Skip to content
The Russia/Ukraine conflict offers an opportunity for NATO in strengthening & enlarging the military alliance.
Finland has joined NATO, Sweden has applied to join NATO, & Ukraine strongly wants to join NATO. These discussions will likely provide the major headlines coming from the 2023 NATO Summit taking place July 11-12 in Lithuania.
However, NATO has another opportunity to benefit from the war in Ukraine, namely a closer & more integrated cyber-security program.
Politically Diverse
The problem for NATO is it is dominated by European countries — some are rich & sophisticated, others less so, & is politically diverse (many members are within the EU, some of them ‘fractious,’ & other members are outside of the EU). Europe is historically ‘tribal,’ which makes NATO ‘somewhat’ fragmented.
The severity of the perceived Russian military threat, as shown in the war in Ukraine, has brought NATO unity closer than it has possibly ever been, militarily.
Now is the time to do similar in the world of cyber. This does not imply that NATO does nothing (it has its own Special Operations Centre in Belgium), but NATO could & should do more.
Difficulties
There are extra difficulties in a fully unified NATO cyber-security program.
The 1st is one of definition. NATO is primarily a military alliance formed for kinetic defence. There is no easy correlation between ‘kinetic’ warfare & cyber-warfare. From the start, it is difficult to define the purpose of NATO cyber-security since it is primarily a ‘kinetic’ defence alliance.
The 2nd is the difference in the physical size & cyber complexity of the NATO members, & the residual suspicion of ‘tribal’ national outlooks. Given the global nature of cyber–attribution is very difficult, & misdirection is easy, it would be unsurprising to discover that NATO members undertake cyber-espionage against other members.
Unrealistic
The 3rd is that it would be politically unrealistic to expect the cyber ‘giants’ of NATO (US, UK, Netherlands, France etc.) to fully share their cyber capabilities with countries such as Hungary & Turkey.
Nonetheless, the cyber world would be safer if there were a NATO cyber-security alliance as strong as the NATO military alliance.
Ross Brewer, Chief Revenue Officer (CRO) at SimSpace, offers a 2-pronged approach to NATO cyber-security. The 1st is to refocus. “Countries need to stop looking out the window at the ‘Big Bad Wolf’, & look over their shoulder. The problem is not external, it is internal & that applies to every country, industry sector or company.”
He does not suggest there is no threat from adversarial nation states, e.g. Russia, but the cyber battle is waged locally, not on some foreign battlefield. It is the same local battle that must be fought against cyber-criminals & state players.
Helping Entities
While the military alliance can benefit from looking outward at physical foes, NATO cyber-security should focus on helping entities, especially those belonging to national critical infrastructures, at the local level.
Brewer’s 2nd suggestion offers an approach to achieving this. Here he is less concerned with the ‘shiny new security widgets of defence,’ than with the capabilities of the people using them. This can be both assessed & improved through regular use of cyber range stress-testing.
He suggests that NATO should be guided by the experience of the US Cyber Command (USCYBERCOM). This has 3 primary missions: defending DOD networks & systems, conducting offensive cyber operations, & building cyber partnerships.
Stress-Testing
It uses cyber range personnel stress-testing as part of its own training process. Here, the argument stems from the successful Navy, Marine Corps & Air Force famous ‘Top Gun’ training program, established in 1969.
During the Vietnam War, the US lost 1 aircraft to every 2.8 lost by the enemy. This loss rate was considered too high & ‘Top Gun’ was established to teach pilots advanced manoeuvring techniques. Its success can be measured by the Gulf War& 37 Iraqi fighters shot down without losing one US aircraft.
‘Top Gun’
Cyber ranges can be seen as a cyber version of ‘Top Gun’, teaching security defenders how to defend networks under simulated battle conditions. Brewer believes that a NATO Cyber-security alliance could help the critical industries of member states become more resilient to both criminal & nation state attacks.
The suggestion from Brewer implies that a NATO Cyber Command would help secure the critical industries of all NATO members in the same way that US Cyber Command helps secure the US.
USCYBERCOM
This does not imply that USCYBERCOM does not already assist its allies (it has teams that will, as required & requested, help its allies to clear intruders from their networks).
But a NATO Cyber Command would be more effective in imposing the trickle-down security effect upon NATO national infrastructures.
In terms of cyber-security, the ‘big bad wolf’ is already here & not over there in Russia or China.
NATO Cyber Command
Assuming NATO can play a greater part in the cyber-security of its members, possibly through a more formal NATO Cyber Command, the question then becomes ‘what should we hope for?’
A common hope is that NATO should become more initiative-taking – as a bloc – against cyber threats. “Practically, this would require allies to openly share attack information, threats, and as importantly, partner with the private sector to build resilient environments to attacks,” suggests Dave Gerry, CEO at Bugcrowd. “Threats from countries like Russia, China & Iran have never been higher and NATO members must actively respond accordingly.”
More Assertive
A more assertive & active role by NATO would underline that this defence ‘has teeth.’
“NATO has made it clear that an intense cyber-attack on a member nation could be ‘tantamount to an act of war,’ potentially invoking Article 5 of the North Atlantic Treaty,” comments Callie Guenther, cyber threat Research Senior Manager at Critical Start.
“It signifies that the international community is starting to view cyber-attacks not just as criminal or disruptive activities but as potential acts of aggression that may warrant collective defence.”
‘Locked Shields’
Coming from a military alliance, a NATO Cyber Command would alter the perception of Locked Shields (NATO’s annual international cyber defence exercise organized by the NATO Co-operative Cyber Defence Centre of Excellence, CCDCOE, in Tallinn, Estonia) to Shields with Spear. Cyber should perhaps be more openly considered a ‘deterrence’ option.
Also, Craig Jones, VP of Security Operations at Ontinue, would like to see more cyber diplomacy from NATO. “Establish a NATO Cyber Ambassador role, someone who can advocate for cyber-security norms & practices on a global stage,” he says.
Cyber Treaties
“This individual could negotiate cyber treaties with other countries, including the likes of Russia, China, Iran, & North Korea. That office could also work to de-escalate tensions & prevent cyber conflicts.”
Outwardly, a NATO Cyber Command would show conciliatory stance – ‘we mean no harm to anyone, but do not test us.’
However, almost all cyber-security experts agree that NATO should spend greater effort in improving the security of nations’ critical industries & that much of this can be done through testing & training.
Criminal Extortion
NATO’s defence cannot simply rely on deterring nation state aggression. The same harm could be done to national economies through criminal extortion against the critical industries as through nation state aggression.
“It is always essential to put 100% effort into protecting critical infrastructure,” warns John Anthony Smith, CEO at Conversant Group.
“Threat actors probe & make attack attempts virtually continuously & the consequences of complacency could be catastrophic (including but not limited to war). We often find time & effort is not being spent in the right places to properly defend against actual attacks.
Regular Assessments
Since there is no overseeing authority over critical infrastructure bodies, we recommend each entity undergo regular assessments to understand & prioritise existing weaknesses.”
A NATO ‘Cyber Command,’ with specific oversight of critical industries, would go a way to solving this.
Jones lists some of his hopes, including national cyber-security ‘scorecards,’ similar to individual company scorecards but on a national scale. “This would evaluate each country’s cyber-security efforts, infrastructure, readiness, & response capabilities.
‘Scorecards’
The scorecards could be used to identify weaknesses, enhance accountability, & drive improvement,” he suggests.
Stress testing would simulate worst-case scenarios, such as simultaneous cyber-attacks from multiple adversaries, to assess how well the alliance can respond & recover. A citizen training campaign should be implemented.
“It could cover online hygiene, recognising phishing attempts, & securing personal data. An informed public can be the 1st line of defence against cyber threats,” he observes.
NATO Innovation Challenge
On innovation, he would like to see a NATO innovation challenge. “This could speed up innovation, uncover novel solutions, & attract fresh talent to the field. Invest in advanced technologies like artificial intelligence (AI) & machine learning (ML) to predict & detect cyber threats in real-time.
These tools can process vast amounts of data to identify patterns & anomalies that could signify an impending cyber-attack.”
Improved threat & intelligence sharing could be promoted through an international cyber-security exchange program, where cyber-security professionals from 1 country spend time in another. “This would encourage the sharing of knowledge, foster stronger relationships, & promote a unified approach to cyber defence,” he adds.
Cyber-Security Posture
NATO should promote a more unified & aligned cyber-security posture.
“Cyber-security is both national and international security & must be prioritised as such.
Protecting the critical infrastructure of NATO nations & the services that people rely on from cyber-attacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating,” summarises Darren Guccione, CEO & Co-Founder at Keeper Security.
A formal NATO Cyber Command could do as much for the cyber-security of individual members of NATO as ‘USCYBERCOM’ already does for the US.
