NATO and Cyber: Outrunning the Bear
This series—featuring scholars from the Futures Lab, the International Security Program, and across CSIS—explores emerging challenges and opportunities that NATO is likely to confront after its 75th anniversary.
In the future, NATO will need an institutional platform for operational collaboration in cyber among member states and the private sector. A new cyber center scheduled to be announced at the July summit will fall short of this aspiration, but it should prioritize the situational awareness and information sharing necessary to support a rapid transition to operational collaboration.
At its first annual Cyber Defence Conference in Berlin last November, NATO agreed to establish a NATO cyber center. Nailing down the details of such a center, whose working title is the NATO Integrated Cyber Centre (NICC), has proven challenging, and NATO is scrambling to finalize an agreement that can be announced at the summit. All indications are that it will be relatively narrow in scope, with a focus on shared situational awareness, particularly for the Supreme Allied Commander Europe (SACEUR). It will not, according to public reporting, include tactical operational coordination. This is not surprising at the outset.
On the theory of learning to walk before you can run, a less ambitious start is prudent. But given the risk environment, the center’s maturation should proceed more like a newborn pronghorn, which can outrun a bear within a few days of its birth, than a human baby, whose safe environment offers far more time for development.
NATO ultimately needs a mechanism for planning and implementing cyber operational collaboration among the alliance members and with the private sector. Supporting the transition to this operational collaboration should be the priority for the NICC, and the center should immediately begin planning for this next phase, leveraging lessons learned in member countries.
James Appathurai, NATO’s former deputy assistant secretary-general for innovation, recently emphasized that the logic behind the center is to provide SACEUR “visibility over what cyberspace looks like” at all times. Innovations can help provide visibility into both operational and information technology, using artificial intelligence to quickly learn what normal activity looks like and detect anomalous behavior. That said, achieving full situational awareness of the entire cyber landscape that might be relevant to NATO seems overly broad and ambitious. Appathurai also cited an example of a cyberattack on a port that could impact the delivery of materiel to Europe, precisely the kind of operational scenario that should drive the information priorities of the NICC.
Focusing on information that is needed for operational collaboration can also make sharing more likely. It helps avoid the trap of pursuing information sharing for its own sake. Holders of information are generally more willing to share it when the need for such sharing is clear and it is likely to lead to action. Addressing real, present challenges is compelling and can help overcome the risks inherent in any information sharing.
The Cyberspace Solarium Commission intentionally moved from public-private information sharing to operational collaboration with the private sector. This strategic shift was driven by several factors. To begin with, the increasing frequency and sophistication of cyber threats have far outpaced traditional defensive measures, necessitating a more proactive and integrated approach between government entities and the private sector. Additionally, the interconnected nature of critical infrastructure means that the private sector often finds itself as the “first line of defense” against cyberattacks. This makes its active participation in cyber defense operations critical.
In response, the Solarium Commission put forth several recommendations aimed at fostering closer collaboration between the public and private sectors. One notable proposal was the establishment of sector-specific coordinating councils, composed of government entities and industry stakeholders, to jointly develop and implement cybersecurity strategies. These serve as platforms for sharing threat intelligence, coordinating incident response efforts in real time, and conducting joint exercises. Additionally, to promote cybersecurity best practices and standards across industries, the commission advocated for the creation of a national cybersecurity certification and labeling authority. Likewise, the commission advocated for identifying and engaging the highest-priority infrastructure assets to ensure that they are sufficiently investing in resilience and have the highest level of government support in order to protect national security and economic productivity.
To enhance the effectiveness of this operational collaboration, NATO could also consider prioritizing the implementation of Secure Information Exchange (SIE) and Secure Information and Communication Infrastructure (SICI). These concepts can enable a dynamic, real-time exchange of operational information and threat intelligence, thus ensuring that all parties have the most current and relevant data to respond effectively to cyber incidents.
Applying these and similar recommendations to a NATO cyber defense context involves adapting them to the alliance’s multinational framework and diverse member states. NATO could establish similar sector-specific councils or working groups that include representatives from member states, industry partners, and relevant NATO bodies. These groups could facilitate the exchange of threat intelligence and best practices, enhance collective defense capabilities, and streamline coordinated responses to cyber incidents affecting multiple NATO countries.
The NICC should prioritize involving private sector entities that have a key operational role, including unique insights that could support operational activity as well as direct operational capabilities.
NATO should coordinate with and leverage its existing frameworks, such as the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the Industry Cyber Partnership, and its Science for Peace and Security (SPS) Programme, to support these efforts. This holistic approach would strengthen NATO’s overall cyber resilience and ensure a unified response to cyber threats that respects both national sovereignty and collective defense principles.
The NICC also should link closely with law enforcement in member countries. Joint law enforcement activities are where much of today’s operational activity is taking place. The center should capitalize on the insights gained in these operations, including how to work with the private sector. Establishing a presence in such joint efforts can lead to the organic sharing of insights and information, rather than making sharing a burdensome afterthought.
Having visibility into the kinetic side of NATO planning and activities will also be essential, as cyber operations will rarely stand alone.
The NICC should make every effort to avoid classifying information. Not only does classification hamper collaboration, but it also provides a false sense of confidence. Plans whose success depends on keeping information secret for any significant length of time are brittle. The reality is that the shelf life of secrets is vanishingly short. NATO should assume that its adversaries have access to the same information that it does and plan accordingly. It should focus less on keeping information secret and more on the integrity of and access to that information.
Suzanne Spaulding is the senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies in Washington, D.C.