
Given the proximity of the conflict to neighboring NATO member states, it is unsurprising that the cyberwar between Russia and Ukraine has extended beyond the borders of the two countries, as state and nonstate actors expanded their targeting to third-party countries, including those in the NATO alliance, who have taken sides in the conflict. To be fair, NATO expected a cyberwar to erupt toward the end of 2022 when it expedited its Cyber Coalition exercise, which tested how the coalition and other allies would collaborate in response to simulated cyber attacks on critical infrastructures. So the fact that Russian nationalist hackers, at least, targeted those NATO countries actively providing support to Ukraine has not been a total surprise.

But the cyber part of the Ukraine conflict has raised important questions as to NATO’s role in geopolitical cyber conflicts, and how the alliance can become a valuable resource in helping reduce the volume and severity of attacks that occur during these periods. An alliance consisting of 31 members, NATO has visibility over a lot of geographic territory, which should enable it to be more proactive and respond promptly to natural, humanitarian, and geopolitical crises before they escalate. As cyberspace has demonstrated numerous times, this ability is essential when it comes to cyber attacks, which occur instantaneously and often without warning, and where immediate sharing of threat intelligence is essential to managing attacks and mitigating their consequences.

While NATO already benefits from its members’ various degrees of cyber expertise, the situation in Ukraine has underscored the possibility of the alliance forming a more formal Cyber Command (N-CYBERCOM), mirroring the mission responsibilities of U.S. Cyber Command, with specific oversight of critical infrastructure protection of its member states. Presumably, N-CYBERCOM would have components and capabilities similar to those of its American counterpart, featuring both defensive and offensive missions. Ostensibly, N-CYBERCOM could be the key organization within NATO to assist each member state’s cybersecurity efforts, help identify weaknesses, provide best practices, and thereby drive standardization across the alliance with respect to security standards and accountability. When cyber incidents impact member states, N-CYBERCOM tiger teams can quickly deploy to the areas while maintaining operational reach-back to capitalize on the technical expertise of the command.

But perhaps the truly compelling aspect of a formalized N-CYBERCOM is the potential offensive capabilities such an entity could bear, especially drawing upon the skillsets and resources of countries like the United States, Canada, France, Germany, the Netherlands, and the United Kingdom. Considering these countries also ranked in the 2022 Belfer Study’s top ten nations in national cyber power, the prospect of melding these capabilities creates an understandable excitement. Hunt-forward operations as conducted so far by the U.S. Cyber Command would certainly send a message to hostile state actors that their activities may fall under the scrutiny of NATO if deemed to meet a threshold for retaliation. While this wouldn’t necessarily deter state activity, it might reduce its volume, or at least make states think twice before sanctioning a cyber attack. Furthermore, an N-CYBERCOM would give NATO more bite to its bark. The ability to deploy resources such as hunt-forward teams backs up the alliance’s assertion that a cyber attack could invoke Article 5 responses if deemed severe enough. Via N-CYBERCOM, NATO would have the formalized resource to conduct swift cyber retaliation.

What’s more, such a body would be instrumental in addressing brutal nonstate actor cyber attacks against a country’s critical infrastructure. Two examples of this are the 2007 distributed denial-of-service (DDoS) attacks that targeted Estonia after the removal of a Soviet-era war memorial, and the 2022 series of ransomware attacks against Costa Rica’s critical infrastructures. In the former case, the DDoS lasted 22 days, resulting in temporary degradation or loss of service on many commercial and government servers. In the latter, the Costa Rican government declared a state of emergency as the ransomware attacks impacted civilian life and caused severe economic damage. Both of these instances illustrate not only that nonstate actors have an interest in causing harm when it suits them, but also that they represent a clear threat to governments, possessing the necessary capabilities to disrupt and even destroy systems if so desired. Neutralizing them at the onset would have gone far toward bolstering the resilience of the targeted countries.

At a time when geopolitical events and tensions are playing out in cyberspace, the potential of an N-CYBERCOM seems beneficial and promising on paper, especially for the 31 countries in the alliance. However, there are some serious challenges that need to be addressed before it can become an effective and meaningful organization and not just one meant for optics. There would have to be strong guidelines and policies in place, given the different stakeholders that make up NATO, which in and of itself could be a hurdle. The degree to which NATO-friendly countries might call upon the alliance for assistance remains a question, as do the criteria by which N-CYBERCOM might go into action in response to a global cyber event not impacting NATO members. Per the NATO website, “All NATO decisions are made by consensus, meaning that all NATO member countries have reached agreement after discussion and consultation.” When it comes to engaging state actors in cyberspace, NATO members might find consensus on actions to be taken against an offender more challenging, as some may have political and economic interests to be considered that would influence their positions on such matters.

Another potential issue is the possibility that any cyber action may not be the triumph that some would hope or expect. Not all of NATO’s operations have proven successful in the past, and the same bureaucratic issues that plagued conventional missions might come into play here as well. Some obvious successes of NATO include helping constrain the Soviet Union during the Cold War, protecting its members from kinetic attack, and providing support to global crisis management operations. But there have been NATO operations where its involvement didn’t quite match expectations, including campaigns in Afghanistan, Bosnia, and Libya. Any N-CYBERCOM activity would have to have clear rules of engagement and mission expectations, and not be allowed fluid latitude in its operations, lest it risk unsanctioned overreach. This would have to be closely monitored with strict oversight to ensure that cyber activity does not cause the very escalation the deployment of such a capability is trying to prevent.

It’s clear that geopolitical conflicts draw in both state actors and nonstate sympathizers in cyberspace, a realm in which NATO needs to establish a credible presence. And given how cyber attacks are continuously used in these situations, and how the global community continues to struggle with identifying thresholds for response, an N-CYBERCOM could provide prompt defensive/offensive support to member states before attacks get out of hand. However, N-CYBERCOM would need to be judicious about when it helps out non-member states.

As already stated by one opinion piece, NATO cannot replace the United Nations as the global hub to resolve state differences, and as such, cannot and should not assume the role of the world police for cyberspace.  Therefore, it will need to be able to judge for itself what conditions need to be met before coming to the assistance of those states outside its alliance purview.

Nevertheless, a centralized body monitoring NATO members’ cyberspace makes sense given the capabilities and resources at the alliance’s disposal. The trick will be trying to harmonize such an enterprise and streamline its operational structure. But that just requires careful planning and a clear understanding of the mission it intends to follow. It could benefit from member states that already have such a structure in place, such as the Netherlands, Spain, the United Kingdom, and the United States, and would require members to share cyber weapons at least on some level (which they currently do not) or work collaboratively on cyber weapons for the sake of the alliance. NATO’s future successes will largely depend on its ability to adapt to the times and change as needed. And after what’s transpired in and around Ukraine, and with an eye toward other potential geographic hotspots that could quickly erupt, this is clearly one of those times.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.