The inaugural meetings of CYBERSEC DC yesterday focused on the linkage between economic development and cybersecurity, particularly as that linkage is evolving along NATO's eastern flank. Sponsored by the Center for European Policy Analysis (CEPA) and the Kościuszko Institute and held at CEPA's headquarters in Washington, DC, the conference's announced goal was discussion of the "transatlantic quest for cyber trust."
The conference also sought to develop some high-level, yet actionable, recommendations for furthering such transatlantic cooperation. The conference took it as given that cyberspace had become a field of great power competition, and that the Western allies faced an immediate threat from Russia ("our friends to the East," as they were frequently called) in the form of hybrid war and its attendant information operations, and a more patient threat from China in the form of long-term economic entanglement.
The perspective was clearly informed by the experiences of the Three Seas countries, the Central and Eastern European nations that stretch from the Baltic to the Black and Adriatic Seas. It was also informed by the way in which cyber conflict has evolved: while it does now fall under NATO's Article 5 collective defense provisions, cyber warfare remains for the most part confined to actions that fall below the threshold of armed conflict, and thus not susceptible to the sort of responses and deterrence that have long been in place for conventional war.
Among the recommendations the conference developed with respect to "advancing secure digital transformation" were, first, auditing the assets in place that could serve both resilience and deterrence in the Three Seas region, second, arriving at a consensus among governments of the form 5G implementation will take; third, development of a "stronger narrative" concerning the value proposition of investment in digital transformation; fourth, auditing talent in the Three Seas region; and fifth, cooperating to develop truly international as opposed to merely regional standards. With respect to building cyber deterrence along NATO's eastern flank, the recommendations divided into achieving clarity about costs and advancing cooperation within the Atlantic Alliance.
The cost piece was particularly interesting, with an emphasis on identifying what the adversary (and in this context the adversary was principally the "friends to the East," Russia) valued, and determining how those values could be held at risk. The consensus of the panelists was that Moscow was likely to remain largely indifferent to naming-and-shaming, and so that other means of imposing costs would have to be pursued. The participants recommended full use of the NATO toolbox, including diplomatic and economic tools, and they argued that imposition of costs need not, and probably should not, be symmetric. That is, threatened retaliation for cyber attacks need not confine itself to cyber counterattacks.
We'll have further reflections on the conference available later.