By BROOKS TIGNER
BRUSSELS – Cyber defence has grown from a side-show only a few years ago to a major – if not the – focus of attention for any organisation with critical information or infrastructure to protect. For international organisations with a security mandate such as NATO, there is the additional challenge of how and whether to engage in cyber-offence manoeuvres. The UK’s 12 March announcement that cyber-offence is now “game on” against Russia for its nerve gas tactics on British soil is only the latest sign of the central place cyber now occupies in the policy tool box.
Indeed, NATO is quietly shedding its defence-only cyber stance to make room for cyber-offensive options if needed. But across town at the EU the official mantra rests insistently on a cyber-defensive basis.
How the two will reconcile this strategic divergence is not obvious. Nor is it evident how they will attain the cyber cooperation objectives they’ve already agreed to pursue in common. Why? Because two substantial obstacles stand in their way: one short-term, the other long-term.
The short-term problem is linked to the allies’ 14 February decision to reform their military command structure. Most of the reform is focused on speeding up NATO’s ability to respond to physical threats to its home territory by deploying troops and material faster across Europe.
But part of the command reform also calls for creating a new cyber operations centre (CoC) within SHAPE. It would coordinate and exploit the cyber capabilities of national militaries. Those capabilities could be used help defend NATO’s own IT and battlefield networks or exploited as a resource for NATO’s military commanders during operations and missions. The overall reform awaits allied leaders’ approval in July 2018.
CoC’s structure is more or less agreed and would be similar to that of Europol, the EU’s police agency. National cyber liaison officers will work alongside NATO’s operations and technical experts within SHAPE’s military headquarters in Mons.
There is a struggle between NATO and the allies, however, over the control of the allies’ cyber skills within CoC. NATO wants iron-clad assurance it can turn to those skills when needed and, when necessary, fold them into its command chain during a crisis. National capitals are pushing back against this, arguing that their liaison officers will “facilitate” cyber-operations by reaching back to their national commands on behalf of NATO without assigning the assets to SHAPE. They fear that the nature of their cyber capabilities – or their vulnerabilities – could be revealed.
As one NATO official told SECURITY EUROPE on 27 February, “There are a lot of national sensitivities involved [and] we’ve only got about four months to get this arranged.”
One suspects that whatever arrangements are made, they will be hedged with options for yanking back national capabilities if circumstances dictate. But even if CoC’s arrangements satisfy both sides, the question remains: how easily will that fit into the cyber cooperation ambitions of NATO and the EU?
If the allies resist so much the transfer of their cyber skills to NATO, would they accept the idea of the latter autonomously deploying those skills on the EU’s behalf? That seems very doubtful.
Which points to the other, long-term obstacle to EU-NATO cyber cooperation. So far, their collaboration has entailed the following: exchanges of policy documents and doctrine, exchanges of malware threats between SHAPE and the European External Action Service (the EU’s foreign policy wing), alignment between NATO and the European Defence Agency of their respective cyber-training curricula, cross-participation of observers at NATO and EU cyber exercises, consultations between experts, and so forth.
Both side will insist that these are big steps forward compared to even just a few of years ago. And they are – in relative terms. But in absolute terms, these are not big leaps of substance.
Substance would involve the organisation of full-fledged joint EU-NATO cyber exercises or the sharing of classified information about cyber threats or the exchange of detailed real-time threat data beyond tagging new malware to each other. What about sharing capabilities or divulging to one another how each is protecting or tracking attacks against Europe’s critical infrastructure. NATO and the EU do none of those things.
Why aren’t they doing these things, which common sense would suggest are critical if serious cyber-attacks are to be averted?
Two reasons here. One is the usual red herring of mistrust – or the military’s innate reluctance to release anything beyond officially approved statements (in other words nothing).
The other reason is Turkey. Shared EU-NATO situational awareness, deep-focus threat assessment and sensitive lessons learnt cannot advance as long as Ankara’s allied veto stands in the way of official EU-NATO cooperation.
While Turkey has long let pass the informal exchanges of unclassified and low-clearance documents between the two organizations, one doubts it would ignore unfettered exchanges of highly sensitive or classified operational cyber data. All the more so, given Ankara’s increasingly touchy political relations with both NATO and the EU.
That touchiness and Turkey’s long-standing membership spat with the EU look set to continue for well into the future. If so, then the prospects for deep-dive operational cooperation in cyber between NATO and the EU look equally distant.