Sean Gallup/Getty Imagess
- NATO has increased its focus and spending to confront cyber threats.
- However, it's still not clear that the alliance has unifying standards and definitions for those threats.
- A lack of unity creates problems for the public in understanding the threat and for governments in responding to them.
NATO leadership appears to be in agreement that cyberattacks and forms of hybrid warfare that involve it are a growing threat to the alliance, but it's still not totally clear how its members define and evaluate that threat, and that raises questions about how they'll respond to an attack.
In late 2014 - several months after the Russian annexation of Crimea and incursion into Ukraine - NATO leaders agreed that a large-scale cyberattack on one member could be considered an attack on the entire alliance, potentially leading to a military response.
"Today we declare that cyber
REUTERS/Ints Kalnins
The emphasis on the cyber realm grew considerably in 2017.
At the beginning of that year, NATO announced plans to spend more than $3 billion to upgrade its satellite and computer technology over three years, including some $900 million on computer systems that help command air and missile defenses and $80 million to improve protection against cyberattacks at NATO's 32 main locations.
At the end of that year, NATO announced plans to increase its cyber-defense capabilities, adapting its command structure to integrate cyber weapons into its military operations in what one of the alliance's former cyber-defense advisers called one of the organization's biggest policy changes in years.
Cyberattacks, along with other forms of hybrid warfare that fall short of open combat, have complicated things for NATO, current Secretary General Jens Stoltenberg said in September.
With cyber operations, Stoltenberg said, "it's very hard to tell exactly who attacked you. It's very hard to say exactly where it takes place."
"So we live in a ... completely different security environment with a more blurred line between peace and war," he added.
In an interview on the sidelines of the UN General Assembly in New York City, Spanish Prime Minister Pedro Sanchez echoed that view.
"In my opinion, cybersecurity, a fight against hybrid wars or strategies, is one of the major challenges for NATO," Sanchez said during an interview with Reuters, adding that the alliance needs to remain vigilant on its eastern and southern frontiers as well.
Despite the growing focus and increased spending, NATO's response to cyber threats appears to have a problem with definitions - namely, what constitutes an attack and how severe it is.
In late 2017, after officials from France, NATO, and the EU offered several widely varying tallies of cyberattacks in 2016, Stefan Soesanto, a former cybersecurity and defense fellow at the European Council on Foreign Relations, asked their agencies to ask what incidents were included in their totals and if their standards were public, receiving no response or no comment from each.
"But without published standards and discernable metrics, such warnings are of no real value to the public," Soesanto wrote for Defense One in September.
US Cyber Command
"We simply do not know whether 6,000 annual attacks against NATO's infrastructure is a lot or whether any of the 24,000 attacks against the French [Ministry of Defense] were serious," Soesanto added. "All we know is that something was counted by someone somehow to somewhat explain the threat environment."
Further inquiry found that even within countries, different agencies had different definitions for what constituted a cyberattack and different ways of determining their severity.
This incoherence creates several problems, according to Soesanto.
The lack of a unifying standard will lead public officials to over- and under-state such incidents, which in turn undermines the public's ability to understand the threat.
A lack of cohesion also hinders cyber-defense efforts within and between governments, and, perhaps most important, muddies the rules of engagement.
"NATO member states are embroiled in discussing cyber deterrence frameworks, offensive operations, and creating norms and rules for state behavior in cyberspace, they have still not reached consensus on how to actually count and categorize cyber incidents across the alliance," Soesanto writes.