NATO Cyber Defense: Moving Past the Summit


Earlier this month, the Alliance’s defense ministers adopted a new Cyber Defense Policy and Action Plan, fulfilling and moving beyond the policy basics of the Strategic Concept from the 2010 Lisbon Summit. Though the details are still classified, this blog will discuss the basics of the new policy which seems to root NATO in the things they must do, rather than overextending the Alliance to create new missions or reasons to exist.

Especially since the 2007 cyber attacks on Alliance member Estonia, NATO has been working to develop appropriate policy responses to potentially similar incidents. As such, the new focuses have been on improving a coordinated NATO approach, enhancing cyber defense capabilities to stop threats and improve responses, and cooperating with the larger international community.

According to an unclassified presentation by NATO’s cyber defense section, the key elements of the new policy include:

  1. Realization that cyber defense is required to perform NATO’s core tasks of collective defense and crisis management
  2. Prevention, resilience, and defense of cyber assets critical to NATO and its constituent Allies
  3. Implementation of robust cyber defense capabilities and centralized protection of NATO’s own networks
  4. Definition of minimum requirements for cyber defense of national networks critical to NATO’s core tasks
  5. Assistance to the Allies to achieve a minimum level of cyber defense to reduce vulnerabilities of national critical infrastructure
  6. Engagement with partners, other international organizations, private sector and academia

The policy seems to give particular attention to how the Alliance would respond to cyber incidents. When NATO itself suffers a cyber incident, the Computer Incident Response Capability would lead the technical defense and response, in coordination with the Cyber Defense Management Board. To assist this process, there will be memorandums of understanding (MOUs) between each nation’s cyber defense organizations and this Board.

More importantly, the policy makes clear that if an Ally were subjected to some kind of cyber incident, any decision on collective defense (under Article 5 of the NATO Charter, by which an attack on one is an attack on all) will be a political, not a technical or even military, decision. That is, the matter will be decided by the senior policy makers of the Alliance and of each Ally and not by the incident response teams or individual commanders. And the fact that technologists or the media may call a cyber incident an “attack” does not make it a military-style attack envisioned under Article 5.

Clarifying the role of the political leadership is therefore particularly important since such low-level “attacks” are happening in cyberspace all the time. In these incidents, the “attackers” steal money or political secrets, commit fraud, and plunder the intellectual property of companies. But these everyday attacks, though serious, do not escalate to the level of a “threat or use of force” or “armed attack,” the thresholds codified in the UN Charter. Thus, such attacks would not trigger collective defense under the purview of the NATO alliance.

If there are political implications as a result of an incident against an Ally or NATO itself, these will be escalated to the Defense Policy and Planning Committee which will include, as necessary, the North Atlantic Council, the Alliance’s key political decision-making body. Any nation in the Alliance can also call a formal consultation with the other Allies, under Article 4 of the NATO Charter, if they feel their security is threatened by cyber incidents.

This escalation could happen quickly: the day after the 9/11 attacks on the United States, the North Atlantic Council quickly determined that the incident was clearly an armed attack, was externally directed (not domestic), and decided aircraft could be considered as weapons. Accordingly, NATO invoked Article 5 – for the very first time – within 24 hours after the collapse of the towers.

Though the defense ministers confirmed that NATO would “maintain ambiguity” about responding to cyber attacks, it is very unlikely the North Atlantic Council would invoke collective defense unless cyber attacks caused significant damage and deaths, equivalent to kinetic military force. (If the cyber attack is part of a larger crisis, NATO will rely on its existing crisis management procedures.)

What Next?

From what we know, this new strategy seems to competently cover many of the basics needed in an initial strategy. However, it is difficult, given the unclassified sketches released so far, to figure out what may have been missed. 

Certainly, NATO will want an updated strategy in a few years based on the lessons learned from the evolving nature of cyber conflict and changing conditions and technology. After all, it was eight years between the first and second White House strategies for cyberspace – and while the earliest was good, the latest showed significant progress, clarity, and maturity.

Also, it seems that the new strategy focuses solely on activities that NATO must carry out in order to live up to existing missions and commitments, bringing the Allies to a common floor. Such activities include: improving security, enhancing incident response as well as political response, and building cyber capacity. It does not overreach by trying to invent new missions for NATO in the cyber domain. This is proper, for now, but in the future NATO might further wish to explore policy areas that it is not collectively obligated to pursue but may choose to undertake because the Alliance is the best platform to address them. Examples of areas where NATO could act, but does not have to, include coordination of export control policies or common defenses and lessons learned for each nation’s defense industrial base.

Hopefully more of the details of the new strategy will become public, but based on public information so far, it seems NATO has made an important step in moving beyond the basics in their collective cyber defense.

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber issues on Twitter, @Jason_Healey.

To learn more about the program, please visit the Cyber Statecraft Initiative page.
