Cyber threats and attacks are becoming more common, sophisticated and damaging. The Alliance is faced with an evolving complex threat environment. State and non-state actors can use cyber attacks in the context of military operations. In recent events, cyber attacks have been part of hybrid warfare. NATO and its Allies rely on strong and resilient cyber defences to fulfil the Alliance’s core tasks of collective defence, crisis management and cooperative security. NATO needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats and attacks it faces.
- Cyber defence is part of NATO’s core task of collective defence.
- NATO has affirmed that international law applies in cyberspace.
- NATO is responsible for the protection of its own networks.
- In July 2016, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.
- Allies are and remain responsible for the protection of their national networks, which need to be compatible with NATO’s and with each other’s.
- NATO enhances its capabilities for cyber education, training and exercises.
- Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.
- NATO signed a Technical Arrangement on cyber defence cooperation with the European Union in February 2016.
- NATO is intensifying its cooperation with industry, via the NATO Industry Cyber Partnership.
More background information
NATO Policy on Cyber Defence
To keep pace with the rapidly changing threat landscape and maintain a robust cyber defence, NATO adopted an enhanced policy and action plan, which was endorsed by Allies at the Wales Summit in September 2014. The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry. The top priority is the protection of the communications systems owned and operated by the Alliance.
The policy also reflects Allied decisions on issues such as streamlined cyber defence governance, procedures for assistance to Allied countries, and the integration of cyber defence into operational planning (including civil emergency planning). Further, the policy defines ways to take awareness, education, training and exercise activities forward, and encourages further progress in various cooperation initiatives, including those with partner countries and international organisations. It also foresees boosting NATO’s cooperation with industry, including on information-sharing and the exchange of best practices.
The Allies have also committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks. NATO’s cyber defence policy is complemented by an action plan with concrete objectives and implementation timelines on a range of topics from capability development, education, training and exercises, and partnerships.
Allies pledged at the Warsaw Summit in 2016 to strengthen and enhance the cyber defences of national networks and infrastructures, as a matter of priority. Together with the continuous adaptation of NATO’s cyber defence capabilities, as part of NATO’s long-term adaptation, this will reinforce the cyber defence and overall resilience of the Alliance.
At Warsaw, Allies also reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. This will improve NATO’s ability to protect and conduct operations across these domains and maintain Alliance freedom of action and decision, in all circumstances.
Developing the NATO cyber defence capability
The NATO Computer Incident Response Capability (NCIRC) protects NATO’s own networks by providing centralised and round-the-clock cyber defence support to the various NATO sites. This capability is expected to evolve on a continual basis, to maintain pace with the rapidly changing threat and technology environment.
To facilitate an Alliance-wide and common approach to cyber defence capability development, NATO also defines targets for Allied countries’ implementation of national cyber defence capabilities via the NATO Defence Planning Process. In 2017, further cyber defence capability targets will be agreed.
Cyber defence has also been integrated into NATO’s Smart Defence initiatives. Smart Defence enables countries to work together to develop and maintain capabilities they could not afford to develop or procure alone, and to free resources for developing other capabilities. The Smart Defence projects in cyber defence, so far, include the Malware Information Sharing Platform (MISP), the Smart Defence Multinational Cyber Defence Capability Development (MN CD2) project, and the Multinational Cyber Defence Education and Training (MN CD E&T) project.
NATO is also helping member countries by sharing information and best practices, and by conducting cyber defence exercises to help develop national expertise. Similarly, individual Allied countries may, on a voluntary basis and facilitated by NATO, assist other Allies to develop their national cyber defence capabilities.
Increasing NATO cyber defence capacity
Recognising that cyber defence is as much about people as it is about technology, NATO continues to improve the state of its cyber defence education, training, exercises and evaluation.
NATO conducts regular exercises, such as the annual Cyber Coalition Exercise, and aims to integrate cyber defence elements and considerations into the entire range of Alliance exercises, including the annual Crisis Management Exercise (CMX). NATO is also enhancing its capabilities for cyber education, training and exercises, including the NATO Cyber Range, which is based on a facility provided by Estonia.
To enhance situational awareness, a Memorandum of Understanding on Cyber Defence was developed in 2015. The MOU will be signed between NATO and the national cyber defence authorities of each of the 28 Allies. It sets out arrangements for the exchange of a variety of cyber defence-related information and assistance to improve cyber incident prevention, resilience and response capabilities.
The NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn, Estonia is the foremost NATO-accredited research and training facility dealing with cyber defence education, consultation, lessons learned, research and development. Although it is not part of the NATO Command Structure, the CCD CoE offers recognised expertise and experience.
The NATO Communications and Information Systems School (NCISS) in Latina, Italy provides training to personnel from Allied (as well as non-NATO) nations relating to the operation and maintenance of NATO communication and information systems. NCISS will soon relocate to Portugal, where it will provide greater emphasis on cyber defence training and education.
The NATO School in Oberammergau, Germany conducts cyber defence-related education and training to support Alliance operations, strategy, policy, doctrine and procedures. The NATO Defense College in Rome, Italy fosters strategic thinking on political-military matters, including on cyber defence issues.
Cooperating with partners
Because cyber threats defy state borders and organisational boundaries, NATO engages with relevant countries and organisations to enhance international security.
Engagement with partner countries is based on shared values and common approaches to cyber defence. Requests for cooperation with the Alliance are handled on a case-by-case basis founded on mutual interest.
NATO also works with, among others, the European Union (EU), the United Nations (UN) and the Organization for Security and Co-operation in Europe (OSCE). The Alliance’s cooperation with other international organisations is complementary and avoids unnecessary duplication of effort.
Cooperating with industry
The private sector is a key player in cyberspace, and technological innovations and expertise from the private sector are crucial to enable NATO and Allied countries to mount an effective cyber defence.
Through the NATO Industry Cyber Partnership (NICP), NATO and its Allies are working to reinforce their relationships with industry. This partnership relies on existing structures and includes NATO entities, national Computer Emergency Response Teams (CERTs) and NATO member countries’ industry representatives. Information-sharing activities, exercises, training and education, and multinational Smart Defence projects are just a few examples of areas in which NATO and industry have been working together.
The NATO Policy on Cyber Defence is implemented by NATO’s political, military and technical authorities, as well as by individual Allies. The North Atlantic Council (NAC) provides high-level political oversight on all aspects of implementation. The NAC is apprised of major cyber incidents and attacks, and it exercises principal authority in cyber defence-related crisis management.
The Cyber Defence Committee, subordinate to the NAC, is the lead committee for political governance and cyber defence policy in general, providing oversight and advice to Allied countries on NATO’s cyber defence efforts at the expert level. At the working level, the NATO Cyber Defence Management Board (CDMB) is responsible for coordinating cyber defence throughout NATO civilian and military bodies. The CDMB comprises the leaders of the policy, military, operational and technical bodies in NATO with responsibilities for cyber defence.
The NATO Consultation, Control and Command (NC3) Board constitutes the main committee for consultation on technical and implementation aspects of cyber defence.
The NATO Military Authorities (NMA) and NCIA bear the specific responsibilities for identifying the statement of operational requirements, acquisition, implementation and operating of NATO’s cyber defence capabilities. Allied Command Transformation (ACT) is responsible for the planning and conduct of the annual Cyber Coalition Exercise.
Lastly, NCIA, through its NCIRC Technical Centre in Mons, Belgium, is responsible for the provision of technical cyber security services throughout NATO. The NCIRC Technical Centre has a key role in responding to any cyber aggression against the Alliance. It handles and reports incidents, and disseminates important incident-related information to system/security management and users.
The NCIRC Coordination Centre is a staff element responsible for the coordination of cyber defence activities within NATO and with member countries, and for staff support to the CDMB.
Although NATO has always protected its communication and information systems, the 2002 Prague Summit first placed cyber defence on the Alliance’s political agenda. Allied leaders reiterated the need to provide additional protection to these information systems at the Riga Summit in 2006.
Following the cyber attacks against Estonia’s public and private institutions in April and May of 2007, Allied defence ministers agreed in June 2007 that urgent work was needed in this area. As a result, NATO approved its first Policy on Cyber Defence in January 2008.
In the summer of 2008, the conflict between Russia and Georgia demonstrated that cyber attacks have the potential to become a major component of conventional warfare.
NATO adopted a new Strategic Concept at the Lisbon Summit in 2010, during which the NAC was tasked to develop an in-depth NATO cyber defence policy and to prepare an action plan for its implementation.
In June 2011, NATO defence ministers approved the second NATO Policy on Cyber Defence, which set out a vision for coordinated efforts in cyber defence throughout the Alliance within the context of the rapidly evolving threat and technology environment, and an associated action plan for its implementation.
In April 2012, the integration of cyber defence into the NATO Defence Planning Process began. Relevant cyber defence requirements are identified and prioritised through the defence planning process.
At the Chicago Summit in May 2012, Allied leaders reaffirmed their commitment to improve the Alliance’s cyber defences by bringing all of NATO’s networks under centralised protection and implementing a series of upgrades to the NCIRC.
In July 2012, as part of the reform of NATO’s agencies, NCIA was established.
In February 2014, Allied defence ministers tasked NATO to develop a new, enhanced cyber defence policy regarding collective defence, assistance to Allies, streamlined governance, legal considerations and relations with industry.
In April 2014, the NAC agreed to rename the Defence Policy and Planning Committee/ Cyber Defence as the Cyber Defence Committee.
In May 2014, the full operational capability of the NCIRC (NCIRC FOC) was achieved, providing enhanced protection to NATO networks and users.
At the Wales Summit in September 2014, Allies endorsed the new cyber defence policy and approved a new action plan which, along with the policy, contributes to the fulfilment of the Alliance’s core tasks. The policy and its implementation is under close review at both the political and technical levels within the Alliance and will be refined and updated in line with the evolving cyber threat.
On 17 September 2014, NATO launched an initiative to boost cooperation with the private sector on cyber threats and challenges. Endorsed by Allied leaders at the Wales Summit, the NATO Industry Cyber Partnership (NICP) was presented at a two-day cyber conference held in Mons, Belgium, where 1,500 industry leaders and policy makers gathered to discuss cyber collaboration. The NICP recognises the importance of working with industry partners to enable the Alliance to achieve its cyber defence policy’s objectives.
On 10 February 2016, NATO and the EU concluded a Technical Arrangement on Cyber Defence to help both organisations better prevent and respond to cyber attacks. This Technical Arrangement between NCIRC and the Computer Emergency Response Team of the EU (CERT-EU) provides a framework for exchanging information and sharing best practices between emergency response teams.
On 14 June 2016, defence ministers agreed to recognise cyberspace as a domain at the Warsaw Summit. This is an addition to the existing operational domains of air, sea and land. This recognition does not change NATO’s mission or mandate, which is defensive. As in all areas of action, NATO will exercise restraint and act in accordance with international law. The Alliance also welcomed efforts undertaken in other international fora to develop norms of responsible state behaviour and confidence-building measures to foster a more transparent and stable cyberspace for the international community. As most crises and conflicts today have a cyber dimension, treating cyberspace as a domain will enable NATO to better protect its missions and operations.
At the Warsaw Summit, in July 2016, Allied Heads of State and Government reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. This will improve NATO’s ability to protect and conduct operations across these domains and maintain Alliance freedom of action and decision, in all circumstances.
Allies also pledged to enhance the cyber defences of their national networks and infrastructures, as a matter of priority. Each Ally will honour its responsibility to improve its resilience and ability to respond quickly and effectively to cyber attacks, including in hybrid contexts.