Erica D. Lonergan
NATO members are in the midst of a crisis. With Russia massing troops along its border with Ukraine and moving additional forces to Belarus ostensibly to conduct joint military exercises, policymakers fear that Russia is on the precipice of invading Ukraine and taking additional territory by force—similar to Russia’s annexation of Crimea in 2014. But, even if Russian President Vladimir Putin ultimately chooses not to launch a direct, conventional invasion of Ukraine, it is highly likely that he will continue to pursue Russian strategic objectives in the gray zone short of war. The crisis over Ukraine underscores the challenges NATO faces in competing with Russia in the gray zone—especially in cyberspace.
Russia has no such limitations in the gray zone. In addition to traditional forms of irregular warfare, such as the use of plausibly deniable proxy forces (Putin’s “little green men”), Russia has long relied on cyber operations to subvert and undermine rival governments while avoiding actions that would cross a threshold prompting an overwhelming retaliation. Indeed, in tandem with Russia’s conventional military buildup, Ukrainian government agencies were struck with a spate of website defacements. Microsoft also revealed that it had discovered destructive malware in some Ukrainian government systems, which Ukrainian officials have linked to the Belarusian group GhostWriter. Belarus has close ties to Russia, and observers have speculated that Belarus may have been operating in cyberspace on Russia’s behalf.
While Ukraine is not a NATO member, the current situation underscores the enduring strategic challenge the alliance faces in addressing the cyber threat posed by Russia and other actors. In particular, because cost imposition is an integral part of any deterrence strategy (and has been part of NATO’s conventional deterrence strategy), the alliance has begun to explore how it could incorporate offensive cyber operations as a component of its cyber deterrence posture. But, while NATO took important steps to address cyber defense, it took nearly a decade after Russia’s 2007 cyberattack against Estonia to begin to seriously address the issue of offensive cyber operations. Moreover, NATO cyber policy has traditionally focused on cyber operations in a warfighting context—a focus that comes at the expense of considering cyber operations below the level of warfare. As the recent cyberattacks against Ukraine illustrate, the gray zone just beneath the threshold of armed conflict is where NATO faces its most significant cyber threats. With NATO in the middle of conducting a comprehensive initiative, NATO 2030, to strengthen the alliance, it should incorporate an assessment of the role of cyber operations in routine competition.
Offensive Cyber Operations in NATO Strategy Above and Below the Level of Warfare
Historically, NATO’s cyber posture has largely focused on defense and resilience—and this continues to form the bulk of NATO’s approach. The alliance maintains that its “main focus in cyber defence is to protect its own networks (including operations and missions) and enhance resilience.” At the 2014 Wales summit, NATO endorsed the Enhanced Cyber Defence Policy, which affirmed that cyber defense is part of collective defense and that the alliance would incorporate cyber defense into its planning and operations. In 2016, NATO members pledged to improve their cyber defenses through training, education, exercises, and information sharing.
But the seeds were also planted in 2016 for NATO to consider a potential role for offensive cyber operations. That year, the alliance recognized cyberspace as a domain of military operations, comparable to land, sea, and air. At the 2018 Brussels summit, NATO began to more seriously consider offensive cyber operations. Specifically, NATO created the Cyberspace Operations Centre to coordinate requests for member states to provide offensive cyber effects through the Sovereign Cyber Effects Provided Voluntarily by Allies process. Following the 2018 summit, then-Secretary of Defense James Mattis stated in a press conference that five states—the United States, the United Kingdom, Denmark, the Netherlands, and Estonia—were contributing cyber forces to “help NATO fight in this important domain.” More recently, in June 2021, NATO convened in Brussels and committed to a Comprehensive Cyber Defence Policy. A key feature of the new policy is the prominent role of offensive cyber operations. In Brussels, member states committed to “employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats.”
NATO’s shift to incorporating offensive cyber operations into existing strategy and policy has focused on integrating offensive effects into conventional military plans and operations in the context of a conflict. While NATO’s updated strategy is a positive development, its limited focus on conflict scenarios for employing cyber power fails to accurately account for the cyber threat environment NATO faces—particularly the mismatch between the alliance’s clear distinction between wartime and peacetime and the approach of adversaries like Russia, who adopt a competition-conflict continuum. Additionally, the focus on employing offensive cyber during a high-end conventional fight is also not consistent with how several NATO members are already engaged in gray zone offensive cyber operations.
The primary threat to NATO allies in the cyber domain is not from high-end, decisive cyberattacks. Instead, cyber threats more frequently and effectively manifest as gray zone tactics designed to have a corrosive effect without rising to the level of warfare. There are numerous examples of this type of threat. For instance, in July 2021, NATO publicly condemned a range of malicious cyber behavior, including the Microsoft Exchange hack (which NATO attributed to China) and ransomware attacks targeting critical infrastructure. Russia has leveraged cyber and disinformation operations to interfere in democratic elections in the United States in 2016, 2018, and 2020; France in 2017; and Germany in 2017 and 2021—to name just a few examples. Russia also conducted distributed denial-of-service cyberattacks against government websites in Montenegro during the lead-up to, and following, Montenegro’s accession to NATO in 2017. And when NATO forces were positioned in the Baltics beginning in 2017 as part of NATO’s enhanced forward presence, two threat actors, GhostWriter and Secondary Infektion, conducted a range of disinformation campaigns.
Additionally, the reality is that several NATO members are already speaking publicly about offensive cyber operations below the level of warfare and their statements and actions have an effect on the entire alliance. In particular, NATO member nations have not reached a political consensus about the role of offensive cyber operations. In 2018, the US Department of Defense and US Cyber Command issued new strategy and policy documents that articulated a role for the military in conducting offensive cyber operations below the level of armed conflict outside of US-controlled cyberspace (part of the “defend forward” strategy), and there has been some reporting about US offensive cyber operations. For instance, in 2018 the United States disrupted the Russian-linked Internet Research Agency from interfering in the midterm elections. And, more recently, in December 2021 General Paul Nakasone, commander of US Cyber Command, publicly acknowledged that the military played a role in disrupting ransomware groups targeting critical infrastructure. The United States has also worked with other NATO allies, such as Estonia and Montenegro, to conduct “hunt forward” cyber operations on allied and partner networks to uncover and disrupt malicious cyber activity.
Other NATO allies have also been more transparent about offensive cyber operations. In 2020, the United Kingdom announced a significant investment in its National Cyber Force, its organizational arm for offensive cyber operations, and its 2022 National Cyber Strategy emphasized the role of offensive cyber operations. In November 2021, General Nakasone and the director of Government Communications Headquarters—the UK government’s principal signals intelligence agency—stated jointly that the two governments were collaborating to “impose consequences” in cyberspace to disrupt adversary operations. The Netherlands has also publicly alluded to conducting offensive cyber operations.
Next Steps: Addressing Challenges and Mitigating Risks
Given the threat environment facing NATO, as well as the activities of several NATO members, the alliance should deliberately—but purposefully—consider incorporating offensive cyber operations below the level of armed conflict into its deterrence strategy. Any effort to explore a role for offensive cyber operations should also consider the challenges and risks that may come with doing so. A central challenge is that, at the political level, NATO allies lack consensus on the appropriate application of offensive cyber power—especially below the level of armed conflict. Addressing these disagreements among member states is essential because conducting offensive cyber operations often requires maneuvering through or operating on networks controlled by an ally or allies. Right now, NATO members do not collectively agree on the protocols and processes for partner actions in allied networks—and they also disagree on how to define sovereignty in cyberspace, or when an offensive cyber operation would rise to the level of an armed attack.
Offensive cyber operations for NATO also present real interoperability challenges. The role of intelligence in cyber operations is likely to complicate NATO planning processes. Even close allies are likely to be wary about sharing sensitive intelligence for a number of reasons. For instance, they may be averse to sharing information gleaned from signals intelligence collection, or a member state may be using the same exploits for both offensive action and its own espionage—including intelligence collection against allies. Or, allies may simply be worried that sensitive information may become exposed. On top of this, it’s challenging to adjudicate intelligence requirements among allies and to deconflict intelligence and military priorities. It is also not clear whether the alliance has established consensus thresholds that specify the conditions and timeline under which a state would have to notify others of its activities on their networks—if at all.
The alliance should account for, and address, these issues as NATO explores the prospect of incorporating offensive cyber operations below the level of armed conflict into existing NATO simulations and exercises that span the strategic, operational, and tactical levels. A number of important questions about how to coordinate offensive cyber operations and define roles and responsibilities remain unanswered. For instance, how could allies improve intelligence sharing to conduct more rapid attribution, enabling one state or the alliance to respond to adversary cyber activity? What are the conditions under which allies should consider dividing responsibilities for cyber campaign planning and developing accesses and capabilities against strategic targets in, for example, Russia? If some allies are responsible for offensive cyber operations against certain targets, what are the information-sharing and notification requirements?
Finally, there is an obvious risk that moving toward a more offensive posture in cyberspace will increase the likelihood of escalation. While these concerns should not be ignored, academic research has found little support for the argument that cyber operations cause escalation. That said, the alliance should consider how to strengthen existing confidence-building measures, particularly with Russia, to enable more effective communication and transparency about cyber operations. The expert consultations between Russia and the United States that both governments agreed to in June 2021, for example, or recent diplomatic dialogue between Russia and NATO members over the Ukraine crisis, are important to strengthen processes for crisis management and reduce the risk of instability—including that which may stem from cyber operations.
NATO has slowly begun to address the use of offensive cyber operations, and has generally limited itself to the use of these tools in traditional military campaigns. The ongoing crisis with Russia on Ukraine’s border is exposing the risk in this approach. NATO needs to figure out a way forward fast.
Dr. Erica Lonergan (née Borghard) is an assistant professor in the Army Cyber Institute at West Point. She is also a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University. Erica previously served as a senior director on the Cyberspace Solarium Commission. Retired Rear Admiral Mark Montgomery, US Navy, is the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Mark previously served as the executive director of the Cyberspace Solarium Commission. Follow Mark on Twitter @MarkCMontgomery. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.
The views expressed are those of the authors and do not reflect the official position of the Army Cyber Institute, United States Military Academy, Department of the Army, or Department of Defense.