What Is NATO Really Doing in Cyberspace?

Two years ago, I received orders to NATO and arrived at Supreme Headquarters Allied Powers Europe in Mons, Belgium in July 2017, thinking this would be my sunset vacation tour: a great way to wrap up 28 years of service in the Air Force by taking in all the sights and flavors Europe has to offer. In fact, I think that’s exactly how my assignments officer described it to me. Those thoughts were quickly dashed when I realized I had landed on the bow wave of a historical undertaking: For the first time in its nearly 70-year existence, NATO had just recognized a new domain of operations — cyberspace. I also realized I had been presented a rare opportunity to play an influential role in designing an operational capability from the ground up, and the demand signal to produce it was intense. Then the scope of the challenge dawned on me: Defending the cyberspace interests of a nation is one thing, but defending the same for an alliance of 29 is another. Fortunately, I found myself surrounded by an enthusiastic, multinational team of professionals, up and down the chain of command, who were up to the task. Suffice it to say, we’ve been busy, and part of the challenge has been accurately describing what we’re trying to accomplish.

So I’d like to share some facts behind NATO’s decision to operationalize cyberspace, and what’s happened since, by using the 5 W’s and an H: who, what, when, where, why, and how — though not necessarily in that order. Let’s begin with a look at what has transpired.

What’s the Deal with NATO in Cyberspace?

NATO, through a communique signed by the alliance’s heads of state, officially recognized cyberspace as a domain of operations at the Warsaw Summit in 2016. This was historic in that it was the first time in NATO’s existence that it added an operational domain to the air, land, and maritime domains. This is a similar approach to how states have organized themselves for military operations: recognizing the places in which they must operate as “theaters,” which consist of geographical boundaries placed under the command and control of a senior commander. Cyberspace, though not geographic in nature, will now be recognized and planned for in a similar manner to the physical domains. Space remains, for the time being, connected to the air domain from NATO’s perspective.

In February 2017, the alliance’s defense ministers approved the “Roadmap to Implement Cyberspace as a Domain of Operations,” commonly referred to as the “Cyberspace Roadmap.” This three-year plan (which is an internal operational document and therefore not releasable to the public) is designed to enable NATO’s ability to achieve mission assurance and conduct cyberspace operations. The two military entities of the NATO Command Structure — Allied Command Operations and Allied Command Transformation — both have responsibilities and must report on their progress to implement the “Cyberspace Roadmap.” The latter’s role is largely conceptual, tending to policy and doctrinal matters of cyberspace operations, while the former is charged with realizing NATO’s operational capabilities in cyberspace.

Though elements of cyber security have existed throughout the alliance for years, execution of cyberspace operations in NATO is unprecedented. NATO has clearly stated it will not execute offensive cyberspace operations by NATO personnel under the NATO flag. There’s a caveat however — it will, when deemed necessary, integrate sovereign cyberspace effects from allies who are capable and willing to provide them. Several nations have publicly declared their willingness and capability to do so, including the United Kingdom, the United States, the Netherlands, Estonia, and Denmark.

Why Is Cyberspace a Domain of Operations?

Simultaneous to the efforts described above, NATO is also in the midst of an effort called ‘NATO Command Structure Adaptation,’ which is a restructuring of the military staff organizational design in response to developing security threats to the Alliance. This is resulting in, for the first time since the end of the Cold War, significant growth in the numbers of personnel the nations will contribute to the NATO command structure. Some of those personnel will contribute to cyberspace operations, because cyberspace actors have demonstrated the will, capability, and intent to use cyberspace as a means to conduct aggressive tactics against the alliance. Among them are state-sponsored and non-state-sponsored actors, some of whom are active in the cyberspace domain, and have acted against NATO directly, as well as against NATO allied nations and partners.

Who Are NATO’s Cyberspace Defenders?

The North Atlantic Council is the principal political decision-making body in NATO, representing the heads of state of all 29 nations in the alliance. As explained earlier, NATO heads of state and government made the declaration recognizing cyberspace as a domain of operations. They also, at the July 2018 Brussels Summit, declared that NATO would establish the Cyberspace Operations Centre in Belgium. The center launched in August 2018 and, still in its early stages of development, is the central hub of cyberspace operations in the alliance, but its primary role is to orchestrate the efforts of numerous, existing, and well-established elements, inside and beyond the command structure, to execute cyberspace operations.

NATO headquarters in Brussels conducts several committees and boards that provide governance, doctrine, and policy for numerous efforts, including cyberspace operations. Among them are the Military Committee, the Cyber Defense Committee, and the Cyber Defense Management Board. These entities set the parameters and identify roles and responsibilities for cyberspace activities.

Responsibility to defend NATO in cyberspace “as effectively as in Air, Land, and Maritime” environments belongs to the head of Allied Command Operations, the Supreme Allied Commander Europe, who has domain advisors for each operational domain: the commanders of Air Command, Land Command, and Maritime Command. In a prudent measure, the center stood up within Allied Command Operations headquarters in Mons, Belgium — the Supreme Headquarters Allied Powers Europe. In this manner, the Cyberspace Operations Centre can leverage the strategic staff capabilities of the existing headquarters without having to provide them for itself, which also serves to hasten its development. The center functions as the theater component for cyberspace, just as the geographic commands do for their respective operational domains. The deputy chief of staff for cyberspace is the supreme allied commander Europe’s domain advisor for cyberspace. The director of the Cyberspace Operations Centre reports to the deputy chief of staff for cyberspace.

How Will the Cyberspace Operations Centre Defend NATO in Cyberspace?

The Cyberspace Operations Centre cannot defend NATO in cyberspace all by itself. That will require a NATO-wide approach — and beyond.

The center’s mission is three-fold: providing situational awareness of the domain, planning for the cyberspace aspects of allied operations, and managing the execution of operational direction to ensure freedom of maneuver in all domains affected by cyberspace activities.

The center executes its mission at both the strategic and operational levels. It supports commanders with strategic domain advice, planning support, and integration of effects via Cyberspace Operations Centre liaison elements who are tasked to directly support the regional joint force commands and, when necessary, joint task force commanders.

The Cyberspace Operations Centre provides the central role of cyberspace defense, and it collaborates with several entities to do so. In order to achieve situational awareness, it needs intelligence from NATO’s member nations. There are intelligence analysts embedded within the center to request intelligence from the nations and assess it, and there are other intelligence organizational elements which support that function, including the NATO Intelligence Fusion Centre and Allied Command Counter-Intelligence. The Cyber Threat Assessment Cell at NATO headquarters provides additional information from a political assessment perspective.

Another key player is the NATO Communications and Information Agency. The agency is the primary communications and information service provider for NATO and, like every service provider, one of its main service lines is cyber security. Cyber security, a subset of cyber defense operations, is a set of practices and procedures necessary to protect networks and the information that resides in them. As such, the agency needs to persistently report the status of NATO networks to the Cyberspace Operations Centre, manage routine cyber security incidents from a technical perspective, and respond to operational direction from the Cyberspace Operations Centre when incidents have operational impact. The agency needs to continue its cyber security operations, and continuously enhance them, as NATO seeks to strengthen its cyberspace defense stance.

While the agency is largely responsible for the provision of static networks, the NATO Communications and Information Support Group extends them where they are needed operationally for deployed forces. Likewise, the group needs to respond to operational direction from the Cyberspace Operations Centre through its deployed coordination cell.

The Cyberspace Operations Centre will also need liaison with its counterparts in allied nations to share information contributing to situational awareness. Those mutually beneficial relationships are in development.

Where in Cyberspace Will NATO Operate?

Cyberspace itself is ubiquitous and amorphous. It does not exist without networks and systems and the information that transits and resides in it. While NATO can, does, and will directly defend its owned and operated information technology assets, it cannot directly defend sovereign systems brought to bear by nations as part of the NATO force structure. Those systems should be defended by the nations who own them. Likewise, the status of critical national infrastructure belonging to the allies can have an operational impact on the alliance. The nations, through the Cyber Pledge, have indicated their intent to continually improve the cyber defenses of their national infrastructures and networks as a matter of priority, and their success in doing so is important to the security of the alliance.

Finally, cyberspace, including commercial capabilities and the internet, is, by nature, interconnected. The Cyberspace Operations Centre needs to attain and maintain situational awareness of global events in cyberspace, primarily through media and commercially available means, and be able to track and assess them for potential and eventual impacts on NATO missions. The ultimate goal is to be able to successfully operate in a cyber-contested environment, and cyberspace is the only domain that is always contested.

When Will NATO Begin Operationalizing Cyberspace?

The process is already well underway. Though the Cyberspace Operations Centre itself has only been in existence for a few months, planning for the capability has been underway for over a year, and many resources already present within Allied Command Operations headquarters have been reallocated to help with the rapid development of the Cyberspace Operations Centre.

That’s not to suggest all the work is done. As part of the command structure adaptation, new posts identified to help man the Cyberspace Operations Centre must go through a bidding process with the allied nations to decide which nations will support specific posts. Those posts must then be filled, which typically happens during summer rotations. Some nations have declared their desire to support NATO’s cyberspace development by pledging to rapidly fill vacancies; that will be important for the Cyberspace Operations Centre to increase its operational capability as soon as possible. There are also capability packages, some already in the process of being fielded and some yet to be documented, which will be important to support decision-making in the cyberspace domain.

In the meantime, the personnel already assigned to the center are busy refining situational awareness, developing standard operating procedures, updating all existing operational plans, and planning for the training and development of cyberspace forces.

One Last Question: What Happens Next?

If you’ve ever heard the phrase “we’re building this plane in the air,” it’s an appropriate analogy for NATO’s venture into cyberspace. The world is not waiting for us to tell them we’re ready to fight. The fight is already here, and the men and women charged with the operationalization of cyberspace on NATO’s behalf are engaged. Cyberspace aggressors would do well to recognize the resolve of the alliance in cyberspace is as strong as everywhere else NATO has interests.

Every NATO exercise from this point forward will contain a cyberspace aspect. This holds true for every real-world engagement too — nothing happens in military operations without a cyberspace element to it. Modern warfare is enabled by, and sometimes is conducted in, cyberspace, often combined with one or more of the other domains. A nation, or single actor, can even achieve a desired effect exclusively in or through cyberspace. The 29 heads of state of the alliance know it, and that’s why cyberspace is now NATO’s fourth operational domain.

NATO’s resolve to deter aggression against its member states hasn’t changed. It simply now extends from the physical world to the virtual one.


Don Lewis is a colonel in the U.S. Air Force, presently assigned as deputy director of the Cyberspace Operations Centre, Supreme Headquarters Allied Powers Europe, Mons, Belgium. The views in this article do not represent those of the U.S. Air Force, NATO, or any part of the U.S. government.

Image: NATO