The November 16, 2018 on-line edition of Breaking Defense
ran an article “NATO To ‘Integrate’ Offensive Cyber By Members (see: http://bit.ly/2rebnZo, which is also the photo
source).
NATO established a Cyber Operations Center (CYOC) on August
31, 2019 to serve as a focal point for the Alliance’s cyber efforts and to
insure that the Alliance had situational awareness concerning the cyber efforts
of its members. According German MG Wolfgang Renner, head of the CYOC, “NATO is
clear that we will not perform offensive cyberspace operations ….. However, we
will integrate sovereign cyberspace effects from the allies who are willing to
volunteer.”
To say that such a cyber policy is nascent would be kind.
The policy is far from official even though NATO members engage in cyberspace
operations everyday. It’s a military, legal and technical quagmire that appears
to be in danger of violating many of the longstanding principles of warfare.
Serving on a NATO staff requires not only the skill and
knowledge required of your rank and your specialty, but a certain kind of
finesse that allows you to work well with international colleagues who will
often out rank you. You also will need to know when your country’s national
influence needs to be in play and when to work for the good of the alliance.
We know that cyberspace operations are fast moving and we
also know that they don’t respect borders. If several of the 29 member states’
interests are attacked simultaneously it is only natural to assume that the
military of that country will give the highest priority to their own
self-defense.
This sort of ad hoc approach would seem to violate the
principle of Unity Command
right off the top.
Given that each member state will have different priorities,
this would also seem to violate the principles of Objective and Mass.
Each member state will pursue different objectives and the total mass of the
cyber force (and its resources) will be diluted.
Which leads me to yet another principle that appears to be
in jeopardy – Simplicity. The
“Fog of War” is nothing compared to the fog of cyberspace operations. The
variables at play and the speed of the interaction is unlike the traditional
domains.
Knowing that even the best plan often doesn’t survive
contact, it would seem that MG Renner and his staff have their work cut out for
them. Of course, the focus on cyberspace operations here are things like
Distributed Denial of Service, Malware, etc., I’m willing to be they haven’t
considered or are woefully understaffed to address the impact of Cyberspace
operations as a PSYACT or optimizing the diverse influence of the Alliance
members while minimizing second and third order effects.