
Five good reasons for NATO’s pragmatic approach to offensive cyberspace operations

Pages 464-488 | Received 09 Nov 2020, Accepted 18 May 2022, Published online: 30 May 2022

ABSTRACT

For decades, few NATO members, predominantly the US, had the capabilities to conduct offensive cyberspace operations (OCO). Today more than half of NATO’s members have, or are acquiring, offensive cyberspace operations capabilities (OCOC). Historically, NATO’s planning and coordination has been based on shared knowledge of the members’ military capabilities, to a degree even their nuclear capabilities. In the cyber domain, the principle has evolved to include allies’ emerging defensive cyber capabilities. NATO’s approach to OCOC, however, deviates radically: NATO’s doctrine merely integrates OCOs’ effects, that is, it allows members to contribute OCOs in operations without sharing information with allies on what OCOCs are available or how the OCOs deliver the effects. OCOCs’ technical and tactical characteristics incentivize NATO’s members to keep OCOCs secret, even from allies. This results in a dilemma: either the allies providing the OCOCs’ effects risk sharing sensitive information on the means, or the allies who depend on the provided effects act without sufficient knowledge of the deployed OCOCs to assess their efficacy, legality, or impact on their own offensive or defensive cyber operations. NATO’s limited approach to OCOC is a pragmatic mitigation of the dilemma that allows NATO to train and develop doctrine in the field further.

Introduction

For decades, only a few NATO members, predominantly the US, could conduct offensive cyberspace operations (OCO). Hence, there was little requirement for coordination with allies. This has changed: the economic threshold to acquire offensive cyberspace operations capabilities (OCOC) has fallen to a level where more than half of NATO’s members now claim to have these means. These developments have made NATO adjust.

Historically, NATO’s planning and coordination has been based on shared knowledge of the members’ military capabilities, to a degree even their nuclear capabilities. In the cyber domain, the principle has evolved to include the allies’ emerging defensive cyber capabilities. NATO’s approach to OCOC, however, deviates radically: NATO’s doctrine merely integrates offensive cyber effects, that is, it allows members to offer them in operations without sharing information with allies on what OCOCs are available or how the effects are delivered. NATO is a well-established mechanism to coordinate the members’ military means. This core function is the bedrock of military strategy for some small members, for example, Denmark. Hence, NATO’s and the individual members’ notable divergence from historical practice when it comes to OCOCs presents a puzzle.

The technical and tactical characteristics particular to OCOCs differ significantly from those of conventional military means. Among them are the extraordinarily strong incentives to keep any aspect of OCOCs secret, even from allies. This creates new and unique dilemmas for allies and inhibits OCOCs’ use in military alliances. Either the allies providing OCOs’ effects risk sharing sensitive information on the OCOCs, or the allies who depend on the provided effects must accept the proposed effects without sufficient knowledge of the deployed OCOCs to assess their efficacy, legality, or impact on their own offensive or defensive cyberspace operations.

The constraints on NATO’s ability to coordinate OCOCs will likely remain insurmountable for years to come. This may explain why NATO developed the Sovereign Cyber Effects, Provided Voluntarily by Allies (SCEPVA) concept, which allows the allies to circumvent some of the challenges associated with coordination (NATO 2020, 5, 16). The SCEPVA construct enables integration of OCOCs in operations while sharing little or no information on the deployed means. SCEPVAs are, in NATO’s own words, not the most effective way to fully utilize the allies’ combined OCO potential (NATO 2020, 26). However, the construct provides a pragmatic doctrinal framework for NATO to train and develop procedures and eventually integrate the effects of OCO in operations.

This article fills a gap in the strategic literature by investigating some effects of OCOCs and OCOs on alliances. NATO is a relevant empirical case study: it is by far the world’s largest collective defense arrangement, and at least 16 members already claim to have or strive to get OCOCs. At least nine of these have pledged to make them available in support of NATO operations (Vavra 2019). Furthermore, NATO provides some empirical evidence for the analysis, having worked with the challenges of integrating member states’ emerging offensive cyber capabilities since at least 2016, when the alliance acknowledged cyberspace as an operational domain (Ablon et al. 2019, 1). This has produced both academic debate and concrete outcomes, that is, organizational adaptations and doctrine such as the Cyberspace Operations Center (CyOC) and AJP-3.20, Allied Joint Doctrine for Cyberspace Operations (Brent 2019; NATO 2020).

After this introduction follows a presentation of definitions, methodology, and a short review of the current strategic literature on this topic. Then, the article describes NATO’s current approach to the allies’ OCOCs and to including OCOs’ effects in operations, and compares it with NATO’s approaches to conventional weapons, nuclear weapons, and defensive cyber means to identify differences. The initial conclusion is that NATO’s approach to coordination of allies’ OCOCs is indeed different and much more restricted than its approach to the other three categories.

The second part of the article presents the main argument: five technical and tactical characteristics of OCOCs cause special dilemmas that make their coordinated use in alliances more difficult than that of conventional military means. Based on the identified challenges to coordination of OCOCs, the article concludes that NATO’s ambition will likely remain limited to their inclusion rather than coordination. The article suggests that this situation may change if the nations providing OCO effects differentiate more between “mundane” OCOCs based on standard tools that are sharable, and advanced, tailored OCOCs based on sensitive information that will likely remain outside the scope of full coordination between allies. Also, a sufficiently significant crisis and the need to respond will likely induce NATO members to overcome some of the concerns that inhibit coordination between allies, especially if information exchange can be limited to a minimum of member states.

Offensive cyberspace operations, capabilities, and strategy

NATO defines cyberspace as “The global domain consisting of all interconnected communication, information technology, and other electronic systems, networks and their data, including those which are separated or independent, which process, store or transmit data.” OCO are defined as “Actions in or through cyberspace that project power to create effects, which achieve military objectives” (NATO 2020, 4). To facilitate the present analysis, the non-doctrinal term “Offensive Cyberspace Operation Capabilities” (OCOC) is introduced to cover the capabilities, for example, technology, trained personnel, command and control, etc., necessary to enable states to conduct military OCO.

NATO’s definition of OCO follows the definitions in current US doctrine, but it is very broad. To focus the analysis, this article harks back to older US doctrines that distinguish between two categories of OCO, as shown in Figure 1 below: Computer Network Attack (CNA) and Computer Network Exploitation (CNE). While no longer officially in use, CNE and CNA are analytically very helpful categories (NIST n.d.).

Figure 1. Cyberspace operations and sub categories.

CNA are OCOs to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves (Joint Chiefs of Staff 1998, GL-5). The older US doctrine’s definitions of CNA effects vary slightly from, but are all covered by, the effects listed in the NATO doctrine (NATO 2020, 18). CNA’s effects are not limited to data and the associated IT hardware, but may be inflicted on any physical hardware connected to the cyber-affected systems, directly or indirectly as a second- or higher-order effect. In the Russian 2015 “Black Energy” attack that resulted in power outages for nearly 225,000 people in Western Ukraine, CNAs directly targeted substations’ hardware on the Ukrainian electricity distribution grid (Colatin 2021). The dramatic impact of the 2021 CNA on Colonial Pipeline, where criminals hijacked a US fuel distribution company’s data, may have been a second-order effect resulting from the company’s attempts to limit the impact of the initial attack. Regardless, the CNA halted operations for days, caused a 45% drop in fuel distribution and made 17 states on the US east coast declare a state of emergency (Turton and Mehrota 2021; Panettieri 2021).

This analysis distinguishes between advanced and un-advanced OCOCs. In this regard, “advanced” does not refer to the technical complexity of the code employed, but to the degree to which the offensive cyber capability is tailored to a specific target and/or dependent on comprehensive intelligence collection for its design. It is a distinction between “a small number of weapons or targeted actions and a very large number of more indiscriminate tools” (Taillat 2019, 372). Advanced OCOCs are based on intelligence collected clandestinely, which means that sharing information on the OCOCs may jeopardize intelligence assets, means, and methods. Un-advanced OCOCs, by contrast, are relatively common and mundane means for OCO, perhaps similar to, or copies of, means used by cyber criminals.

CNE is qualitatively different from CNA: CNE is cyber-enabled espionage, “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks” (Department of the Army 2003, 2–11). That is, CNE is an OCO that conducts “seeing without touching,” whereas CNA is an OCO intended to inflict some degree of damage.

This analysis does not include CNE or other cyber-enabled offensive operations, for example, misinformation distributed on social media and targeted by algorithms. This is not because they lack strategic weight: like CNA, CNE and cyber-enabled or cyber-enhanced propaganda and misinformation can have significant strategic offensive effects (Lin 2019; Rogin 2012). However, neither CNE nor misinformation represents a qualitatively new means for states to wield coercive power. Thus, their effects on alliances, including NATO, are not new either. Admittedly, cyber brings new nuances, for example, by increasing the potential speed, scope, and scale of such operations by orders of magnitude compared to the analog past (Søilen 2016). Furthermore, CNE is arguably relevant to the present analysis due to the potential strategic side effects of alliance members’ individual tactical CNE: because CNE is often a necessary precursor to CNA, the line between CNE and CNA is blurred (Smeets 2018b, 9). Thus, it can be difficult from a victim’s perspective to assess whether CNE is “just” cyber espionage or preparation for CNA. In addition, attribution may be uncertain, and misinterpretations could lead an opponent to undertake unintended escalatory actions, perhaps against the entire alliance. Hence, from a theoretical perspective, ideally even CNE should be a coordinated effort in alliances. Even so, CNE is excluded from the analysis because intelligence collection has always been a prerogative of the individual NATO members and is highly likely to remain so.

Strategy is interpreted according to Yarger and Bartholomees: “Strategy is all about how (way or concept) leadership will use the power (means or resources) available to the state to exercise control over sets of circumstances and geographic locations to achieve objectives (ends) that support state interests.” (Yarger and Boone Bartholomees 2012, 45). In this analysis, OCOCs are means that states, in this case NATO members, use for raisons d’état. The analysis is based on the assumption that NATO’s members are rational, self-interested states, an assumption that is admittedly over-simplifying. For example, different types of OCOCs should in principle present different levels of challenge to coordinate, as the difficulties arise from the states’ inclination to keep these means secret. This inclination should increase along with the risk they pose to, for example, sensitive intelligence assets, and fall if this risk were low. Hence, in theory, obstacles to CNA coordination should vary from trivial to insurmountable if NATO members were pragmatic about their use and classified OCOCs according to risk. However, the very limited empirical evidence suggests that most OCOCs are highly classified and “national eyes only,” leaving them in or around the insurmountable category. Still, the assumption of rational, self-interested states will provide a baseline of insights into the alliance-related dilemmas emerging along with the NATO members’ increasing OCOCs.

On that note, and emphasized throughout the article, the entire topic of military OCOCs is shrouded in secrecy. This limits the analysis to available information from reputable public sources, combined with generally accepted characteristics of OCOCs as presented in the scholarly literature. To keep the analysis relevant and to stay away from hyperbolic conclusions, I am grateful to have had the opportunity to calibrate my findings through discussions with actual operators in the realm, not least former US Vice Chairman of the Joint Chiefs of Staff, General James S. Cartwright.

The limited literature on offensive cyber, alliances, and strategy

Most academic literature on offensive cyber strategy is written from a great power perspective and does not consider its use in alliances. Instead, the literature focuses on the first-order effects of a state’s actions against its opponents. For a small state, the second-order effect of its military actions on its allies may be far more important than the first-order effect on its opponent (Jakobsen et al. 2016, 10–12).

Smeets (2018b) and Fasana (2018) discuss the values and risks of integration of OCOs in military operations, but do not analyze their use in coalitions. Hughes and Colarik (2016) encompass both small states, alliances and OCOCs by identifying the theoretical advantages and risks which they expect New Zealand would incur by developing OCOCs, and by investigating how these could be deployed within New Zealand’s military cooperation with, for example, Australia or the U.S. Hughes and Colarik assume that New Zealand can coordinate use of OCOs in a military coalition with the U.S. or the other members of the Five Eyes intelligence-sharing community, Australia, Canada, and the United Kingdom, on a par with conventional means (Hughes and Colarik 2016, 173; Tossini 2017). New Zealand is not currently in any military alliance but retains very close relations with the U.S. (State Department 2020).

In a theoretical coalition involving the U.S., New Zealand, and other Five Eyes members, coordination of OCOs would likely be less challenging than between NATO’s 30 members due to fewer members and the well-established Five Eyes framework for sharing classified information. Still, this article challenges Hughes and Colarik’s assumption of information-sharing-based coordination of OCOs between close allies by demonstrating why this is likely to involve difficult dilemmas in any alliance, regardless of how small and close-knit it might be.

Cyber: a young domain for offensive NATO operations

While NATO has de facto been involved in defending its member states in the cyber domain for nearly two decades, it was not until 2016 that NATO acknowledged cyber as a domain for military operations. More than half of NATO’s members had publicly declared their intent to develop offensive cyber means before NATO agreed to develop a capability to integrate such effects and began to implement a Cyberspace Operations Center, the CyOC, in October 2018 (Brent 2019; Freedberg 2018; MacKenzie 2017; Smeets 2019).

NATO’s decision to establish the CyOC to integrate offensive cyber effects in NATO-led operations is a significant, and less ambitious, divergence from NATO’s normal approach, which would be to coordinate offensive cyber (Rizwan and Ricks 2017). Outside the realm of OCOCs, coordination of military means in NATO operations normally involves a prior common understanding between allies of the available capabilities for planning purposes. At the strategic level, NATO must know which means are available to plan the ways the alliance can achieve the desired ends. At the operational and tactical level, coordination requires some level of shared command and control as well as shared information about, for example, which weapons are used, the intended targets and the timing of the attacks, in order to de-conflict with other forces engaged in the operation.

For OCOCs, however, NATO’s ambition only amounts to allowing their potential inclusion in an operation, should an ally volunteer CNA effects. No prior knowledge or assessment of available assets is collected, and no command and control is exercised, except for the permission from NATO to the effect-delivering member state to execute the CNA (NATO 2020, 21).

The practical outcome is that, prior to an operation, NATO staffs at the strategic and operational level will in principle have no knowledge of what OCOCs are available to base their planning on. Broadly speaking, NATO members will volunteer CNA effects as they identify opportunities to support operations during the operational planning process and as operations are ongoing at the tactical level. In principle, except for the nation that delivers the CNA effect, alliance partners will remain ignorant of, for example, which software is used, which targets are struck and when the attacks occur. Even the efficacy of the CNAs may remain known only to the member that delivers the effect.

Unclassified information on the internal negotiations in NATO on OCOCs and the CyOC is not available, but it has probably been difficult to find common ground between the 29 members NATO had at the time. The elaborate wording used by the alliance to discuss the topic could indicate that OCOs were a controversial topic. While Denmark in 2018 pledged to provide “cyber weapons” and “offensive cyber effects” to NATO (Danish Ministry of Defence 2018), NATO has avoided these terms. Instead, NATO has compromised on the rather ungainly term “sovereign cyber effects, provided voluntarily by Allies,” or SCEPVA (Goździewicz 2019).

Adding to the diplomatic delicateness of the matter for the alliance, the difficulties are exacerbated at the legal level: all NATO members agree that international law and the rules of armed conflict apply to offensive cyber capabilities and their effects (NATO 2020, 21). However, there is no well-established NATO, let alone international, consensus on how to interpret this in practice (Taillat 2019, 33; Smeets 2021).

NATO’s different approaches to coordination of military means

A brief comparison of NATO’s approach to integrating the effects of OCOs vis-à-vis conventional military means, nuclear weapons, and defensive cyber gives an indication of how the four categories of military means pose different levels of challenge to their coordination by the alliance.

Conventional military means

Coordination of the use and deployment of conventional military means has long been an essential function for NATO, sometimes even influencing individual member states’ acquisition or discontinuation of specific military capabilities. Coordination within NATO allows nations to focus their military investments on capabilities relevant to the alliance’s plans for defense and deterrence. Hence, during the Cold War, when the main threat was a Soviet invasion, European partners stood up the main part of NATO’s ground forces while the US delivered most of the strategic power projection capabilities (Shaver and Newland 1989, 12). Coordinated force development has only increased in importance with the diminishing emphasis on static territorial defense that followed the fall of the Soviet Union, as members have discontinued entire capabilities (Ek 2006, 2). A prime example is how Denmark in 2004 gave up its mobilization-based territorial defense, submarines and land-based air defense, key capacities for national defense, in order to focus on deployable out-of-area capabilities for missions such as the International Security Assistance Force (ISAF) in Afghanistan (Forligspartierne 2004, 9, 11). On its own website, NATO elevates the role of “setting goals for national or collective development of capabilities; and facilitating national, multinational and collective capability development and innovation,” done through the NATO Defence Planning Process, to be a key element in the alliance’s two pillars: interoperability and modern weapons. Coordination at this level requires that NATO has a relatively detailed understanding of its members’ military capabilities, especially the capabilities members pledge to NATO operations, readiness or response forces. These are evaluated by NATO to assess whether they fulfil the set requirements (‘NATO – Topic: NATO’s Capabilities’ 2020; ‘NATO – Topic: Troop Contributions’ 2020).

NATO coordination of acquisition, deployment of conventional means, etc., is of course an ideal that has never been fully realized, as demonstrated, for example, by the Turkish procurement of the Russian S-400 air defense system in 2019 or the sudden declaration by the United States in June 2020 that 9,500 troops would be withdrawn from Germany (Bennhold 2020; Marcus 2019). However, the strong reactions that followed these deviations from inter-allied coordination demonstrate that they are exactly that: deviations from an ingrained policy that NATO allies have learned to expect from each other over decades of close cooperation (Oltermann 2020; Pamuk 2019).

Defensive cyber capabilities

Regarding defensive cyber, most NATO members stood up such capabilities at the tail end of the 20th century in response to the threats that emerged along with the internet. NATO began considering coordination of defensive cyber capabilities almost two decades ago, in 2002, and demonstrated its ability to do so during the cyber-attack campaign against Estonia in 2007 (Caton n.d., xi; Tikk et al. 2010, 24). Acquisition of defensive cyber capabilities has been uncontroversial for individual members and NATO alike, both strategically and legally. Today, NATO has developed both doctrines and organizations to develop a defensive stance in the cyber domain, with an emphasis on resilience to attain deterrence by denial rather than by punishment (Burton 2015, 309). Within NATO, vital elements of defensive cyber such as response teams and threat information are shared routinely between member states (NATO 2020). Standing multilateral organizations such as the NATO Communications and Information Agency (NCIA) and the NATO Computer Incident Response Capability (NCIRC) work every day in defense of NATO’s own systems (Ali 2014, 33). Thus, sharing of defensive cyber capabilities and information is demonstrably possible within the alliance.

Military nuclear capabilities

Due to their enormous destructiveness, nuclear weapons are on many levels a special category. As such, NATO treats them differently. Nuclear weapons and the decision process regarding their use are strictly national for the three nuclear-armed NATO members, the US, UK, and France.

Nevertheless, general information on nuclear capabilities is relatively accessible, even from unclassified sources (Kristensen and Korda 2019b, 2019a; Ministry of Defence n.d.). The potential effects of the weapons and the way their means of delivery work are also relatively well known. This includes other allies’ relevant capabilities, for example, the German Tornado bombers’ capability to deliver nuclear weapons (Freedman 2013, 15). This allows NATO to integrate the weapons’ potential effects in the planning of the alliance’s military defense and deterrence. The Nuclear Planning Group, founded in 1966, is the main forum to discuss nuclear issues within NATO (NATO 2022b).

As Table 1 shows, OCOCs are in a category of their own regarding NATO members’ will and ability (or rather lack of it) to coordinate these means through NATO.

Table 1. NATO’s general approach to different categories of military means.

While NATO in principle can handle defensive cyber on a par with conventional means, OCOCs are even less coordinated than nuclear weapons. Contrary to the other capabilities, NATO as an organization likely has no knowledge of its members’ OCOCs, their effects or the means of delivering them. Furthermore, NATO does not coordinate or standardize allies’ OCOC development or acquisition, nor does it coordinate their use, except for the option of providing SCEPVAs through the CyOC.

Five characteristics of offensive cyber that inhibit coordination

The remainder of the article will demonstrate why this, for good reasons, is a particular policy for OCOCs, by going through inherent characteristics of this emerging military capability. The factors are arguably all subsets of characteristic #1: they arise from the individual NATO members’ inclination to keep OCOCs secret at the “National Eyes Only” level. However, treating characteristics #2–5 individually provides better insight into how they affect NATO. The identified inhibiting factors are in this analysis taken to their theoretical extreme in order to illustrate the argument. Of course, contextual factors may mitigate the degree to which these characteristics inhibit coordination. The less advanced and revealing of a nation’s own capabilities the OCOC in question is, and the more existential the threat the OCOC is to be deployed against, the more likely it is that decision makers will overcome the identified inhibitions on coordinated use. Also, the informal but very real hierarchical relationship between allies, particularly between the US and the other NATO members, will likely induce individual allies to share the necessary information in some cases (Walsh 2010, 134–37).

Characteristic #1: secrecy is a precondition for effect

A conventional weapon can, in principle, be forced through an opponent’s defenses by increasing the number of attacking platforms and/or the caliber of the weapon systems deployed, if the attacker is willing to incur the costs. In contrast, many advanced OCOCs depend on secrecy to achieve their effect: they can only penetrate an opponent’s defense if it has a flaw of which he is unaware (Libicki 2009, xiii, 18). To slip through an opponent’s defenses, OCOCs need a technical, organizational, or procedural vulnerability that the opponent is unaware of, for example, zero-day vulnerabilities in his software, or a device with internet access installed on the opponent’s system with a low security setting. It could also be physical access to his system that allows electronic or physical tampering, or simply an employee in the opponent’s organization who has been identified as liable to click on phishing mails of a particular design (Taillat 2019, 370).

Regardless of the nature of the vulnerability, should the opponent become aware of it, he will be able to address it with relative ease and at a comparatively low cost, for example, by updating and patching software or hardware, limiting physical access to systems, changing passwords on devices on the network, and training or removing the above-mentioned careless employee. Therefore, OCOCs require a very high degree of operational security to retain their potential effect, as the slightest hint of their mode of deployment or their specific targets can render them impotent (Shane et al. 2017; Smith 2013, 83). The fewer who know, the better.

While strict operational security is undoubtedly beneficial to the deployment of conventional weapons, it is, unlike for advanced OCOCs, not a precondition for their ability to deliver their effect. Hence, due to the lower operational security risk, there is a lower threshold for sharing knowledge of conventional capabilities between allies than for OCOCs.

The limited available information suggests that sharing even non-cyber-related classified information within NATO has been a longstanding challenge (Atkeson 1984; Binnendijk and Priebe 2019, 50; de Graaff 2017; Dempsey 2017; G. K. Gramer 1999, ii, 7; Seagle 2015, 565, 570).

While the individual members and their national intelligence services have long histories of intelligence collection and its use, NATO does not have a lot of institutional experience (Seagle 2015, 565, 571). NATO has had a special committee for sharing intelligence since 1952, but the organization depends on voluntary intelligence contributions from the members. There was no NATO organization for intelligence fusion until 2006, when the NATO Intelligence Fusion Centre (NIFC) was stood up. Until then, members could only provide information by making national assessments releasable to NATO (Gordon 2017; Lefebvre 2003, 531). In 2017, NATO created a second institution, the Joint Intelligence and Security Division (JISD), for common intelligence analysis based on voluntary national contributions and open sources, to improve the alliance’s common situational awareness (von Loringhoven 2017). Except for a few ground surveillance capabilities and airborne radars, NATO has no internal intelligence collection capabilities (von Loringhoven 2019). NATO is also unrelated to the Five Eyes, Nine Eyes or Fourteen Eyes communities, which are allegedly the US National Security Agency’s unofficial designations for multilateral intelligence-sharing agreements with particularly trusted partners. With the Five Eyes (US, UK, Canada, Australia, and New Zealand) being the closest partners, the communities allegedly all include non-NATO members (MacAskill and Ball 2013; Reveron 2006, 460).

US concern about allies’ ability to handle sensitive information, particularly in the cyber domain, was accentuated over NATO members’ potential inclusion of Chinese providers, for example, Huawei, in their emerging 5G networks. US representatives suggested that inclusion of Chinese information technology in critical infrastructure would inhibit future intelligence sharing, not only in NATO but even within the Five Eyes community (Elmer 2019; R. Gramer and Seligman 2020; Satariano 2019).

It is important to realize that states must overcome even more constraints to share relevant information on advanced OCOCs with allies than those that inhibit the delicate business of sharing classified intelligence. When allies share intelligence, they can do so in a manner that does not disclose the sources and means by which the intelligence was developed. An ally can share the information that “the enemy ship will sail at midnight” without any indication of how this information was acquired and assessed as valid. Should the ally indicate the source, this may be a deceptive fabrication to deflect investigations into the true source. A famous example is how the British during WW II shared intelligence gathered by breaking the German Enigma codes while leading allies to believe that the information had been collected through networks of spies in Germany (Cox 2014). Even with these limitations, sharing of intelligence is a delicate matter between states and allegedly rarely takes place at a significant level in multinational organizations such as NATO (Walsh 2010, 14).

As demonstrated above, and further explored in the following characteristics below: In order to give allies a full understanding of the effects of the use of an OCOC – both to the enemy and to themselves – it is not enough to disclose the desired effect, the SCEPVA (roughly comparable to the information “The ship will sail at midnight”). Allies will need to know technical details regarding the SCEPVA in order to assess its efficacy, legality, and potential effects on their own OCO.

Yet not all OCOCs need to be secret at the national eyes only-level. While STUXNET was a means that reportedly required sensitive national resources to develop and deploy, some OCOCs are likely relatively unsophisticated versions of commercially available malware or conversions from, for example, criminal sources on the dark web (Falco 2012, 20). In principle, such mundane OCOCs could be fully shared and coordinated between allies, as they pose little risk to sensitive resources and are based on standard tools rather than on specific identified flaws in the opponent’s systems that are easily lost once exposed. However, the limited available unclassified empirical evidence, for example, from U.S. OCOs during Operation Inherent Resolve against ISIS, suggests that even coordination of “trivial” OCOCs poses very significant challenges in coalitions due to high- and perhaps over-classification (Martelle 2020).

A culture of secrecy, ingrained over centuries in national intelligence services, may be a contributing factor to over-classification of even mundane, unadvanced OCOCs (Cartwright 2018). Cyber-enabled intelligence collection and means for CNA emerged naturally as a task for intelligence organizations as they expanded their activities from the electromagnetic spectrum to the Internet. In Britain, the signals intelligence service, Government Communications Headquarters (GCHQ), is responsible for OCOCs and has taken credit for OCOs against ISIS (Flemming 2018). In Denmark, the task of developing OCOCs and conducting OCOs lies with the Danish Defense Intelligence Service (Forsvarets Efterretningstjeneste n.d.).

There are excellent reasons for organizational co-location of CNE and CNA capabilities. Besides target selection and identification of opponents’ vulnerabilities, it provides opportunities for synergy within recruitment, training, and sustainment of the human resources (Cartwright 2018). Even when separated, OCOCs often remain closely linked to the intelligence world: The US Cyber Command still shares its commanding officer with the National Security Agency (NSA) – often jokingly referred to as “No Such Agency” in reference to its reputation for secrecy (Pomerleau 2018). Legal and constitutional concerns may also keep the OCOs closely tied to the intelligence services, especially when using CNA below the threshold of armed conflict (Chesney 2019).

Regardless of causes, mundane OCOCs appear to be generally surrounded by the same secrecy as advanced or otherwise sensitive OCOCs. As the young cyber domain matures, unadvanced OCOCs may eventually be transferred from national intelligence organizations to regular military forces and become an everyday part of military operations on a par with other means (Breuer 2020). The potential restraining cultural impact of national intelligence organizations on NATO’s ability to share information is, however, a topic for another article.

Characteristic #2: uncertainty of effects

OCOCs have several characteristics that make their effects more uncertain than those of conventional weapons. This is true for both their immediate tactical effect and their strategic effect as a means for conflict management. The effects of conventional weapons on specific objectives depend on the laws of physics and the characteristics of the weapon and the target. They are thus well known, or can be tested in theory or practice by engineers on mathematical models or physical mock-ups. Also, physical targets change characteristics slowly over time, and there are often physical indicators that can be observed from afar – for example, if an opponent’s command and control bunker gets an additional layer of concrete or new anti-aircraft weapons are deployed around it.

This is not the case with advanced OCOCs’ effect on their intended objectives. The specific targets are unique combinations of software and hardware that are run by specific operational procedures. As described above, any change in software, hardware, or procedures (e.g. passwords) may render impotent an OCOC designed to overcome the prior combinations and their identified vulnerabilities. In addition, changes may not be apparent to an external observer, who thus will have no warning about the change. An attacker can only design his OCOC based on the latest and best intelligence available prior to its actual use.

Therefore, there will always remain a level of uncertainty about the degree to which the OCOC will deliver its desired effect, if at all. Thus allies, whose conventional military operations may depend on the successful execution of an ally’s CNA (e.g. to temporarily render air defenses inoperable in order to allow friendly aircraft to operate in the opponent’s airspace), face a dilemma of whether or not to accept a risk. To assess whether the level of uncertainty, and thus the risk to their aircraft, is acceptable, the allies need comprehensive knowledge of how the enabling CNA is to be conducted, as well as the available information on the enemy systems on which the CNA is based (Cartwright 2018). However, as discussed above, the ally providing the CNA has a strong incentive not to share this information. This leaves the CNA-dependent allies either to take the CNA-providing ally’s word for the CNA’s efficacy against the enemy’s air defenses – or to find alternative means to ensure the effect, e.g. a conventional attack. The likelihood of the latter outcome likely increases with the potential consequences of failure to the allies depending on the CNA’s effect (Cartwright 2018).

In addition to the uncertainty over whether contributed CNAs will have less than the desired effect, there will sometimes be uncertainty over whether the CNA will have more than the desired effect, either directly or as collateral damage. The CNA may have undesirable effects, perhaps by affecting third parties, by being unintentionally escalatory or by delivering effects that are debatable according to international law. Again, allies of a state that conducts CNAs must have knowledge of the deployed OCOCs and the targets to assess their effects. Their alternative is to take their ally’s word that they will not be participating in operations involving legally questionable or plainly counterproductive OCO.

Legal issues are a more pronounced problem with CNAs than with conventional means, as there is no internationally agreed-upon interpretation of what constitutes the legal use of CNAs in international conflict, not even within NATO. As stated above, SCEPVAs need to be legal according to the delivering ally’s interpretation of International Law (NATO 2020, 21) – but this may differ from other NATO members’, opening up an assortment of legal problems in case NATO decides to use CNAs (Taillat 2019, 373; Jacobsen and Jeppe 2017, 7; Smeets 2021, 3). Even though disputable legal effects of a SCEPVA will formally be the responsibility of the executing member, other members of NATO may be held responsible at the political and strategic level. Having noted this very serious inhibition, legal aspects of coordinated use of OCOCs in NATO will not be developed further here.

The uncertainties regarding the potential technical and tactical efficacy of SCEPVAs are increased by the fact that collection of intelligence on potential targets has to be done in a discreet, preferably clandestine, manner. This is in order not to alert the opponent and cause him to take actions, for example, implement technical changes that may render the CNA under preparation impotent (Cavaiola et al. 2015, 87). The necessary collection of intelligence to prepare a tailored CNA may involve highly classified national means, methods, and capabilities. These could be jeopardized by sharing information on the intended OCOCs or CNA targets with allies. Along with the need for operational security and secrecy described above, this risk to intelligence capabilities further constrains an ally’s incentive to share information on OCOCs with alliance partners.

As a strategic means, OCOCs are in some regards more challenging as means of escalation control and crisis management for alliances than conventional means. One major difference is the ambiguous nature of CNA. Unlike conventional weapons, CNA will always leave the victim of the attack in some level of uncertainty regarding attribution, and regarding whether it has realized all the ways in which it has been attacked (Libicki 2009, 92; Rid and Buchanan 2015, 11). The initial US reactions to the SolarWinds attack, attributed tentatively to Russian intelligence, provide ample evidence of the insecurity that follows the discovery of a deep penetration of critical systems (FireEye 2020; David E. Sanger and Perlroth 2020).

Added to the resulting insecurity and ambiguity comes the lack of human experience at the present point in history. The general strategic effect of offensive cyber capabilities on the international system in peace, crisis and war is presently only beginning to be understood. Hence, their use as a means for controlling escalation in crisis and war is to a large degree a question of assumptions and educated guesses on the part of a potential attacker. This makes the use of OCOCs as signals to an opponent in a crisis even more uncertain than signaling with traditional military means, and hence escalation harder to control (Cavaiola et al. 2015, 89; Nye and Joseph 2016, 49). Again, these factors are exacerbated by the incentive to keep OCOs secret from allies and the uncertainty of the actual effect of a CNA.

While the effects following from characteristic #2 – uncertainty of efficacy and unintended effects caused by the secrecy surrounding allies’ OCOCs – are not an argument against collaboration amongst allies, they are a strong incentive for NATO allies to prefer conventional alternatives to SCEPVAs in NATO operations.

Characteristic #3: conflicting priorities between offensive cyber effects and cyber espionage

The vulnerabilities exploited when conducting CNA may well be the same vulnerabilities that are used to conduct CNE. Successful and continuous intelligence collection depends on discretion and on the target of the collection being unaware of the vulnerability exploited. A CNA conducted via such a vulnerability will likely draw the opponent’s attention and eventually result in its discovery and elimination. This will render future intelligence collection from that venue impossible. Thus, there can be a conflict of interest between “cyber spies” and “cyber warriors” that has to be de-conflicted before a CNA is carried out.

This inherent need to decide which is more important, immediate CNA effects or future intelligence collection opportunities, is probably one of the reasons why the US Command for Military Cyber Operations and the NSA, the intelligence service responsible for technical collection, still have a common commanding officer after years of contemplation of separating the two institutions (DoD n.d.). By having the same person in charge of both CNA and CNE, the competing priorities can be decided within the same organizational framework with full knowledge of the technical and tactical details required to make a full assessment of the effects and risks involved. Even so, the limited available information on historical OCO suggests that inter-organizational de-confliction just within the US is problematic (Loleski 2019, 123; USCYBERCOM 2016).

It is reasonable to assume that the added layer of complexity of de-conflicting the use of identified flaws in the opponent’s systems with allies is even more problematic than sharing other SCEPVA-related information. Such de-confliction may include detailed disclosures of highly sensitive means, methods and operations regarding both CNA and CNE capabilities. Hence, this will be very difficult to carry out on a bilateral basis, let alone in a multilateral alliance. To de-conflict SCEPVAs, allies may have to disclose highly sensitive information to other alliance members – which they will have a strong inclination against. NATO has, as mentioned earlier, reportedly had challenges sharing intelligence. This suggests that the more likely outcome is that de-confliction will be omitted, and NATO allies will have to accept the risk that a SCEPVA could shut down some of their intelligence collection sources. Intelligence collection means, technical and otherwise, are the crown jewels of intelligence services, and while the collected information or intelligence based thereon is occasionally shared, means are kept secret from friends as well as foes. As is the case with the other inhibitions to coordination derived from over-classification of mundane OCOCs along with the actual tailored means, this hindrance could be lessened if NATO members distinguished between the two sorts and treated them differently (Cartwright 2018).

Characteristic #4: competing priorities for the use of an offensive cyber capability

Once developed, conventional weapons, e.g. bombs, of the same model can be used again and again until they become obsolete. In contrast, advanced OCOCs can only achieve effects until the vulnerability they exploit is eliminated, which, as described above, is likely to happen shortly after it is exposed (Smeets 2018a, 16). Hence, advanced OCOCs are in some sense not re-usable or at least highly ephemeral, once deployed.

Bearing this characteristic in mind, consider that allies who possess OCOCs utilizing the same identified vulnerability may have different priorities regarding which targets to use the capability against. As was the case with de-confliction of intelligence collection versus CNA, de-confliction in alliances of target priorities when “burning” OCOCs and disclosing the opponent’s vulnerabilities with CNAs will require sharing highly sensitive information. This will very likely inhibit the de-confliction process. Alternatively, allies must accept the use of OCOCs without this knowledge, accepting the risk of some of their own arsenal of OCOCs becoming obsolete, as the capabilities will likely become impotent shortly after their first use.

Characteristic #5: Risk of offensive cyber means being used against allies and third parties

However, OCOCs are re-usable in ways that conventional munitions are not. After a bomb dropped on an opponent detonates, the opponent can’t pick it up, perhaps re-engineer it, copy the bomb or new versions of it endlessly and then use it against the original attacker, his allies or third parties – or sell it to criminals on the dark web. With some OCOCs, you can. In some cases, a victim of a CNA will be able to find, extract and re-engineer the malware and potentially use it against, for example, the original attacker, its allies, or third parties outside the current conflict (Taillat 2019, 375). To give a famous example, the US and Israel allegedly deployed STUXNET in 2009–10 as a CNA to sabotage Iranian centrifuges. By September 2010, elements of the software had already been adapted by criminals and used to attack third parties (Falco 2012, 33–34). The same is the case when OCOCs are lost or stolen. Sometime in or before 2013, a number of OCOCs developed by the NSA’s hacking group, Tailored Access Operations, were lost (Shane et al. 2017). Regardless of whether this was due to external state-sponsored CNE or an insider attack along the lines of the 2013 Snowden breach, the lost OCOCs have since been used, in different guises, against targets in the US, NATO allies, and third parties, for example, Ukraine. Russia conducted the 2017 NotPetya CNA on critical economic infrastructure in Ukraine based on flaws identified in the tools lost by the NSA. It spread uncontrollably to other countries and caused damage to civilian companies in the West of more than 800 million USD (UK NCSC 2018). Prior to that, in 2016, North Korea used them for extortion attempts in the WannaCry CNA that infamously paralyzed several British hospitals for days and caused costly disruptions in many other countries (Shane et al. 2017). Iran has also been identified as a likely user of the lost OCOCs (Symantec 2018). Lately, criminals have used the tools to disrupt and degrade entire cities’ information infrastructure and hold municipalities for ransom, for example, in Baltimore, which suffered the effects of such an attack for months in 2019 (Perlroth and Shane 2019).

Hence, by conducting a CNA, an alliance member will let loose an OCOC on the Internet for all to eventually find and examine. This may eventually add the means, or redesigned versions of it, to opponents’ cyber arsenals, as well as to the arsenals of capable non-state actors, such as criminals (Robinson et al. 2015, 81). Thus, as part of the alliance’s coordination efforts, the CNA-providing ally should consider warning allies and perhaps even third parties, for example, about which means have been used or which vulnerabilities have been exploited (Baram 2018). However, again the tactical value of keeping details about OCOCs and identified flaws in software classified will provide a strong incentive against such coordination. For example, US authorities waited years to warn US entities, in 2017 and 2019 respectively, of security flaws that were left vulnerable after the CIA lost control of a number of OCOCs in 2016 (Wyden 2020).

The OCOC-dilemma and its three outcomes

This article set out to demonstrate how five technical and tactical characteristics of OCOCs cause special dilemmas that make their coordinated use in alliances more difficult than that of conventional military means. The analysis has so far established that a NATO member that offers to contribute SCEPVAs to a NATO operation has significant incentives not to share information on the intended OCOC, the CNA targets or even the tactical effects. While relevant to the allies, sharing information may jeopardize both the SCEPVA and the intelligence assets that made it possible. Thus, a SCEPVA-contributing NATO member and its allies face a dilemma with three possible outcomes, as shown in Table 2:

Table 2. Choices and consequences for use of offensive cyber means by NATO members.

Outcome 1

The OCOC provider accepts risks and shares relevant information on means and methods with all relevant NATO allies, or at the very least, with the most influential allies. To most members, this would involve bilateral disclosure to the US. In this case, the ally exceeds the formal requirements for contributing a SCEPVA and accepts the risks from disclosure to both its involved intelligence capabilities and the efficacy of the attack. Also, the ally risks that NATO (or just the US, which in practice would give the same outcome) declines the suggested OCOC.

Outcome 2

The providing ally notifies NATO of the possibility of achieving the requested effects through CNA, but does not share further information, offering a SCEPVA. In the SCEPVA construction, the allies accept the risks from accepting the SCEPVA, that is, they accept the providing ally’s delivery of a CNA effect without the information necessary to assess the offered SCEPVA’s efficacy and legality according to their own interpretation of international law. Also, the SCEPVA-accepting NATO partners accept the risk that the SCEPVA may degrade some of their own current cyber means of intelligence collection and/or “burn” OCOCs allies have set aside for other operations they give higher priority. Furthermore, they accept the risk to themselves and third parties from being attacked later with the deployed OCOC or re-engineered versions of the SCEPVA by the struck opponent or criminal third parties. Finally, the NATO allies accept the risk from the SCEPVA’s potential escalatory effect on the conflict. The providing ally still risks that NATO declines the use of the suggested SCEPVA but avoids the risks from disclosure to involved intelligence assets and the efficacy of the OCOC.

Outcome 3

The NATO member conducts CNA without notifying its allies and without sharing any information. A variant of this outcome is if an ally delivers a SCEPVA despite NATO’s refusal. In principle, allies’ mere possession of OCOCs presents a potential threat of rogue actions to NATO. Obviously, this last option does not represent a coordinated military effort by NATO, but as the alliance may face consequences because of a rogue member’s CNA, OCOCs in principle represent a new technological venue for entrapment (See Author, forthcoming).

The OCOC-dilemma’s outcome likely depends on the size of the involved NATO members

The findings raise the question of how useful OCOCs are to NATO members – primarily the smaller members – if OCOC use within the framework of the alliance potentially requires them to share more sensitive information with allies than they are comfortable with. The discussion has so far avoided the obvious fact that NATO’s individual members have different characteristics – particularly strategic wherewithal – that influence the level to which they can expect other members to accept their volunteering of SCEPVAs. The same applies to the degree to which NATO members will have to disclose sensitive information in order to be allowed to provide SCEPVAs, or can expect forgiveness from other members should they “go rogue” and conduct CNA without NATO’s knowledge or consent.

The US has a dominant status within the alliance (Jakobsen 2014, 61; Lake 1999, 171). This likely raises US expectations of not having to ask before using SCEPVAs on behalf of NATO, or of being forgiven if it does. At the opposite end of the power scale, a small member such as Denmark would likely hesitate to use OCOCs unilaterally, historically preferring only to wield military power in coalitions. If asked formally or informally by the US, whether in NATO or indeed in any coalition of the willing with the US, Denmark would likely also find it problematic to refuse to disclose sensitive information regarding a suggested SCEPVA, not least because the primary effect of the SCEPVA for Denmark would rarely be the first-order effect on an enemy, but rather the second-order effect of gaining prestige with the US to strengthen the transatlantic relationship and the military guarantee for Denmark’s security (Jakobsen et al. 2016). Such disclosures would be painful, though, and small NATO members would probably attempt to limit them to the bilateral level – likely with the US as the second party.

However, while NATO’s individual members may generally be expected to try to accommodate US preferences, there is no automatic causality. Choices will vary from case to case based on the individual member’s understanding of risks and benefits. In the cyber domain, for example, Germany’s, the UK’s and Denmark’s initial reluctance to deny Huawei access to their telecommunication infrastructure are examples of NATO allies weighing other issues higher than US requests (Barnes and Satariano n.d.; R. Gramer and Seligman 2020; Mouritzen 2020; D.E. Sanger et al. 2020).

Conclusion: the SCEPVA-doctrine is a pragmatic mitigation of OCOCs’ dilemmas

This article has explored the question of the degree to which the outlined characteristics of OCOCs inhibit NATO’s ability to coordinate them.

Today, most NATO members consider integration of OCOCs in their military operations. As demonstrated, NATO’s members have legitimate national interests in shrouding these capabilities in secrecy. Apparently, this currently makes sharing and coordination of OCOCs an insurmountable challenge for NATO.

However, this analysis has taken the outlined difficulties of coordinating OCOCs to their theoretical extremes. To invoke Clausewitz, war – including CNA – is never an isolated act and extremes are moderated by external factors (Clausewitz 1918, 27). Hence, real-world inhibitions to share information will likely be moderated by several factors.

The threshold for willingness to share information on CNA or to accept risks from allies’ offered SCEPVAs may remain constant, but the incentive to overcome it likely varies with the external threats to the alliance. All other things being equal, NATO members’ willingness to share information will likely rise with the severity of the crisis at hand, facilitating the use of SCEPVAs and perhaps paving the way for more ambitious coordination. Prior to 2022, the external pressure on NATO was relatively low. The Russian attack on Ukraine in February 2022 demonstrably infused NATO’s members with a renewed sense of urgency and set in motion alliance-strengthening initiatives, such as increased military spending and forward deployments of troops and materiel (Shapiro 2020; Detsch and Gramer 2022). Possibly, the same sense of urgency has increased the willingness to share information or accept risks should NATO request the members to provide effects through CNA.

Also, as the cyber domain matures, the willingness to share could become more dependent on the level of intelligence assets and cyber capabilities at risk – that is, dependent on how advanced and specifically tailored the OCOCs in question are. As stated above, some means are very sensitive, some are more mundane. However, currently most OCOCs appear to be highly classified regardless of their actual sensitivity, meaning that NATO members’ willingness to share is lower than the actual means themselves justify. As military use of OCOCs matures over time, in the sense that it becomes more ingrained in everyday operations and moves partly out of its current realm of top secret, national eyes only-classification, NATO may become able to coordinate some of its members’ OCOCs.

Regardless, due to the inherent characteristics of cyber weaponry, the member states’ advanced OCOCs will likely remain outside NATO coordination. At some point, some NATO members will likely conduct CNAs without coordination with allies, or perhaps limit the coordination to bilateral consultations between the CNA-conducting ally and NATO’s dominant member, the US.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Mikkel Storm Jensen

Mikkel Storm Jensen (MSc) is a major in the Danish army with an operational background in intelligence analysis. Since 2016, he has done research on national cyber strategies, initially on the state’s role in societal resilience. He is currently writing a PhD on the influences of offensive cyber capabilities on military alliances, particularly NATO.

References