Nearly two months have passed since the YATA Denmark delegation visited Mons, Belgium, to attend NIAS 2017 Cyber Security Summit. This came as the second NIAS to be held after NATO recognized cyber as an operational domain of war in July 2016, which remained a key topic during industry and government keynote speeches. With this adaptation, cyber is commonly referred to as the fifth interdependent domain, with the remaining four being land, sea, air and space. Cyber, as of right now, is the only non-physical domain acknowledged by NATO and other member state militaries.
This raises the question of why something which is so ubiquitous should simultaneously be understood as something which stands on its own. Seemingly, it would be counterintuitive to accept cyberspace as an independent domain when operations are carried out with it in regularly in every physical domain. So what really are the merits of identifying Cyber as a domain? And how will this recognition shape how we operate in other domains? Both from a unilateral and from a NATO standpoint these questions are likely to shape the way cyber capabilities and doctrine evolve in the future.
Cyberspace as domain
Cyberspace as a domain is defined by the manner in which we conduct operations in, of and through it, according to keynote speaker Earl D Matthews. Our operations in cyberspace are what we commonly think of when addressing the topic of cyber in warfare, these includes the offensive and defensive cyber operations that we conduct, both to weaken the enemy, but also to secure our own networks and our conventional operations. Operations of cyberspace are those in which we construct the domain in a more literal sense, the construction of the NATO information networks. Finally, but absolutely vitally, a way in which we operate using cyberspace, often overlooked in the public discourse, is the way we conduct our operations through cyberspace. What this refers to are the operations we conduct in the spaces other than cyber, which rely on our cyber capabilities. In other words, operations through cyberspace are those such as, but not limited to, unmanned systems and command and control functions. Fortunately, operations in and through cyberspace remain to be active discussions in the industry, and are discussed extensively in the US Joint Chiefs of Staff’s Joint Publication 3-12 on cyberspace operations, albeit no such distinction is made between the two.
Why a fifth domain?
It has become abundantly clear that the future of cyber capabilities, Defensive Cyber Operations (DCO) in particular, lies in inter-service operability and a joint force-esque organizational structure. This is not only in the interest of information sharing, but also to delegate cyber capabilities to the lower levels of the organizational latter. Thus, defensive cyber capabilities are extended to every corner of the organizational structure of the alliance. This realization has generated calls for a NATO cyber command similar to the United States Cyber Command (USCYBERCOM), an inter-service command under the US Department of Defense (DoD). Currently, NATO’s cyber capabilities are currently pooled into the NATO Communications and Information Agency (NCIA), the agency in charge of hosting NIAS. Although NCIA has been highly successful in securing NATO in cyberspace, it is ill equipped to act analogous to the USCYBERCOM in the alliance as it is not under the NATO Command Structure (NCS). This is why NATO Secretary General recently announced the creation of a Cyber Operations Center within the NCS. This command will enable NATO to integrate cyber capabilities into its operations and planning at all levels, something which was not possible through the NCIA.
Some may argue that there is little inherent conceptual merit to the domain classification that cyberspace has received, the cyber landscape would probably evolve just about the same either way, and NATO would be faced with the same threats. The merit, for the individual member states when recognizing Cyber as a domain of Operations, lies in how doctrine is shaped around this classification, and how agencies arise from it. One recurring trend throughout all of NIAS were the calls for increased cooperation on a multitude of levels, both between and within entities engaged with the cyber domain in different capacities. Still, the question remains whether this effective cross-service and interagency cooperation and delegation can be realistically achieved, even through a centralized NATO cyber command. Those who follow strategic discussions in the US will likely be aware of one of the latest doctrinal byproducts of identifying cyberspace as a domain. This is a concept which goes by the name of Multi Domain Battle (MDB) which is being adopted by the US Army and Marine Corps. This concept takes the same notion of delegating cyber (along with those of any other domain) capabilities to every corner of the organizational structure, in order to empower lower-level commanders with capabilities across multiple domains which would hypothetically be used in a simultaneous ‘fire’ for maximum effect.
Challenges to the current structure of collective defense
A recurring notion at the symposium was that the first battles of the next conventional wars will be fought in the non-physical domains. This lends to the ongoing discussion and underlying paradigm shift of how a cyber attack would relate to Article 5. In the recognition of cyberspace as a domain of warfighting, NATO added to the capability-related merits of the domain classification with enabling member states to trigger Article 5 in case another nation state should be carrying out an armed attack in the cyber domain. Naturally, this is not without it perils, as the immediate issue lies in the lack of a clear distinction in where the threshold lies in distinguishing what constitutes an armed attack in the cyber domain. This is a topic which is very much up for debate, especially because of the non-physical nature of the cyber domain, and the lack of decisive reflection on what degree of disruption or cyber-enabled violence will be considered an act of war which merits a response from the NATO alliance. Ultimately, this indistinction does not just hurt NATO’s ability to respond to a cyber attack, but it is also harmful to the integrity of Article 5, and opens it up to further flexibility.
Recognizing cyber as a domain of warfighting has been important both for collective defense and unilaterally. Cyber has been named a domain, not in spite of its ubiquity, but because of it, and the need to delegate cyber capabilities widely enough to match that ubiquity. The way that this materializes is through the establishment of cyber commands, through which cyber capabilities can be effectively delegated to every service, at any level and in any domain. Still, this classification is not without its caveats, and confronts the alliance with a host of problems to tackle as pertains to article 5.
Photo: Cyber as domain (Breaking Defense)