Why NATO Countries Don’t Share Cyber Weapons
As states start to operationalize their cyber commands, they will have to stand on their own feet and not expect much help from their friends.
Over the past decade, we have witnessed the global proliferation of military cyber commands. As militaries try to build up an operational cyber capacity, they are looking for opportunities to share the burden and cooperate in this new domain of warfare.
But certain kinds of cooperation are more difficult in the cyber realm. It turns out that transferring cyber arms, while technically easy, is actually a lot more complicated than delivering conventional weapons.
Selling fighter jets to an ally doesn’t make the planes in your own fleet dramatically less effective. But when an exploit or tool is shared with a country and then used, its usefulness is reduced for everyone. This means that governments are more likely to help other states develop their own offensive capabilities by providing the expertise to find exploits, develop tools, and innovate themselves. This can include providing technical training and selling cyber training facilities. But an advanced cyber power would only consider this type of transfer with countries it is particularly close to.
This explains NATO’s operationalization of the cyber domain: the alliance actively promotes exercises and training. But it calls on its member states to volunteer “sovereign cyber effects” instead of sharing “capabilities.”
Rivalrous Goods
When it comes to conventional capabilities, arms-producing countries generally transfer either finished systems or the basic engineering know-how used to reproduce existing weapon technology. These relatively straightforward transfers are well suited for bolstering the supplier’s defense industry, strengthening political ties, and consolidating alliances. The seller is less likely to engage in transfers that help to adapt weapon technology or provide the capacity to innovate at the technological frontier. Innovation involves greater financial barriers and potential socio-cultural obstacles. Plus, there is little financial logic. Helping buyers build their own weapons risks reducing sales and, potentially, the security of the arms supplier.
But this logic works differently in cyberspace. To understand why, consider two key elements of a military’s offensive cyber capability: exploits and tools. Exploits involve code that takes advantage of software or hardware vulnerabilities to gain and maintain or increase access to target networks. Tools are sets of code used to create, debug, maintain, or otherwise support programs or applications. Like most digital goods, the opportunity to transfer tools and exploits is readily available, as they can be effortlessly replicated and shared just as easily as any other file on your computer. This is what economists call jointness of supply, which results in “a situation in which the cost of supplying a good to the first user is the same, or nearly the same, as supplying it to many users.”
Yet, states are less willing to share these assets because exploits and tools are also transitory in nature—they have a short shelf life. An asset’s transitoriness is not static; it is influenced by a number of factors. For example, all things being equal, an exploit used in an operation that causes a high level of visible damage is more likely to be discovered than one used in an espionage operation. Similarly, a tool is more likely to be detected and reported when used against a more technologically sophisticated country.
The number of targets matters as well. Even if an exploit is potentially effective against a wide set of systems or networks, an attacker can decide to use it against only a few high-value targets to reduce the chances of discovery and increase its longevity. The transitory nature of exploits and tools turns them into what economists call rivalrous goods. A good is said to be rivalrous if consumption by one user prevents or weakens consumption by another user. If I share my exploit with you, and you use it, there is an increased likelihood that I am no longer able to use it afterward.
Attribution dynamics may further complicate the incentives at play. If a state decides to share malicious code or its techniques for using it, this may increase the likelihood of misattribution following use by another state. Most of the time, this creates another cause for concern when sharing customized tools. In certain circumstances, however, it could also be an advantage, creating ambiguity and making it harder for the target to retaliate.
Writers have frequently pointed out the operational similarities between cyber espionage operations and cyber effect operations. Yet the incentives for sharing espionage and surveillance tools are significantly higher. Cyber effect operations—those that seek to disrupt, deny, degrade, and/or destroy—are more likely to lead to the detection and disclosure of exploits and tools. What’s more, intelligence cooperation comes with a stronger deconfliction imperative: to prolong covert collection, allies want to avoid having two or more different malware platforms running on the same target system. Finally, in the case of espionage capabilities, the supplying state can more easily piggyback on the purchasing state’s intelligence-collection activities, thereby benefitting directly from the cooperation.
Stronger incentives also exist for states to help their allies and partners develop their own military cyber capabilities. This can be done in a number of different ways, including setting up testing facilities and training personnel. For example, finding unknown vulnerabilities is often done through a dynamic process called fuzzing, which involves automatically inputting massive amounts of data, called fuzz, to uncover potential vulnerabilities. A state actor with a more mature capability can offer a training course for foreign analysts to help them better use this technique to search for software vulnerabilities. However, an advanced cyber power would only consider this type of transfer with governments it trusts. In 2016, for example, the French-based company Thales Group built the cyber range of the Dutch Defence Cyber Command, which can be used to simulate cyber incidents and test cyber tactics and techniques.
NATO Sovereign Cyber Effects
These dynamics play out even in an alliance as close as NATO. There are several NATO-affiliated programs that focus on training and infrastructure development. For example, the NATO Cyber Defense Center of Excellence (CCDCOE) has, since 2012, organized the annual Locked Shields exercise, which is aimed at enabling “cyber security experts to enhance their skills in defending national IT systems and critical infrastructure under real-time attacks.” In 2019, Locked Shields had over 1000 participants and over twenty-three blue teams. The center also organizes Crossed Swords—an “annual technical red teaming cyber exercise training penetration testers, digital forensics experts and situational awareness expert”—while supporting other training programs, such as the Coalition Warrior Interoperability eXercise, Trident Juncture, Trident Jaguar, and Cyber Coalition.
Yet when it comes to operational deployment, NATO focuses on coordinating “sovereign cyber effects.” According to David Bailey, senior national security law advisor for Army Cyber Command, “the idea of sovereign cyber effects provided voluntarily by allies is good. But … that will not fall under the command and control of the actual NATO commander. … It will still fall under the command and control of the country that contributes. In my mind, it’s going to be difficult to achieve that level of coordination that we’re used to in military operations, even in a NATO context.”
To facilitate the coordination of these sovereign cyber effects, NATO has established the new Cyber Operations Center (CyOC). This center is located at NATO’s Supreme Headquarters Allied Powers Europe in Mons, Belgium, and aims to be fully operational with a seventy-person team by 2023.
This approach means that NATO members do not share their modus operandi with each other. Instead, a member state notifies the alliance that it has the (potential) ability to achieve a desired effect without sharing how it achieved it. Because states do not actually have to disclose their capabilities, this overcomes the main barrier to cyber arms transfer while still facilitating cyber operations within the alliance structure. To date, at least nine states are known to have signed up to offer their sovereign cyber effects, when available and needed, to the alliance.
However, this does not mean that the U.S. military cannot seek partnerships in the cyber domain through other mutually beneficial avenues. Specialists from U.S. Cyber Command have been deployed abroad to sixteen other nations—with their consent—for “hunt forward” operations to seek intelligence from allies’ computer networks. Gen. Paul M. Nakasone, head of U.S. Cyber Command and the NSA, confirmed that in one such hunt forward deployment, U.S. military specialists were based in Ukraine from December 2021 to February 2022, leaving just before the invasion. As Kim Zetter notes, these deployments can help Ukrainians uncover threats inside their networks without the United States directly hacking into Russian systems.
Outside of these hunt forward missions, however, Nakasone confirmed that the U.S. Cyber Command has conducted a “series of operations across the full spectrum; offensive, defensive, [and] information operations” in response to the Russian invasion. While we don’t know what these operations involved, they were not coordinated or requested by the NATO Cyber Operations Center. For America and its partners, this mix of unilateral action and piecemeal cooperation will likely remain the default in the cyber realm.
As states start to operationalize their cyber commands, they will have to stand on their own feet and not expect much help from their friends.
This essay is based on No Shortcuts: Why States Struggle to Develop a Military Cyber-Force, published with Oxford University Press and Hurst Publishers.
Max Smeets is a senior researcher at the Center for Security Studies at ETH Zurich and director of the European Cyber Conflict Research Initiative.
Image: U.S. Department of Defense / Flickr