Twenty-five years after the collapse of the Soviet Union, the specter of a nuclear holocaust has faded. The threat of weapons of mass destruction still looms, to be sure. But the more imminent and broad-scaled threat is from weapons of mass effect, or attacks to critical national infrastructure such as the electrical grid. A new Cold War is emerging, and it isn’t clear that the United States and its allies have the upper hand.
While attention has been (rightly) focused on Russia’s military actions in Syria and Eastern Europe, the lesser-told story is Russia’s increased integration of cyberattacks into its military playbook.
Russia has already targeted NATO and its allied countries with such attacks. As far back as 2007, Russian hackers launched a sophisticated campaign of denial-of-service attacks against a number of Estonian websites after a diplomatic dispute. Russia also integrated a cyberattack with a mainstream military operation, having brought down Georgian telecommunications networks before invading the country in 2008. Russia’s most recent use of such a hybrid attack was in late 2015, when it brought down parts of an electrical grid through a cyber attack against a Ukrainian utility,.
Unfortunately, these types of threats are not the worst-case scenario for NATO. The alliance’s strength lies in its economic power, its technological edge, and its strategic deterrent. Each of those capabilities is highly vulnerable to a cyberattack. Russia could strike the New York Stock Exchange, sending markets into free-fall. Or, they could take a page from China’s playbook and concentrate cyber efforts on stealing critical emerging technology, potentially closing the technological gap between Russia and the West in jet engines, for instance. Most troubling, a sophisticated cyberattack could temporarily disable NATO early-warning or launch systems, effectively neutering its strategic deterrent.
While Russia has updated its military doctrine to heavily incorporate cyber tactics suitable to the hybrid attacks like those cited above, NATO is still focused deterring Russian forces from storming through the Suwalki Gap. By treating cybersecurity as little more than an important component of Operational Security, NATO is missing the long game. To be equipped to fight this new Cold War, NATO needs to increase its cyber defense capabilities drastically.
This ought to be done in two ways.
The first is to place a greater emphasis on education. NATO countries train their officers, technicians, and troops in the strategies, tactics, and skills necessary for success on the battlefield. The alliance ought to create more schools and training programs to educate a new cohort of cyber warriors that can ensure our conventional forces maintain their technological edge if a conflict turns violent. At present, NATO runs schools and centers where industry and member states can share and innovate cyber expertise and capabilities. These efforts should be put into overdrive, and NATO countries need to invest more in education to maintain the West’s technological edge.
The second is to shift the definition of “defense.” NATO has taken admirable steps to develop cyber policies and conduct exercises simulating electronics blackouts. However, the alliance’s defensive mindset is still tactical in nature. By focusing solely on preparing for cyber attack contingencies and implementing defensive measures, NATO does nothing to deter Russian aggression. Therefore, a shift in mindset is needed to elevate NATO’s cyber capability to levels similar to its strategic and conventional capabilities. This means that the thrust of the Pentagon’s new deployments to Europe cannot simply be just another armored brigade or equipment pre-positioning, but perhaps the standing-up of large and sophisticated cyber operations centers organic to the European theater, where US and partner countries can centralize their defensive efforts.
A well-organized and superior fighting force can deter an adversary comprised of tanks, planes and troops, but is completely ineffective against the invisible, dispersed, and anonymous cyber threat. Only when NATO treats cyber defense as a pillar of its deterrent capacity and not just as a routine security measure will the alliance be ready to handle the cyber threat from Russia.