Written by Shannon Vavra

The North Atlantic Treaty Organization’s cyber-operations command center in Belgium still has a ways to go before its offensive playbook is set in stone, a NATO cyber official involved in the matter told CyberScoop.

The Cyberspace Operations Centre was established almost exactly one year ago, in Mons, Belgium to help member nations’ obtain real-time intelligence on and respond to cyberthreats from criminal or nation-state backed hackers. The alliance is still working on pooling member nations’ offensive cyber capabilities for those responses, Deputy Director of the Cyberspace Operations Centre Group Captain Neale Dewar told CyberScoop in an interview.

The cyber operations center was created in part to fulfill the alliance’s 2016 decision that under NATO’s Article V, a cyberattack on one member nation may result in a group of members coming to its defense, just as if a physical attack had occurred. But because the alliance does not have its own cyberweapons, and because NATO members do not possess the same capabilities, it must pool together its resources, Dewar said.

“When it comes to the offensive side … NATO in and of itself has no offensive cyber capabilities. And so anything that’s done in terms of offensive cyber action would be by the NATO nations or by a NATO nation offering a capability to the alliance in an agreement as to what it would be — a desired outcome, what effect it wants,” Dewar said.

Nine NATO members have signed on to offer their capabilities: the U.S., the UK, The Netherlands, Estonia, Norway, Germany, France, Denmark, and Lithuania, according to Dewar.

How NATO will react

Although NATO agreed three years ago that cyberattacks can trigger Article V, the alliance is still unclear on what kind of cyberattack will prompt the cyber center to kick into full gear, Dewar said. For now, the North Atlantic Council, the primary political team that makes decisions related to security issues, is deciding what cyberattacks deserve a response on a case-by-case basis, Dewar said.

“It will depend on the severity of the scenario of any incident,” Dewar said.

In the event that an incident is detected, specialist teams that include staff from NATO countries would be called together to decide what should be done in response.

“Specialist teams would be brought together — with not just cyberspace backgrounds, but also intelligence, logistics, communications backgrounds — to look at the severity of the incident, how communications need to be put in place, how recovery actions will be taken,” Dewar said.

The center may also recruit contractors to contribute threat intelligence on specific groups, Dewar said.

Depending on how severe the team believes a cyberattack to be, the North Atlantic Council can then examine whether a cyber-operation should be launched or NATO should opt for a more traditional military response, Dewar said.

The effort to organize the process around the center comes as NATO is targeted with suspicious cyber activity every single day, according to NATO Secretary General Jens Stoltenberg.

“Cyberthreats to the security of our alliance are becoming more frequent, more complex and more destructive,” Stoltenberg writes in Prospect Magazine. “Even NATO is not immune to cyberattacks and we register suspicious activity against our systems every day.”

Stoltenberg said this week that NATO can already “draw from allies’ national cyber capabilities for NATO missions and operations,” and provided several examples of joint actions and individual countries’ own efforts to root out bad behavior in cyber space in recent years.

“We saw, for example, how some nations, not least the UK, successfully used [cyberweapons] within the Global Coalition to Defeat the Islamic State (IS). It was able to suppress IS propaganda, disrupt their recruitment of foreign fighters, and degrade their ability to co-ordinate attacks,” Stoltenberg recalled. “Last October … authorities in the Netherlands, with the help of British experts, foiled an attack by Russia on the Organisation for the Prohibition of Chemical Weapons in The Hague.”

Dewar said right now the center is experiencing a lot of turnover given that summer is drawing to a close, and expects the center to have full operational capability by 2023.