Cyberspace as a security domain
Since 2016 NATO allies have widened the scope of the Article V collective defence clause – "an attack on one is an attack on all" – to cover cyber-attacks. Cyberspace is now an operational domain, along with air, sea, land, and space. Therefore, NATO has rapid reaction cyberdefence teams on call 24/7, complete with a Cyberspace Operations Centre in Mons, Belgium, and is working towards a Cyber Command by 2023.
Still, it is unclear whether the Alliance is ready for the cyberwars of the future.
The cybersphere is changing much faster than our capacity to assimilate the security threats that are emerging. The Internet of Things (IoT) creates a different interface between land, air, sea, space, and the internet. Online activity sees threats converge rather than creating a distinct "domain." That is why the Alliance is treating aggressive assaults in cyberspace as casus belli.
The weaponisation of the internet lies at the heart of asymmetrical warfare strategies in the 21st century. In this scheme, hackers and coding experts are the new Kalashnikov-holding guerrillas. In this new fluid strategic environment, developing structured and institutionalised countermeasures is not a challenge for the faint of heart, for a number of reasons.
Can't fight a war you do not see
First of all, contemporary approaches to cybersecurity build on conventional collective defence planning. This process relies on the assumption that the lines between peace and war are strict and, therefore, the allocation of responsibilities between military and civilian personnel is a straightforward proposition. That distinction is more problematic in cyberspace. Besides, conflict escalation in cyberspace can go from zero to maximum within a matter of minutes, which obliterates traditional processes for the allocation of decision-making authority. War becomes an illusionist's game: "now you see it, now you don't."
Can't have collective defence without collective threats
Secondly, not all member states have a perception of what cyber-defence entails.
In this respect, there is an issue of basic definitions. When NATO says that "some" cyberattacks will be regarded as equivalent to an armed attack, the logical questions are "which kind?" and "when do we mobilise?" There is no normative definition of what these "common threats" are and what kind of countermeasures they warrant. And how can you measure deterrence if the answer to the question "what are you going to do about it?" is simply "it depends"?
One of the things that such a definition determines is how a state develops a "military response," which means redefining a cyberattack from a home security to a national security challenge. This is significant. For instance, the US and the UK have been willing to use "preemptive measures" in the context of cyberdefence, which entails tactics some member states may regard as illegal.
Because of "the War on Terror" that has now lasted for almost two decades, it is clear that the line between national and home security is increasingly blurred, and the political culture has a greater bearing on how we define and counter specific threats.
Finally, there is also an issue of institutional compatibility between Member States. For the past decade, the US has militarised its response to cyber-attacks through its Cyber Command (USCYBERCOM, 2010). It took nearly a decade for NATO "frame nations" (Germany, UK, France, Poland and The Netherlands) to match this approach and publicly admit their capabilities.
Less than the sum of our parts
Assuming we are ready to accept a singular definition of a cyber-threat and reach a consensus over how to address it, we would still be unable to avoid the fact that NATO member states do not have similar capabilities.
Unlike the US, UK, France, Germany, Estonia, Italy and The Netherlands, a number of member states have cyber defence postures that remain at an infant stage of development. However, in sharing intelligence and operational responsibilities, Member States are often only as strong as their weakest link.
Therefore, NATO has little choice but to mitigate potential loopholes in its cyber defence by developing a comprehensive cyber defence concept in an age of digital transformation, ensuring that Member States meet a minimum benchmark of cybersecurity resilience. This needs to be defined and included in Membership Action Plans, becoming the kind of capability that is transmitted through "member-state-building." For the moment, the Alliance struggles to define common cybersecurity threats, develop common cybersecurity infrastructure, foster inter-operability and project credible deterrence.