Damjan Štrucl: Cyber Security and Cyber Defence comparison of various NATO member states

Damjan Štrucl 
Ph.D., Researcher 
NATO Cooperative Cyber Defence Centre of Excellence
Slovenia


Cyber Security and Cyber Defence remain among the most pressing challenges of today’s complex security environment. In this regard, there are many ongoing academic, professional and political discussions, as well as various analyses and comparisons of National Cyber Security legal and institutional frameworks. These analyses are mainly based on publicly available data that depict a Nation's digital development, adopted strategies, legal frameworks of Cyber Security and Cyber Defence, the expected ability to respond to Cyber indicators, the expected capabilities of conducting Cyber Operations, etc. These kinds of comparisons give us general information about the current legal and institutional framework of National Cyber Security and Defence. The presented results do not necessarily mean that these data represent the effective implementation of a National Cyber Security and Cyber Defence policy, as these comparisons do not provide information on the effectiveness and compliance of a Nation's Cyber Security and Cyber Defence concept with respect to International or Multinational legal commitments.

If we focus just on NATO member states, we could logically conclude that they have a comparable understanding of all Cyber-related terminology and a similar organisational structure, as they have committed to realising and respecting the Alliance's strategic goals. It is also worth noting that the majority of NATO members are also EU members, so these two organisations should not differ significantly in their common understanding of the aforementioned concept, especially since they concluded a Joint Declaration on EU-NATO Cooperation that includes Cyber Defence.

The deductive and logical reasoning above gives the impression that it should be simple to directly compare the National Cyber Security and Cyber Defence frameworks of various NATO member states. However, this is a false impression, as each Nation has its own unique approach to National, International and Multinational Cyber Security and Cyber Defence concepts due to the disparity in the common understanding of Cyber-related terminology and to cultural-historical diversity. Additionally, not all information regarding National Cyber Defence capabilities is publicly available (except for strategies that depict the organisational structure in general). This disparity has created new pitfalls in the form of widely differing understandings and perceptions of the contemporary Cyber Security and Cyber Defence environment and, consequently, the lack of a common approach and response of Nations to Cyber Security or Cyber Defence activities.

In 2021, CCDCOE produced the Comparative study on the cyber defence of NATO member states, focusing on Cyber-related terminology and on the legal and institutional frameworks of individual NATO member states. The study shows two key findings: 1. A universally accepted Cyber terminology does not exist, nor are the generally accepted EU and NATO definitions the same, which is echoed in differing National concepts of Cyber Security and Cyber Defence. 2. States are also reluctant to share detailed information about their own National Cyber Security and Defence concepts and policies, especially regarding the internal organisational structure of their National Cyber Defence and the missions and tasking of subordinate individual units.

The comprehensive approach of the aforementioned analysis showed that most Nations do not approach the implementation of Cyber Security and Cyber Defence holistically, but focus on Cyber Security, Cyber Defence and Cyber resilience separately. As an example, some Nations replaced Information assurance with Information security, or Information security with Cyber security, which is subsequently mirrored in their updated organisational structure. Moreover, the EU considers Information security as a subset of Cyber Security, while NATO advocates the opposite. There are also terminological discrepancies in the definition of what constitutes a Cyber attack versus Cyber Operations (offensive and defensive). This is especially important in the context of modern interpretations of Multidomain Operations, when most Cyber incidents and attacks occur in the so-called "grey zone", that is, as events that do not reach the threshold of the legally understood application of the use of force or a clear violation of legally understood norms or international law.

Such terminological disparity is highly undesirable in the Multinational world and the Alliance, as it prevents a unified and global response to modern security threats as well as the creation of easily recognised International law or Cyber norms (e.g. Rules of Customary international law: state practice and opinio juris sive necessitatis). Additionally, it should be noted that NATO and the EU define Cyber-related terminology differently. Many other nations, such as the Russian Federation, also do not take into account or agree to the current Rules of International law or commonly accepted Cyber norms or practices. Additionally, the Russian Federation uses the Information Environment and Cyberspace to implement the so-called “New Warfare Generation” operations (Hybrid operations), while NATO uses more clearly defined Cyber Operations policy and frameworks to achieve military strategic objectives.

This entire topic is further reflected in individual National organisational structures, in the widely differing implementation of National Cyber concepts. All NATO member states have four levels of security management (political, strategic, operational, technical/tactical), but very different organisational structures. In some Nations, a single entity may be responsible for all Cyber-related concept tasks, and in other Nations, a single entity may be responsible for providing Information security and at the same time Cyber security. The levels of operational Cyber security also differ greatly between Nations, as Nations have assigned operational tasks to different entities, such as the National Cyber Security Centre, CERT, Department of Defence, National Intelligence Service, Military Intelligence, Digital Security Oversight Board, Council for cyber security, the Cyber Security Committee at the Ministry of Communications, etc.

Similar findings are seen at the operational level of many National Cyber Defence frameworks. Some Nations have executed Cyber Defence at the governmental level, while others do so at the Ministerial level or in equivalent governmental bodies, but most Nations have implemented a shared-responsibility concept for Cyber Security and Cyber Defence. From publicly available data, we cannot claim that any Nation has a better or worse organisational structure than another, but we can certainly assert that Nations that do not have intelligence structures included in their framework cannot effectively implement and execute Cyber Defence.

In conclusion, a generally accepted Cyber-related terminology is the cornerstone for the effective International implementation of Cyber Security and Cyber Defence, which would enable Nations to more uniformly design an effective security architecture for times of peace, conflict and war. The whole-of-government approach is no longer sufficient; a "whole-Nation approach" is needed, which would enable the effective integration of the public and private sectors, the distribution of capabilities (especially human resources) and interoperability within the Alliance, and at the same time allow an effective response to hybrid threats.