NATO’s 2022 Strategic Concept reaffirmed its commitment to NATO’s founding principles and to its core mission of collective defence and security in a Euro-Atlantic zone definitively ‘not at peace’.
It also reiterated its long-held view that cyberspace, the global domain of interconnected information technologies and data, is ‘contested at all times’ by a range of state and non-state actors. Set against the backdrop of widespread competition in cyberspace between military and intelligence agencies, firms, criminals, hackers, hacktivists and assorted adventurers, this assertion is hard to deny.
Awareness of this situation is heightened by the cyber campaign integral to Russia’s ongoing war on Ukraine. This war has demonstrated the stakes of strategic competition in cyberspace, as Russia seeks to degrade and disrupt Ukraine’s military, government and civilian networks and all that depend upon them. That Russia has so far failed to achieve strategic effect in Ukraine through cyber means should not distract from the potential to do so, nor from the friction introduced into the Ukrainian war effort and wider society by Russian military-intelligence cyber operations. Russian attempts to derail Ukraine’s military defence and to disrupt civilian life have demonstrated the limited utility of cyber operations to strategic coercion, but we should remain mindful of the resources and resolve necessary to rebuff Russian cyber operations over long periods of time. The possibilities for miscalculation and horizontal escalation also remain pertinent to our long-term assessment of Russian offensive cyber operations in Ukraine.
NATO has been vocal in its political support for Ukraine, and for the provision of bilateral military assistance by individual Allies. However, NATO is not a direct party to the war, and Ukraine is not a member-state. NATO will need to think beyond the war in Ukraine as it determines its future role in strategic cyber competition. We suggest that beyond deterrence and warfighting, an alternative lens through which to view NATO’s possible contribution is stability, a founding tenet of Alliance purpose since 1949.
What does NATO need to do to enhance Alliance stability on cyber issues, ensure the international system is not destabilised further by hostile cyber operations, and guard against the internet itself becoming destabilised by the misuse of technologies? These are big tasks and will define the success or otherwise of NATO as a cybersecurity actor. Our view is that if NATO does want to compete in cybersecurity, it should compete to be at the forefront of providing cyber stability.
NATO’s internal stability as an alliance has, despite occasional low points, been remarkably consistent since its inception. This is partly due to committed American leadership but also to the desirability of membership: NATO’s security guarantee is worth paying for and maintaining over extended periods, for both small and large Allies. Arguably, despite ongoing calls for European strategic autonomy and the ruptures in transatlantic security politics during the Trump administration, NATO’s internal stability is greater now than in many years, not least as a result of solidarity engendered by Russia’s war on Ukraine.
In terms of cyber defence, a myriad of NATO capacity-building initiatives has served to bolster Alliance stability, including training and education programmes, exercises and war games, and joint doctrine and strategy allied to clearly articulated visions like the Cyber Defence Pledge. Whilst internal stability can never be taken for granted, and while there are ongoing adversarial efforts to cause intra-Alliance divisions between NATO member states through digital subversion and disinformation, our broader concern here is with NATO’s role in fostering cyber stability in two other areas: the international system, and cyberspace itself.
As the world’s premier military alliance, what NATO says and does influences international stability, even if the interpretations of those actions often differ markedly. NATO’s designation of cyberspace as an operational domain, for instance, fed Russian and Chinese narratives of Western ‘militarisation’ of cyberspace. Some may also look askance at NATO’s Cyber Operations Centre (CyOC) and the integration of offensive cyber capabilities into mission planning and operations through the Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA) framework. In peacetime, however, NATO does not undertake cyber operations outside of the defensive space, and it is individual Allies whose activities affect strategic cyber competition. The US, through its persistent engagement doctrine, for example, stresses the need to take the fight to the enemy in ‘out of area operations’ in contested digital space, a view broadly shared by the UK. The aim is to shape adversarial behaviour and the norms of ‘agreed competition’ in cyberspace, rather than wait for diplomats to agree on global terms of state behaviour that are likely to be ignored anyway.
This presents a challenge for NATO. It has treaty-based obligations to peace and stability, yet the actions of individual major Allies may undermine international cyber stability. If they do, how does NATO position itself with respect to influential Allies and with its legal and normative stance in other domains? How might it counter the inevitable accusations that NATO is itself contributing to net international cyber instability? If, however, the US and its close partners are correct and they achieve a reduction in hostile cyber activities, how might NATO adjust its doctrine and peacetime activities to support a more interventionist and proactive posture in cyberspace in pursuit of international stability? Returning to internal stability for a moment, how will it square away emerging disagreements between allies as to the proper balance of defence and offence in cyberspace? Resolution of these issues will require deft and responsive political management.
With respect to cyberspace stability, NATO has traditionally had little reach into the technical, policy and civil society communities of the global multi-stakeholder community that maintains cyberspace as, effectively, a common good. The standards, protocols, norms, laws and regulations of cyberspace are, whilst sometimes fragmented, the product of cooperative frameworks within which military alliances usually have little influence. NATO’s own cybersecurity ambitions, though, require that it engage directly with national cyber authorities, industry and other supranational organisations like the European Union.
Its commitment to the cyber resilience of Allies, for example, means that its overlapping membership with the EU brings it into close contact with European cyber resilience agendas and initiatives. NATO’s 2022 Strategic Concept recognises explicitly the need for closer EU-NATO partnership in defence and security, as does the EU Cybersecurity Strategy (2020). Arrangements exist to share cyber threat intelligence and best practices, as well as cooperation on training and research, but more joint work is required. NATO can help not only with the development and implementation of cyber defence and cyber resilience measures that improve the stability of cyberspace overall, but also by bolstering the normative aspects of these forms of regulation and governance. That is, by demonstrating the importance of shared values and approaches in improving cyber stability beyond the narrow, military concerns of NATO alone.
NATO has also committed to improved engagement with industry and academia through the NATO Industry Cyber Partnership (NICP). This is primarily an information exchange mechanism, sharing non-classified cyber threat intelligence between the Alliance and firms in NATO countries. The NATO 2030 Reflection Group recommended that NATO look beyond its ‘classical’ partners in the defence industry to leverage the skills and expertise of the wider private sector, academia and non-governmental organisations. In other words, these types of partnerships should not be restricted to client-vendor relations but find new sources of creativity and relevant experience. How this translates into cyberspace stability remains uncertain, but there are openings for increased cyber threat intelligence sharing, cyber resilience, technical assistance, policy development, and other forms of productive engagement that will improve domain stability.
These comments about the stability of the international system and cyberspace in no way exhaust their possible dimensions and futures. They also interact in various important ways, as they do with the internal stability of the Alliance itself. Internal stability is the foundation upon which effective activity within an alliance is built: without internal agreement on key cyber issues, NATO will be slow to develop meaningful courses of action that affect international and cyberspace stability in a beneficial way. Disagreement may even engender negative effects, which will undermine NATO coherence and its stability mission. Even more importantly, what NATO’s strategic adversaries do creates constraints and opportunities for the Organization’s policy and action. In terms of strategic cyberspace competition, Russia and China in particular pose distinct political and technological challenges that NATO will have to work hard to counter. Russia presents the more immediate threat, as exemplified by its cyber operations in Ukraine and elsewhere, but China is the more persistent long-term competitor and is experimenting and investing in a wide range of deleterious cyber operations on a global scale.
One avenue for NATO to pursue is to strengthen and redefine its international partnerships in this policy field. While there is more talk of the partners in the Indo-Pacific region (Japan, South Korea, Australia and New Zealand) in NATO’s Strategic Concept, there are opportunities to further develop these as global partnerships for cybersecurity. It is noteworthy that the UK, France, the US and EU are all deepening their partnerships with these countries (including through such mechanisms as AUKUS, and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, or CPTPP). NATO needs its own processes and mechanisms to engage with these partners further on cybersecurity.
Just as importantly, deepening and strengthening ties with the tech sector will be fundamental to the global stability of cyberspace. The war in Ukraine has demonstrated the impact of non-state actors in cybersecurity and the importance of civil-military cooperation; from the technical assistance provided by firms like Mandiant to Ukrainian engineers, and the initiatives by Microsoft and others to ensure their platforms remain available and functional in the face of Russian cyber aggression, to efforts by Elon Musk to provide Starlink satellite internet access to Ukraine. Doubling down on engagement with these sectors will be important as NATO continues to fulfil its role to provide peace and stability in the North Atlantic area and beyond.
It is clear too that NATO’s cyber defence will be impacted significantly by emerging technologies, such as cloud computing, artificial intelligence and machine learning, the military Internet of Things, and hybrid human-machine systems. Operational flexibility and strategic weight depend on the adoption of these novel technologies, but all have cybersecurity implications, both in terms of their defence and resilience to external interference, and in their possible effects on the stability of cyberspace, the stability of the Alliance, and indeed the international system. NATO is working to integrate these technologies into its planning and operations, including through the creation of the Defence Innovation Accelerator for the North Atlantic (DIANA) and the development of the NATO AI strategy. A focus on the ways such technologies can be used to stabilise or destabilise the Alliance will need to be maintained.
NATO has always been in the stability business. Its opportunity now is to rethink how it can provide stability in a new strategic environment characterised by the simultaneous and convergent challenge of geopolitical aggression and technological revolution. NATO could become a cornerstone of cyber stability, both internally and externally, but it has to remain agile and innovate. NATO’s cyber policy and doctrine – whether in the area of deterrence, resilience, or persistent engagement with adversaries – need to keep pace with challengers and with technological change, but also provide a bulwark against inadvertent escalation of cyber conflict and further destabilisation of the global internet.