Cyber is already an integral part of all conflicts and wars in today´s world. For NATO there is plenty of work and planning ahead, before it, as alliance, is a credible player in the cyber domain. NATO must pay special and rapid attention improving its Article 5 policy and collective cyber capabilities, and also remind its member-states that collective cyber credibility begins with countries´ own cyber defences. Decisions and guidelines are needed in the Nato Summit in September.
One trend in warfare is clear: using cyberspace when pursuing political goals and trying to gain geopolitical advantages is increasing and intensifying at an accelerating pace. Nation-states are pouring massive amounts of money into capability development and hiring skilled people to do the job. This development is part of an on-going trajectory: strategisation of cyberspace and its traction into national security sphere.
There are already about 35 countries with both the capabilities and doctrines to conduct offensive cyber operations. The world is moving toward a greater strategic use of cyber-weapons. The reality is that if you want to be a credible player in world politics, economics and military battlefield, you must possess strong cyber capabilities.
Evolution, not revolution
Cyberspace and the changes it has brought forth in warfare and security production are not "everything" or a revolution. The increasing importance of cyber is a phase in normal evolution. The world is becoming ever more digitalised and societies in their daily activities as well as in warfare ever more dependent on the digitalised infrastructure. Nato operations rely heavily on cyber-enabled networks. Therefore, cyber needs to be taken seriously and perceived primarily as a strategic issue, but not exaggerated as revolutionary.
All contemporary conflicts – and future crises even more so – contain a cyber-element. Building and maintaining security without taking cyberspace into consideration has become impossible. This, of course, concerns also on Nato and its future.
There are three main challenges in cyber for Nato and its member-states.
First, how to integrate cyber capabilities to other military operations and activities? This area remains relatively unexplored. Cyber is understood too often as a standalone approach to security and warfare. The primary challenge is to integrate cyber into a broader strategic and operational concept, both in defence and offence.
The challenge is more cultural than technical. We have to keep in mind that there will never be "a pure cyberwar" and cyber operations should not be separated from the broader context of war. Cyber is a significant part of all wars and conflicts. Ukraine crisis is the showcase of this kind of strategic integration, called hybrid warfare. The approach combines conventional military forces with information operations, provocateurs, cyber, and economic measures. Ukraine crisis also tests Nato´s ability to persuade its members to face the "grey zone war" which lies just below the threshold of a traditional Article 5 response.
2. Article 5
The second challenge is the Article 5 itself. The crisis in Ukraine indicates that the time has come for Nato to substitute strategic ambiguity with clarity in formulating how the collective defence pledge plays out in the face of cyber threats. In order to be a credible military alliance Nato must possess credible cyber policy.
The alliance has recently updated its cyber defence policy to make it clear that a major digital attack on a member-state could be covered by the Article 5, the collective defence clause. This is a very important announcement. Nonetheless, the real question is: What kind of circumstances would trigger a response under the Article 5, in other words, when would a cyber attack against one be considered an attack towards all? The answer is ambiguous.
One of the key elements in hybrid warfare is credibility – of both policy and capabilities. Member-states must have a crystal clear trust on the alliance's will and capabilities to respond if one of them is confronted with a severe cyber-attack. As long as the threshold to invoke the Article 5 stays unclear, it is understandable that member-states cannot have full confidence in collective cyber-defence.
Especially, when there are no precedents and cyber-attacks bring with them the tricky problem of attribution. On the other hand, it would be a dangerous policy to define and expose the actual threshold. In the context of "grey zone war" particularly it is not wise to expose what is acceptable and what is not.
Otherwise the opponent will intentionally act below the threshold of open warfare to avoid a collective Nato response. Most probably a cyber attack which invokes article 5 will include mass casualties and major physical damage. However, the decision will always be political, as it is in the case of physical attacks, and it will be decided on a case-by-case basis. Most importantly, cyber attacks are clearly nowadays treated as the equivalent to kinetic attacks.
3. Real Capabilities
Talks and practices are never enough if there are no real capabilities. This is Nato´s third cyber challenge. Differences in the stage of development of cyber capabilities (defence, intelligence, offence) are huge between Nato member-states. Currently, there also seems to be a lot of suspicion about others' capabilities even between the closest allies. Since we are just living the dawn of the cyber era, it is unclear how strong will the advanced cyber member-states have to expose and use their intelligence and offensive capabilities on behalf of the other member-states.
It is positive that information sharing, mutual assistance, cooperation with industry and exercises are increasing and deepening within Nato.
The development of cyber capabilities is mainly taking place on a national basis. Without broader and deeper internal cooperation Nato is severely impeded in its ability to play a more sophisticated role in the cyber domain. Developing genuinely shared cyber capabilities does not seem real at the moment which weakens the credibility of the alliance's collective defence.
An inseparable part of future Nato
Nate must be developed into a more cohesive cyber-community. But it has to be understood that cyber-defence starts at home. In other words, member-states need to invest human and financial capital in order to improve their own cyber-defences. At the end of the day, cyber-defence does not take much, but if Nato is to improve its collective capabilities in cyberspace, it begins with nations doing their homework.
Hence, it is the responsibility of Heads of State and Government to take Nato forward by taking the issue forward not only in Brussels, but also in their countries.
Cyber is an inseparable part of future Nato and its fundamental principle of collective defence. Incorporating cyber into other activities, clarifying the cyber policy with regard to the Article 5 and readiness to conduct full-spectrum cyber operations with shared capabilities are not just a wish for Nato. They are a necessity in today´s dynamic and uncertain world, and should be on the top of the agenda in the upcoming September Summit in Wales.
Jarno Limnéll is Director of Cyber Security in McAfee, and Professor of Cyber Security in Aalto University. Twitter at @JarnoLim
The views expressed here are his own.