The new realities of cyber threats and interconnected networks have forced one of the world's top military alliances to make necessary adjustments to its doctrine and operations.
Following NATO’s decision to declare cyberspace an operational domain of warfare leading up to the 2016 summit in Warsaw, Poland, the alliance signed a cyber defense pledge outlining how member states will ensure proper cybersecurity and defense of networks.
The pledge, signed on July 8 by member nations, makes enhancing cyber defenses of national networks and infrastructure a top priority. "We will ensure that strong and resilient cyber defences [sic] enable the Alliance to fulfill its core tasks. Our interconnectedness means that we are only as strong as our weakest link," the pledge states.
As part of this effort, the alliance is not only focusing on systems and networks but people as well. "We will ensure that our Alliance is cyber aware, cyber trained, cyber secure and cyber-enabled," it said.
Concrete steps member nations pledged to take include developing a full range of capabilities to defend national networks and infrastructure, allocating adequate resources to strengthen cyber defenses, improving understanding of threats in the cyber domain, enhancing skills and awareness, fostering cyber education and training and expediting implementation of cyber defense commitments, especially among systems NATO depends upon.
NATO previously tackled cyber defense in the 2014 summit in Wales. As a July 2016 NATO fact sheet notes, "To keep pace with the rapidly changing threat landscape, NATO adopted an enhanced policy and action plan on cyber defence [sic], endorsed by Allies at the Wales Summit in September 2014. The policy establishes that cyber defence [sic] is part of the Alliance’s core task of collective defence [sic], confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry. The top priority is the protection of the communications and information systems owned and operated by the Alliance."
NATO's updated cyber defense posture and its recognition of cyberspace as an operational domain of warfare will both "improve NATO's ability to protect and conduct operations across these domains and maintain our freedom of action and decision, in all circumstances," the fact sheet said. NATO Secretary General Jens Stoltenberg also reaffirmed this position during a July 11 Twitter Q&A.
Despite these positive steps the coalition has taken, some still have criticisms regarding NATO's cyber posture.
"[T]he accepted core responsibility of the Alliance in cyberspace is to defend the Allies against armed attacks through cyberspace, when necessary through military means. However, the only means at its disposal is the protection of its own networks and systems," read a report from the NATO Cooperative Cyber Defense Center of Excellence, a NATO-accredited research and training facility. "This means that while the Alliance recognises [sic] that cyberspace can be used by adversaries to launch an armed attack against it, it is impossible for the Alliance to counter such an attack in and through cyberspace. For NATO, this is rather a novel approach to its responsibilities. It would, for instance, be unimaginable that in response to an armed air attack, NATO would not allow for the use of air power, but would limit its response to the use of air defence [sic] systems."
While the report's authors note declaring cyberspace an operational domain of warfare is a step in the right direction enabling defined doctrines and procedures, they maintain the critical component will be aligning cyber defense policy with "the overall, conventional, strategic posture as detailed in the Strategic Concept." The Strategic Concept is a document adopted in 2010 and serves as NATO's roadmap for the next decade reconfirming the commitment to defend member states.
The recognition of cyberspace as a domain of war will also provide a better framework to manage resources, skills, capabilities and coordinate decisions, NATO's fact sheet said. NATO develops targets for allied countries' implementation of national cyber defense capabilities with the goal of maintaining a unified, common approach. Alliance members in doctrinal documents say they aim to agree upon further cyber defense targets in 2017; progress on the delivery of the cyber defense pledged will be reviewed at the next NATO summit.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
