The Devil is in the Kilobyte

By Wiesław Goździewicz, Expert, Kościuszko Institute

NATO has come a long way in the development of its policy on cyber operations. The three most recent Summits in Wales (2014), Warsaw (2016) and Brussels represent true milestones in this regard. In Wales, Allies confirmed (a year ahead of the 2015 UN GGE Consensus report) the full applicability of International Law to cyberspace. This would also include International Humanitarian Law (IHL) or the Law of Armed Conflict (LOAC). Inclusion of IHL/LOAC in this declaration is particularly important, as during the Wales Summit NATO also declared that cyber incidents of certain gravity may be considered as an armed attack and trigger an Article 5 (collective defense) response by the Alliance. Thus, NATO confirmed that cyber defense is part of NATO’s core task of collective defense.

Another breakthrough happened during the Warsaw Summit two years later. Cyberspace was considered an operational domain, equivalent to air, land, and sea. Member Nations were called upon to build cyber defense capabilities as efficient as those for the “physical” domains. This was reflected in the Cyber Defence Pledge adopted during the Warsaw Summit. The Pledge reaffirmed that obligations under Article 3 of the Washington Treaty (building defense capabilities both individually and in cooperation with other Allies) also apply to cyber defense capabilities. The Allies also pledged to strengthen and enhance the cyber defenses of national networks and infrastructures as a matter of priority, as well as to improve their resilience and ability to respond quickly and effectively to cyber-attacks.

As a follow-up from the decisions made in Warsaw, the North Atlantic Council adopted a 10-point “Cyber as a Domain Implementation Roadmap”, which addresses the requirements to adopt e.g. doctrine and policy, training and exercises, operations planning and strategic communications (also as part of cyber deterrence). It also called for the revision of NATO Rules of Engagement for these to address the specificities of cyberspace operations. Delivery of the Roadmap is very advanced, with certain requirements already met. However, from an operational perspective, the most important aspects of the Roadmap are the integration of cyber effects and the cyber doctrine development as they are closely related to each other.

The November 2017 Defence Ministerial brought the decision to integrate Allies’ national cyber capabilities into NATO missions and operations. While nations maintain full ownership of those capabilities, just as Allies own the tanks, the ships and aircraft in NATO missions, cyber capabilities offered by them in support of Allied operations and missions are to remain under strict political oversight and within the remits of compliance with International Law.

The most recent Brussels Summit brought significant momentum into the process of NATO’s adaptation to contemporary security challenges, including cyber. The adopted and reinforced NATO Command Structure now includes the Cyberspace Operations Centre (CyOC). Being the ‘eyes and ears’ of the respective commanders in cyberspace, the CyOC is supposed to enhance situational awareness in cyberspace and help integrate cyber into NATO’s planning and operations at all levels. It will not be a cyber command center as there will not be any supranational command. While the CyOC is to operate within the existing NATO frameworks, its main aim is to equip the Supreme Allied Commander Europe (SACEUR) with all the necessary tools to operate in cyberspace. As will be discussed below, the CyOC is responsible for coordinating Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA). The second main task of the CyOC is to provide situational awareness and coordination of NATO operational activity within cyberspace.

The SCEPVA mechanism can be considered as cutting the Gordian knot of dilemmas related to the use of offensive cyber capabilities by NATO. These are dilemmas NATO has struggled with since the adoption of its first cyber defense policy in 2008: how to address cyber threats, including those of military character, without resort to offensive cyber means and capabilities, which for many years have been considered a kind of taboo. The Alliance, in its efforts to keep the moral high ground, has been condemning state and non-state actors for the use of a broad range of cyber capabilities against NATO and its member states, from purely criminal, through terrorism and in support of hybrid activities, to offensive use of military cyber capabilities such as the ones Russia exercised against Georgia in 2008.

At the same time, the Alliance has officially interpreted its defensive mandate and purpose in an overly restrictive manner by claiming that in cyberspace, NATO shall only exercise defensive operations, thus even preventing active cyber defense under the NATO “umbrella”. This seemed to be a significant shortfall and disadvantage compared to both the “physical” domains and potentially adversarial actors. Meanwhile, certain NATO Member States have openly declared that they would develop offensive cyber capabilities (of note: the U.S. declared cyberspace an operational domain already in 2008).

Such an approach to cyber capabilities had no logical rationale behind it. NATO has never funded a common armament program aimed at the development of offensive capabilities. All such programs have been of a non-offensive nature: Intelligence, Surveillance, and Reconnaissance (ISR), strategic airlift, Airborne Early Warning and Control (AWACS), etc. Yet nobody had doubts that a defensive mandate does not preclude, and should not preclude, the development of offensive capabilities by individual Member Nations or collectively by them. Defense capabilities must include offensive means: howitzers, tanks, attack aircraft, cruise missiles, etc. And NATO on numerous occasions has reached out to its members for such capabilities to be provided (the best example is the 1999 operation “Allied Force”, which was not defensive, but purely a peace enforcement operation).

Thus, the decisions to prevent active cyber defense or the possibility to use offensive cyber capabilities have been a significant limiting factor for those who had been tasked to plan certain Allied operations and missions. Moreover, given the fact that after the Wales Summit in 2014 NATO made it clear that a grave cyber incident might be considered as an armed attack and trigger an Article 5 response, theoretically, NATO would only be able to respond “conventionally”, “kinetically”. While a response-in-kind is not required under International Law in case of an armed attack, one has to remember that national self-defense has to be imminent, proportionate and necessary.

There is no doubt that cyber means or methods of warfare, or more broadly – cyber capabilities – are not by nature illegal. Moreover, they can be used in a manner that fully complies with the requirements of International Law. One could argue that, in terms of LOAC compliance, if used properly, cyber means can be the most discriminate, the most humane and the most proportionate means and methods of warfare. A response with cyber means to a cyber attack might also (in certain circumstances) be considered the one that best fulfills the requirements of proportionality and necessity of acts in self-defense.

Since NATO does not develop offensive cyber capabilities (but neither does it for “conventional” domains) and for any offensive capabilities the Alliance has to reach out to its Member States, given the long-standing practice of “NATO does not go offensive in cyberspace”, the SCEPVA mechanism seems to be the only solution to the theoretically unsolvable problem: how to efficiently defend the Allies in all domains (incl. cyberspace) without “going offensive in cyberspace”. Cyber-capable Nations may be requested to deliver offensive cyber effects on a target designated by an operational-level commander. And it will be the CyOC that is going to be responsible for matching the expectations of the commanders with the willingness and capabilities of the nations potentially able to deliver such effects.

Officially, NATO will not be “going offensive in cyberspace”, while being able to apply all instruments of military power and the full spectrum of effects. Such a solution does not come without a price, though.

Firstly, the operational-level commanders who normally “own” the targeting process and decide which effects to deliver on a given target and how to deliver the effect, will not be able to task any nation to provide such an effect. Cyber effects will not be handed over to the operational-level commander, as opposed to “conventional” means and capabilities, which upon appropriate transfer of authority will fall under the NATO commander’s command and control. And even if the effect is delivered upon the operational-level commander’s request, the nation delivering it will do so on an “I will tell you what I can do, but not how” basis. That’s the meaning of the word “Sovereign” in the SCEPVA construct.

Secondly, there might be no nation willing to fulfill the request, even if there were Allied Nations able to or capable of fulfilling it, for several reasons, including the desire to retain certain capabilities for own use, strategic purposes, etc. That’s the meaning of the word “Voluntarily” in the SCEPVA construct.

Last, but not least, it still has to be determined where responsibility would lie for potential internationally wrongful use of such cyber effects. For example, if as a result of the use of SCEPVA, excessive incidental losses occur, thus constituting a breach of the LOAC principle of proportionality, which nation would bear the responsibility? Is it the nation voluntarily delivering the cyber effect? Or the Sending Nation of the operational-level commander requesting such an effect to be delivered? Or perhaps the Sending Nation of the Staff Officer proposing the employment of SCEPVA on this particular target in the course of the target nomination/approval process?

Indeed, the devil is in the detail. When it comes to SCEPVA, the details can be broken down into kilobytes. How many devils would fit into a kilobyte?

About the Author

Wiesław Goździewicz is a retired Polish Navy officer and a lawyer specialized in Public International Law, in particular the legal aspects of military operations. Expert of the Kościuszko Institute in the field of cybersecurity, dealing mainly with legal aspects thereof. Former Legal Advisor of the NATO Joint Force Training Centre in Bydgoszcz, Poland. Speaker, among others, at the European Cybersecurity Forum and Warsaw Security Forum; guest lecturer of the Polish Naval Academy, War Studies Academy in Warsaw, Nicolaus Copernicus University in Torun and NATO School Oberammergau.

wieslaw.gozdziewicz@gmail.com; https://ik.org.pl