The November 16, 2018 on-line edition of Breaking Defense ran an article “NATO To ‘Integrate’ Offensive Cyber By Members (see: http://bit.ly/2rebnZo, which is also the photo source).
NATO established a Cyber Operations Center (CYOC) on August 31, 2019 to serve as a focal point for the Alliance’s cyber efforts and to insure that the Alliance had situational awareness concerning the cyber efforts of its members. According German MG Wolfgang Renner, head of the CYOC, “NATO is clear that we will not perform offensive cyberspace operations ….. However, we will integrate sovereign cyberspace effects from the allies who are willing to volunteer.”
To say that such a cyber policy is nascent would be kind. The policy is far from official even though NATO members engage in cyberspace operations everyday. It’s a military, legal and technical quagmire that appears to be in danger of violating many of the longstanding principles of warfare.
Serving on a NATO staff requires not only the skill and knowledge required of your rank and your specialty, but a certain kind of finesse that allows you to work well with international colleagues who will often out rank you. You also will need to know when your country’s national influence needs to be in play and when to work for the good of the alliance.
We know that cyberspace operations are fast moving and we also know that they don’t respect borders. If several of the 29 member states’ interests are attacked simultaneously it is only natural to assume that the military of that country will give the highest priority to their own self-defense.
This sort of ad hoc approach would seem to violate the principle of Unity Command right off the top.
Given that each member state will have different priorities, this would also seem to violate the principles of Objective and Mass. Each member state will pursue different objectives and the total mass of the cyber force (and its resources) will be diluted.
Which leads me to yet another principle that appears to be in jeopardy – Simplicity. The “Fog of War” is nothing compared to the fog of cyberspace operations. The variables at play and the speed of the interaction is unlike the traditional domains.
Knowing that even the best plan often doesn’t survive contact, it would seem that MG Renner and his staff have their work cut out for them. Of course, the focus on cyberspace operations here are things like Distributed Denial of Service, Malware, etc., I’m willing to be they haven’t considered or are woefully understaffed to address the impact of Cyberspace operations as a PSYACT or optimizing the diverse influence of the Alliance members while minimizing second and third order effects.