TALLINN, Estonia — Even cyberattacks below the threshold of starting an armed conflict are having “strategically consequential effects on the power of the United States, its allies, and partners,” a senior strategist at U.S. Cyber Command warned on Friday.

While NATO members agreed in 2014 that a significant cyberattack could be grounds to invoke Article 5 of the alliance’s founding treaty — treating an attack against one ally as an attack against all — the alliance’s adversaries are continuing to conduct offensive cyber operations below this threshold. 

Speaking at the International Conference on Cyber Conflict (CyCon) in Estonia, Cyber Command’s Emily Goldman stressed that while this position might deter the kinds of catastrophic cyberattacks that could merit a kinetic response, it is “not dealing with the majority of this malicious activity below armed conflict, which is becoming routine.”

The “routinization” of these attacks is an issue, said Goldman, with offensive cyber operations now becoming a standard tool in diplomacy and competition.

“We have adversaries that recognize that they can impose losses upon us without going to war, without risking war,” explained Goldman. Due to a perceived lack of risk “we should anticipate that this behavior is going to continue,” she added.

Goldman, who directed the Cyber Command and National Security Agency’s combined action group that produced the 2018 roadmap calling for persistent operations, said that expecting these activities to continue did not mean allies had to passively accept them.

“We can preclude, and we can disrupt, and we can contest this behavior without escalating to armed conflict,” she told the audience.

Since the 2018 roadmap, the United States has advocated for allies to understand its policy of defending forward, “actively disrupting malicious cyber activity before it can affect the U.S. Homeland,” although some of the ideas underpinning this approach are not yet universally accepted by NATO allies.

“We have to recognize that we have adversaries whose doctrine says that they want to win without fighting. So we cannot be in a situation where we’re only preparing for a kinetic conflict. We have to think about what is happening [today].”

Goldman warned that NATO’s adversaries are “going to continue to experiment with new ways to leverage cyberspace, whether or not we as an alliance, or as partners, respond.

“I’m not suggesting that we should not respond to significant cyber incidents, but it has to be pursued in tandem with efforts to thwart that aggressor, below armed conflict, before it harms our nations.

“What we have to do is create a situation where adversaries cannot sustain that behavior. We don’t think we can eliminate all of it, what we want to try to do is disrupt that which is strategically consequential,” she said.

Being proactive does not necessarily mean being destructive or offensive, explained Goldman, citing the release of intelligence about Russia’s preparations to invade Ukraine back in 2022.

For the United States, it also includes hunt forward operations, in which a team of defensive operators travels to a foreign country on invitation to help the host country identify malicious activities on its priority networks. Last month, the head of Cyber Command told congressional lawmakers the command carried out 22 such operations in 2023 alone, including to Zambia for the first time.

Goldman’s comments come as NATO is engaging in a range of initiatives to secure itself from cyberattacks, including ideas about developing its own proactive cyber operational element. Negotiations regarding a new cyber center at its military headquarters in Mons, Belgium, are still ongoing just weeks away from the Washington summit, where allies are expected to announce its establishment.
