Protecting the Global Commons: NATO and Cyberspace

Protecting the Global Commons: NATO and Cyberspace

Cyberspace, the “wild west of the global commons”, is a 
domain characterised by speed, automation, anonymity 
and a rapid pace of technological advancement, rendering 
it a very difficult environment for security actors. Vital 
international financial transactions and confidential alliance 
military data traverse the cyberspace domain. Yet 
the relatively low cost of a sophisticated attack makes it 
an asymmetric field. A major cyberattack has the potential 
to destroy fundamental infrastructures on a massive 
scale. 

There is thus “dire need for urgency” in improving NATO 
cyberdefence, as cyberspace has already proven to be 
an area of immense vulnerability. The compromise of US 
military databases in 2008 and the cyberattack on Estonia 
in 2007 were cited as major breaches of alliance security. 
These attacks, largely untraceable, demonstrated 
the “advanced persistent threat” faced by NATO member 
states in cyberspace. 

The basis of an effective cyberdefence strategy is a proactive 
stance. Passive defences such as healthy computer 
maintenance can only go so far. To truly protect 
assets in cyberspace, NATO will need to look beyond its 
own systems. This will require technical expertise largely 
beyond the military competency of the alliance, making 
industry and commercial actors key partners of a comprehensive 
approach to security. 

Potential tools for identifying and neutralising weaknesses 
include an increased intelligence awareness of 
the cyberspace environment. In spite of the work of the 
Cooperative Cyber Defence Centre of Excellence, the 
historical difficulty of identifying perpetrators after an attack 
illustrates the need for increased alliance tracking 
capabilities. This is an area where the US is leading 
within the alliance, raising the question of burdensharing. 
Several key conceptual questions remain when outlining 
exactly what kind of responses NATO could prepare for 
cyberdefence. A lack of “red lines” in cyberspace means 
that the alliance’s existing collective defence guarantees 
are vague. NATO may even need to redefine the parameters 
of an “attack” to include cyber threats. 

Yet the question of retaliation raises concerns with some, 
who do not feel comfortable advocating offensive capabilities 
that may form some sort of “cyber-deterrence” 
regime. The likelihood that future cyber-attacks will originate 
from far outside the north Atlantic area provides 
challenging questions about NATO’s “out of area” defence 
remit. Therefore a counter-attack across cyberspace 
as an Article 5 response, though not theoretically 
inconceivable, is currently unlikely. 

However, the sheer size of cyberspace diminishes 
NATO’s role in this global common. The combined internet 
users of China and India alone far outnumber the 
alliance states. There is currently no “natural leader” in 
cyberspace. 

NATO has to accept that much of cyberspace’s infrastructure, 
and many of the actors within it, are beyond 
the reach of the alliance. Yet this lack of leadership also 
gives NATO the opportunity to step forward and set the 
international agenda on securing cyberspace, ensuring 
its interests are represented in this rapidly evolving field. 
Intercepting cyber-threats will require NATO to rely upon 
the assistance of non-military security services, as well 
as the technical co-operation of industry experts. 

Source : 

Atlantic Council: Protecting the Global Commons 
 http://www.securitydefenceagenda.org/Portals/7/2010/Events/Global_Commons/Global_Commons_Report.pdf