Abstract
For decades, few NATO members, predominantly the US, had the
capabilities to conduct offensive cyberspace operations (OCO).
Today more than half of NATO’s members have, or are acquiring,
offensive cyberspace operations capabilities (OCOC). Historically,
NATO’s planning and coordination is based on shared knowledge
of the members’ military capabilities, to a degree even their nuclear
capabilities. In the cyber domain, the principle has evolved to
include allies’ emerging defensive cyber capabilities. NATO’s
approach to OCOC, however, deviates radically: NATO’s doctrine
merely integrates OCO’s effects, that is, allow members to contribute
with OCOs in operations without sharing information with
allies on what OCOCs are available or how the OCOs deliver the
effects. OCOC’s technical and tactical characteristics incentivize
NATO’s members to keep OCOCs secret, also from allies. This results
in a dilemma: Either the allies providing OCOC’s effects risk sharing
sensitive information on the means, or the allies, who depend on
the provided effects, act without sufficient knowledge of the
deployed OCOCs to assess their efficacy, legality, or impact on
own offensive or defensive cyber operations. NATO’s limited
approach to OCOC is a pragmatic mitigation of the dilemma that
allows NATO to train and develop doctrine in the field further.