well: “The Parties to this Treaty … are resolved to unite their efforts for collective defence and for the preservation of peace and security,” says the preamble to the 1949 North Atlantic Treaty.
“However,” Renner continued, “if a nation would be ready (as) a voluntary national contribution to field a cyber effect … under the national responsibility, then this could be an option as well.”
Independent Assets, Coordinated Action
It’s crucial to understand that NATO doesn’t have its own combat units in any domain. It pulls together assets provided by its 29 members. “It’s the nations who actually provide the forces, through the NATO force structure,” Col. Lewis emphasized. “They bring their ships, their planes, their tanks…. Those sovereign capabilities are exactly that: sovereign.”
“They’re responsible for defending those things,” including in cyberspace, Lewis continued. “It’s our job to make sure we have situational awareness of how they’re defending those things and how their success may or may not have an impact on the overall operation.”
In cyberspace as on land, air, or sea, NATO member nations can act either collectively, through the alliance, or individually, as sovereign states. But acting outside alliance channels doesn’t bar them from coordinating with each other: Contrast the war in Afghanistan, which was long run as a NATO operation, and the war in Iraq, waged by a “coalition of the willing” outside the alliance but involving multiple nations that happened to be NATO members. A NATO member can even divorce itself from the alliance’s military structure but still participate in NATO operations, as France did from 1966 to 2008.
So while NATO, by charter, renounces offensive operations, its members can still conduct them — on their own legal authority as sovereign states, but, if they wish, in coordination with each other and in consultation with NATO.
With that in mind, here’s a more formal and precise description, which I drafted but which NATO officials read, revised and agreed is accurate:
- “In all domains — land, air, maritime, and (as of 2016) cyber — NATO relies on forces contributed by its member nations to conduct military operations.
- “In all domains, NATO operations are governed by the consensus of all 29 member states, executed by SACEUR and subordinate commanders in accordance with the constraints of the approved operation.
- “In all domains, if a NATO member state decides to conduct an operation using its own forces and its own legal authorities, it may choose to inform NATO command structures and coordinate with NATO plans and operations.
- “How this applies in the cyber domain specifically: NATO policy, as set by the consensus of the 29 members, is that the alliance itself, in keeping with its defensive mindset, shall not conduct offensive cyber operations.
- “However, this does not restrict unilateral or multilateral offensive operations by NATO member states. NATO policy — again, by member consensus — does provide for the integration of sovereign cyberspace effects provided by Allies with the ability and willingness to provide them. That integration into Allied operations and missions will be orchestrated by the NATO CYOC (Cyber Operations Centre).”
As I interpret this, a NATO commander, acting in his or her alliance capacity, couldn’t order anyone to conduct an offensive cyber operation. But the same commander could suggest an offensive cyber operation, and one or more of the member states could then voluntarily conduct it.
Or a commander with a dual NATO and national role could simply take off his NATO hat and use the authority granted him by his own nation to order his own nation’s forces to conduct a cyber attack. The obvious candidate here is Gen. Scaparrotti, who is both NATO’s Supreme Allied Commander Europe (SACEUR) and Commander, US European Command (EUCOM).
In either case, the national forces conducting the attack can coordinate with other alliance members, through NATO organizations, to “integrate” the attack with the alliance’s collective defense operations. For cyberspace specifically, this coordination and integration role is played by the new Cyber Operations Center. It’s a logical extension of CYOC’s “situational awareness” mission to share information among the member states about what each of them is observing and doing in cyberspace.
“NATO doesn’t do offense, but it will integrate sovereign effects from the nations that are capable and willing to provide them,” Lewis said. “Some nations have stated their willingness to provide those effects. The role of the CYOC is simply to integrate it into the operations in the same way we integrate all the other arrows in the quiver.”