The majority of NATO’s focus is on strategic and conventional capability development and deployment, including planning for joint military scenarios, procuring weapons and armaments, and establishing an “enterprise” view of closing conventional kill chains. This focus is generally well-founded. These strategic and conventional needs are deemed critical to the defense of the alliance, particularly in Europe, and define the capabilities required to maintain an ever-evolving threshold of deterrence.
Adversary, near-peer competitors, however, are aware of this, and increasingly conduct actions in the gray zone or below the threshold for open conflict. These gray zone actions are growing more dangerous as adversaries push the boundaries and discover new ways to advance their objectives. Actions run the gamut from Russian “little green men” in Ukraine, to cyber intrusions, to strings-attached economic aid. To counter this growing challenge, NATO must identify opportunities to counter priority gray zone threats by sharpening its focus and investing in these areas.
Perhaps the most critical areas for transatlantic concern are adversary penetration of defense supply chains and funding/investment. Cybersecurity receives the greatest attention from the alliance and many think tanks, but the threat to the physical supply chain is equally robust. Near-peer adversaries combine efforts to penetrate defense and dual-use technology companies’ cybersecurity architectures and to insert counterfeit or compromised parts into defense supply chains. Additionally, they pursue investments and acquisitions of emerging technology companies (or those with access to these technologies), obscuring the true source of the funding. These targets are often the most vulnerable: either small businesses incapable of vetting components or a firm that is vital to the supply chain.
The threat comes not only from Russia but also more seriously from China. Eastern European NATO members continue to operate vast quantities of Soviet equipment and are thus vulnerable to Russian compromise attempts. But the Chinese threat is tied to Beijing’s broader effort to create commercial links to Europe. Chinese penetration of critical defense supply chains takes place under cover of supposedly positive-sum trade deals.
Recent trends only magnified the risk. The push to reinvigorate or develop native defense manufacturing capability throughout Europe will diversify the defense base. However, it also introduces risk as more and new suppliers enter complex coalition development programs. Additionally, the COVID-19 pandemic has created numerous challenges; lower-tier suppliers are less prepared to defend against intrusion, while upper-tier suppliers, OEMs, and primes are distracted by securing existing and new suppliers to ensure resilience. Further, adversaries have used this opportunity in which companies are desperate for new financing to accelerate penetration into suppliers and high tech startups through funds and individuals backed by state sponsors. This threat to NATO members is exacerbated by the rapid evolution of defense and dual-use technologies, coupled with a growing number of major cross-border defense programs. NATO is uniquely suited to and must play a central role, in addressing this challenge.
Principally, NATO should serve as the clearinghouse and executive organization for its members for the tracking and vetting of suppliers and funding sources (banks, private equity, venture capital, etc.) across the alliance and its partners. This can be accomplished with a shared customer relationship management tool leveraging the alliance’s IT infrastructure, as well as commercial-off-the-shelf (COTS) and near-COTS applications to illuminate supply chains, relationships, and track funding. NATO must adapt its solutions to the various circumstances its members find themselves in, from those directly impacted to Russian meddling, to those who are beginning to understand the depth of Chinese tactics.
As it prepares its response, NATO should utilize internal organizations such as the NATO Standardization Office to distill and implement best practices from larger members and commercial partners. It should disseminate these through regular training courses in each member country, NATO HQs, and other components to ensure all nations are able to access, use, and contribute to the effort.
NATO must also support its defense community with the challenges that stem from such an effort. An oversight regime of this magnitude will create business disruption. The certification process – as the United States learned with its recent cyber certification process – will be cumbersome and expensive. It can be exceedingly problematic for small businesses that do not have the tools or resources to carry out vetting as required. NATO should take practical steps to mitigate disruption where possible, provide funding where needed, and adjust rules and requirements to balance security objectives with capability delivery.
Without these measures, NATO will be ill-prepared and compromised by the increasing encroachment of near-peer adversaries.
Nicholas Nelson is a Senior Fellow at the Center for European Policy Analysis, and is a Principal and Senior Technology Advisor for a University Affiliated Research Center.
Tony Morash is a strategic planning principal for a major U.S. defense prime contractor, where he focuses on enterprise strategy, emerging technologies, and all-domain operations.