Protecting the Global Commons: NATO and Cyberspace
Cyberspace, the “wild west of the global commons”, is a
domain characterised by speed, automation, anonymity
and a rapid pace of technological advancement, rendering
it a very difficult environment for security actors. Vital
international financial transactions and confidential alliance
military data traverse the cyberspace domain. Yet
the relatively low cost of a sophisticated attack makes it
an asymmetric field. A major cyberattack has the potential
to destroy fundamental infrastructures on a massive
There is thus “dire need for urgency” in improving NATO
cyberdefence, as cyberspace has already proven to be
an area of immense vulnerability. The compromise of US
military databases in 2008 and the cyberattack on Estonia
in 2007 were cited as major breaches of alliance security.
These attacks, largely untraceable, demonstrated
the “advanced persistent threat” faced by NATO member
states in cyberspace.
The basis of an effective cyberdefence strategy is a proactive
stance. Passive defences such as healthy computer
maintenance can only go so far. To truly protect
assets in cyberspace, NATO will need to look beyond its
own systems. This will require technical expertise largely
beyond the military competency of the alliance, making
industry and commercial actors key partners of a comprehensive
approach to security.
Potential tools for identifying and neutralising weaknesses
include an increased intelligence awareness of
the cyberspace environment. In spite of the work of the
Cooperative Cyber Defence Centre of Excellence, the
historical difficulty of identifying perpetrators after an attack
illustrates the need for increased alliance tracking
capabilities. This is an area where the US is leading
within the alliance, raising the question of burdensharing.
Several key conceptual questions remain when outlining
exactly what kind of responses NATO could prepare for
cyberdefence. A lack of “red lines” in cyberspace means
that the alliance’s existing collective defence guarantees
are vague. NATO may even need to redefine the parameters
of an “attack” to include cyber threats.
Yet the question of retaliation raises concerns with some,
who do not feel comfortable advocating offensive capabilities
that may form some sort of “cyber-deterrence”
regime. The likelihood that future cyber-attacks will originate
from far outside the north Atlantic area provides
challenging questions about NATO’s “out of area” defence
remit. Therefore a counter-attack across cyberspace
as an Article 5 response, though not theoretically
inconceivable, is currently unlikely.
However, the sheer size of cyberspace diminishes
NATO’s role in this global common. The combined internet
users of China and India alone far outnumber the
alliance states. There is currently no “natural leader” in
NATO has to accept that much of cyberspace’s infrastructure,
and many of the actors within it, are beyond
the reach of the alliance. Yet this lack of leadership also
gives NATO the opportunity to step forward and set the
international agenda on securing cyberspace, ensuring
its interests are represented in this rapidly evolving field.
Intercepting cyber-threats will require NATO to rely upon
the assistance of non-military security services, as well
as the technical co-operation of industry experts.
Atlantic Council: Protecting the Global Commons