Updated: Mar 4, 2021
The purpose of policy in NATO offers a broad directive multilaterally agreed by all allied states which guides the Alliance in their coordination, action, strategy, amongst other aspects. While NATO’s conventional capabilities such as nuclear weapons, are traditionally instructed by its policies, they themselves have evolved and been adapted to better suit the circumstances of contemporary challenges. Similarly, in confronting new challenges with emerging technologies and an ever-change landscape of different domains of warfare, the Alliance, starting from its first recognition of the need to bolster cybersecurity and cyber defence at the Prague Summit in 2002, has made continuous efforts in shaping and reshaping its policy in cyberspace (Davis, 1). However, unlike other capabilities in the conventional sense, NATO has yet to announce and adopt a cyber offensive policy, as its current cyber policy is based mainly on cyber defence and cyber deterrence. In the meantime, not only have allied states suffered substantial cyberattacks by Russia with the wake-up call conflict that is the 2007 cyberwar on Estonia, other NATO adversaries and select allies have also been developing increasingly sophisticated cyber offensive capabilities, in short starting an arms race to gain superiority in this domain. For the Alliance to remain credible, it needs to achieve and maintain the two-pronged aspects of the allies’ political commitment to collective defence, as well as its military capability, which is the insurance to the former (Jonson 2). Its credibility in cyberspace is currently maintained by a number of allied states each with their own national cybersecurity capabilities and some with cyber offensive policies. Yet, for NATO to adopt similar cyber capabilities and coordinate them across its allies, it would require an institution-wide policy to guide it. But is an offensive cyber policy for NATO politically feasible?
The present paper examines this question by first 1.) explaining NATO’s institutional lenience towards allied offensive cyber capabilities in recent times despite its policy only in the defensive arena, and addressing areas of strength and deficiency in the Alliance’s comprehension and coordination without an offensive policy. Secondly, 2.) areas of allied rift and agreement are identified by discussing issues surrounding cyber offensive policies with previous research into the Alliance’s deterrence purpose and its decision-making and strategic challenges. Finally, it will conclude by 3.) proposing general recommendations for NATO’s approach in considering an offensive cyber policy.
Offensive Capabilities under a Defensive Policy
Like NATO’s many conventional assets, in terms of offensive cyber tools, it is precisely because its allies have agreed to not conduct offensive cyber operations as NATO that it relies on the contribution of such capabilities from allies who possess them to volunteer them to the Alliance (NATO Cyber Defence Factsheet). The strictly defensive policy does not stop allies’ decision to conduct offensive cyber operations individually or with each other, and as long as these possibilities are willingly offered by allies, NATO can play a coordination role in aligning the offensive operation from allied state(s) with the Alliance’s collective defence ones (Freedberg). With the decision to integrate offensive capabilities into a defensive policy, NATO has already signalled its interest in strengthening its own offensive capabilities by building its cyber command with the ability to conduct its own cyber attacks (Emmott). From a capability standpoint, this command will have coordination and capacity-building functions for NATO allies to develop offensive capabilities on an institutional level together rather than relying on the United States’ command.
The benefits of having offensive cyber capabilities have also been widely studied; and it is generally considered that cyberspace is more offensive-focused and those superior offensive capabilities including demonstrating strategic, operational, and tactical versatility and precision to paralyze the adversary gives one the upper hand (Saltzman 42-44). Developing a certain capability does not necessarily mean that the Alliance’s cyber policy will definitively expand to include offensive operations, but it will increase the Alliance’s credibility in deterring possible cyber risks from adversaries. On one hand, NATO’s cyber defence policy is in line with its founding identity as a collective defence alliance; on the other hand, in other domains where capabilities are matched with their respective policies and doctrines, NATO allies receive clear guidance across the board on the conditions of proliferation or nonproliferation of these capabilities whether the response takes place on land, in the sea, or air. It may be then advantageous for NATO to provide a clear direction to allies on its cyber policy involving both its defensive and offensive capabilities upon the refinement of the latter.
Another key consideration is the ascension of cyber to being on the same level as other operational domains at the Wales Summit in 2014, insinuating that a cyberattack could trigger Article 5 (Oolup 28). Considering the event of NATO’s response to entail kinetic measures, cyberattacks successfully operated to a targeted and effective extent may not cause physical destruction but other types of large-scale damage, such as information loss or political undermining (Roggeveen). For NATO to thus engage adversaries in such an event, multiple levels of cyber aggression need to be addressed separately to provide proportional and appropriate offensive responses. Furthermore, contrary to claims which often point out an engagement in cyberwar can escalate a conflict to other domains, scholars have also found that although offensive cyber capabilities are not particularly effective in deterring military action of an adversary unless the threat of proliferation comes from credible actors, they are useful in compellence while the secrecy of their operation can potentially de-escalate a conflict by saving the adversary face (Smeets & Lin 55). Given the strategic value and the complexity of possessing cyber offensive capabilities, a NATO-level multilateral policy would distribute the knowledge of such advantages and disseminate strategic bargaining power amongst allies in a way that does not clash with collective defence goals.
One may speculate that NATO’s integration of allied offensive capabilities is beneficial until the performance of natively-researched and developed tools reach a highly advanced and well-funded level to supplement and even match its defensive capabilities, because strategically speaking, the supremacy of defence capabilities should precede offensive ones in anticipation of adversary attack. According to research in the theory of cyber offence-defence balance, the race to develop effective offensive capabilities globally may contribute to the destabilization of the international security system, especially when these actors do not possess adequate defensive ones (Shaheen 77). This guiding theory informs the historical reluctance of NATO towards an offensive cyber policy, although the offence-defence balance also suffers from an interpretation of traditional warfare’s narrative of escalation and destabilization. Therefore, for NATO to better coordinate allies' offensive cyber operations, a guiding policy may aid crucial posturing and strategy of its engagements in both low-intensity and high-intensity contexts, instead of for NATO to coordinate each operation individually. By extension of this forecast based on NATO’s current stance on cybersecurity, a multilateral offensive policy may be on the horizon with time and political will but its negotiation and agreement face significant issues politically, technically, and strategically. The following summary will provide an overview of popular political and strategic challenges connecting to the consensus-based direction and deterrence-based foundation of the Alliance in the formulation of a NATO-level cyber offence policy.
Reforming the Deterrence Doctrine The Alliance seeks to contribute its overall defence and deterrence posture using cyber capabilities, and offensive cyber capabilities announced by a guiding policy may signal clearly to the adversaries of NATO’s posture and credibility. The integration of cyber offensive capabilities and policy with other domains of warfare may provide strategic benefits to the Alliance by upping its credible firepower. Though without integration into physical force in this coercive sense, deterrence-by-punishment posturing in cyberspace through retaliatory measures may also legitimize offensive cyber operations’ use and may present risks towards collective cooperative security amongst allies and even potentially undermining political policies (Burton, 8). The preference for deterrence-by-denial as a result of the consideration for these important risks is additionally problematic, as the passive strategy runs counter to some allied states’ political will to establish a more proactive policy (Ibid.). Out of the number of NATO allies who have volunteered their offensive capabilities to the Alliance, the United Kingdom expresses the most obvious intent in using its capabilities for both deterrence and operational means as stated in its National Cyber Security Strategy (HM Government 25). Evidence of the UK’s political will for a more proactive policy and posture can be seen in the policy prioritization of its national investment into cyber offensive capabilities and its demonstration of offensive operations in Russia and the Middle East. It is explicit in its national policy in identifying exactly the deterrence aims that UK is aiming to accomplish with its offensive operations, while the US also takes a preemptive approach in using offensive capabilities in deterrence and in gaining other types of advantages across domains to ensure US superiority (Oolup 40).
Comparatively, European Union allies seem to favour the more passive policy as it suffers similar coordination and policymaking problems like NATO. That being said, the European Parliament welcomed the European Commission’s cyber package, in which reinforcements to European offensive and defensive capabilities at both civilian and military levels are recommended to be implemented due to the EU’s fragmentation in joint defence strategies and member states’ lag in exchanging knowledge and warnings about cyber attacks (European Parliament). This need for a joint policy and the approval of an EU-wide cyber package including offensive capabilities may signal more political will for an interoperable NATO policy as well as bolster collective deterrence and security. As the allies of differentiated capabilities debate on the value of offensive cyber deterrence in their national policies with discretion for the inapplicability of nuclear-era deterrence theory to cyberspace, the decision-making and organizational fashion of NATO inflame internal political complexities and may discourage consensus. Testing Alliance Consensus and Decision-making The Alliance’s decision-making principle of consensus further complicates the negotiations and agreement of a NATO offensive cyber policy. The above-mentioned nuclear example almost exclusively concerns kinetic and state-level physical destruction of massive proportions. The dire consequences of the extremity of possible nuclear proliferation are enough to establish credibility, deterrence, and is a comparatively simpler way in getting its 30 member states on board, especially in the context of Cold War bipolarity. Cyberspace as a domain of war contains a myriad of vested technical issues including the difficulty of attributing attacks to specific adversaries. Even though this is one the most prominent difficulties according to a variety of research in cybersecurity, more recent analyses published by NATO's Cooperative Cyber Defence Centre of Excellence have suggested that the attribution gap is gradually decreasing in size due to heavy research and development investment into web tracing and identification designs largely spearheaded by the US (Burton 11). A dynamic understanding of deterrence in cyberspace as formerly suggested by taking into consideration social and historical context will also alleviate the traditionally ‘impossible’ problem of attribution. While such technical capabilities play a crucial role in swaying the allies’ considerations and decisions, the political and strategic issues of simply conceptualizing an offensive cyber policy are examined in closer detail here.
Trust and Transparency The transparency and capability-sharing quality of NATO may give way for disagreement amongst allies. Although the Alliance’s communication on a strategic and policy level is transparent, it still possesses enough opaque room to maneuver on an operational and tactical level. Furthermore, the problem of American supremacy in cyber capabilities and NATO’s reliance on its critical perspective may displease EU member states like France in their pursuit of strategic autonomy aside from its prevailing aversion to today's American leadership. A new demand for cross-alliance intelligence-sharing on offensive cyber capabilities can also exacerbate internal trust issues with the US. The global surveillance disclosures from 2013 onwards revealed allied surveillance and spying activities which damaged confidence in NATO (Smeets; 2018). Discussion of further integrated intelligence-sharing strategy under an offensive cyber policy can create tension between Five Eyes states (Canada, the US, and the UK) and other NATO allies. Doctrine Diversity Another overarching aspect with the potential to determine allies’ reception and leniency towards an offensive cyber strategy is the diversity of threat perception among NATO allies. The diversity across allied standards in defining the parameters of cyberattacks and the lack of overarching offensive cyber policy could result in strategic ambiguity and discourage retaliation (Arts 2). These differences stem from varied threat perceptions and cyber norms. Nationally, both threat perception and cyber norms are influenced by the state’s experience with malicious cyberattacks and its media and public opinion; and externally, the state’s engagement in bilateral and multilateral engagements are the most effective ways in which threat perception and cyber norms are shaped (Lewis 575). This hints at the political interest of near-Russia states like Estonia and Finland to possess well-rounded cyber norms and threat perception. Conversely, policy engagements on offensive capabilities would also shape NATO allies’ understanding as a whole. Without multilateral definitions, allies like Luxembourg and Iceland who have not experienced similar events do not benefit from harmonized knowledge and may not find justification to prioritize the strengthening of cyber capabilities when allocating funds from the common NATO budget. Not to mention the financial commitment issue affects trust in the Alliance overall as well.
Recommendations and Conclusion The present memo provided an overview of the most pressing issues related to a possible NATO offensive cyber policy with a particular focus on the Alliance’s fundamental deterrence purpose and its policymaking structure. Since supporting volunteered cyber offensive operations on a case-to-case basis does not provide overarching guidance to NATO allies on cyber threats and norms even though offensive capabilities can conceivably function as a credible and powerful deterrent, allies have different understanding of NATO’s evolving offensive cyber leniency’s specific rules of engagement, aim, intended effects etc. But the Alliance’s decision-making structure and cyberspace’s technical complexity offers a wide range of challenges to allies as identified previously.
Going forward, NATO allies need to first revise its cyber deterrence approach to modernize its offensive cyber capabilities framework. Then, it needs to draw on the new cyber deterrence framework to work with specialized allies such as Estonia and the UK to examine the wide range of existing threat perceptions and cyber norms in the Alliance. Lastly, confidence-building measures between the US and NATO need to be strengthened upon commencing extended intelligence-sharing schemes. The achievement of these goals will give a clearer image of the allies’ political will, renew commitments for harmonization and interoperability of the Alliance’s offensive capabilities, and by extension boost its security cooperation.
- Arts, Sophie. "Offense as the New Defense: New Life for NATO’s Cyber Policy." The German Marshall Fund of the United States, Policy Brief 39 (2018): 1-9.
- Burton, Joe. "Cyber Deterrence: A Comprehensive Approach?." CCDCOE. https://ccdcoe. org/uploads/2018/10/BURTON_Cyber_Deterrence_paper_ April2018. Pdf. Accessed 6 May, 2020.
- Davis, Susan. "NATO in the Cyber Age: Strengthening Security & Defence, Stabilising Deterrence." NATO Parliamentary Assembly, 18 Apr. 2019, https://www.nato-pa.int/ download-file?filename=sites/default/files/2019-04/087_STC_19_E%20-%20NATO.pdf. Accessed 6 May, 2020.
- Emmott, Robin. “NATO Cyber Command to Be Fully Operational in 2023.” Reuters, Thomson Reuters, 16 Oct. 2018, www.reuters.com/article/us-nato-cyber/nato-cyber-commandto-be-fully-operational-in-2023-idUSKCN1MQ1Z9.
- “European Parliament Resolution of 13 June 2018 on Cyber Defence.” European Parliament, 13 Jun. 2018, https://www.europarl.europa.eu/doceo/document/TA-8-2018-0258_EN. html?redirect. Accessed 6 May, 2020.
- Freedberg Jr, Sydney J. “NATO To 'Integrate' Offensive Cyber By Members.” Breaking Defense, 16 Nov. 2018, breakingdefense.com/2018/11/nato-will-integrate-offensive-cyber -by-member-states/.
- Jonson, Pal. “The debate about article 5 and its credibility. What is all about?” Research Paper, no. 58. Rome, NATO Defence College, 2010. 1-12.
- Lewis, James A. "National Perceptions of Cyber Threats." Strategic Analysis, vol. 38, no. 4, 2014, pp. 566-576.
- “National Cyber Security Strategy 2016-2021,” HM Government. https://assets.publishing. service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national _cyber_security_strategy_2016.pdf. Accessed 6 May, 2020.
- “NATO Cyber Defence Factsheet.” NATO Public Diplomacy Division Press & Media Section, Feb 2019, https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2019_02/ 20190208_1902-factsheet-cyber-defence-en.pdf. Accessed 6 May, 2020.
- Oolup, Laura. Cyber as a deterrent: utilizing offensive cyber capabilities in NATO's deterrence posture. Diss. Tartu Ülikool, 2019, https://web-proxy.io/proxy/dspace.ut.ee/bitstream/ handle/10062/64338/oolup_laura_ma_2019.pdf?sequence=1&isAllowed=y. Accessed 6 May, 2020.
- Roggeveen, Barbara. “NATO Needs an Offensive Cybersecurity Policy.” Atlantic Council, 8 Aug. 2017, www.atlanticcouncil.org/blogs/new-atlanticist/nato-needs-an-offensive -cybersecurity-policy/. Accessed 6 May, 2020.
- Saltzman, Ilai. "Cyber posturing and the offense-defense balance." Contemporary Security Policy 34.1 (2013): 40-63.
- Shaheen, Salma. "Offense–defense balance in cyber warfare." Cyberspace and International Relations. Springer, Berlin, Heidelberg, 2014. 77-93.
- Smeets, Max, and Herbert S. Lin. “Offensive Cyber Capabilities: To what Ends?”, NATO CCD COE, 9 Jul. 2018, https://ieeexplore.ieee.org/abstract/document/8405010. Accessed 6 May 2020.
- Smeets, Max. “NATO Allies Need to Come to Terms With Offensive Cyber Operations.” Lawfare, 31 Oct. 2019, www.lawfareblog.com/nato-allies-need-come-terms-offensive -cyber-operations.
Yiran Zhang is APRA's Head of Communications.