NATO Policy on Cyber Defence
In order to keep abreast with the rapidly changing threat landscape and maintain a robust cyber defence, NATO has adopted a new enhanced policy, which was endorsed by Allied Defence Ministers in June 2014. The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry. The top priority is the protection of the communications systems owned and operated by the Alliance.
The new policy also reflects Allied decisions on issues such as streamlined cyber defence governance, procedures for assistance to Allied countries, and the integration of cyber defence into operational planning (including civil emergency planning). Further, the policy defines ways to take awareness, education, training and exercise activities forward, and encourages further progress in various cooperation initiatives, including those with partner countries and international organisations. It also foresees boosting NATO’s cooperation with industry based on information sharing and cooperative supply chain management.
The Allies have also committed to enhancing information sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks. The new policy is complemented by an action plan with concrete objectives and implementation timelines.
Assisting individual Allies
While NATO’s top priority for cyber defence is the protection of communications and information systems (CIS) which are owned and operated by NATO, the Alliance requires a reliable and secure supporting national infrastructure, in particular those national networks which may be considered critical for NATO missions. To this end, NATO works with national authorities to develop principles, criteria and mechanisms to ensure an appropriate level of cyber defence for national CIS. The Alliance will continue to identify NATO dependencies on the Allies’ national CIS for critical Alliance tasks and will work with NATO countries to develop common standards.
NATO is also helping member countries in their efforts to protect their own critical infrastructures by sharing information and best practices, and by conducting cyber defence exercises to help develop national expertise. Similarly, individual Allied countries may, on a voluntary basis and facilitated by NATO, assist other Allies to develop their national cyber defence capabilities.
Developing the NATO cyber defence capability
The NATO Computer Incident Response Capability (NCIRC) protects NATO’s own networks by providing centralised and round-the-clock cyber defence support to the various NATO sites. This capability is expected to evolve on a continual basis, to maintain pace with the rapidly changing threat and technology environment.
To facilitate an Alliance-wide and common approach to cyber defence capability development, NATO also defines targets for Allied countries’ implementation of national cyber defence capabilities via the NATO Defence Planning Process (NDPP).
Cyber defence has also been integrated into NATO’s Smart Defence initiative. Smart Defence enables countries to work together to develop and maintain capabilities they could not afford to develop or procure alone, and to free resources for developing other capabilities. The Smart Defence projects in cyber defence, so far, include the Malware Information Sharing Platform (MISP), the Smart Defence Multinational Cyber Defence Capability Development (MN CD2) project, and the Multinational Cyber Defence Education and Training (MN CD E&T) project.
Increasing NATO cyber defence capacity
Recognising that cyber defence is as much about people as it is about technology, NATO continues to improve the state of its cyber defence education, training, exercises and evaluation.
NATO conducts regular exercises, such as the annual Cyber Coalition Exercise, and aims to integrate cyber defence elements and considerations into the entire range of Alliance exercises. NATO is also enhancing its capabilities for cyber education, training and exercises, including the NATO Cyber Range, which is based on a facility provided by Estonia.
The NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn, Estonia is the foremost NATO-accredited research and training facility dealing with cyber defence education, consultation, lessons learned, research and development. Although it is not part of the NATO command structure, the CCD CoE offers recognised expertise and experience.
The NATO Communications and Information Systems School (NCISS) in Latina, Italy provides training to personnel from Allied (as well as non-NATO) nations relating to the operation and maintenance of some NATO communication and information systems. NCISS will soon relocate to Portugal, where it will provide greater emphasis on cyber defence training and education.
The NATO School in Oberammergau, Germany conducts cyber defence-related education and training to support Alliance operations, strategy, policy, doctrine and procedures. The NATO Defense College in Rome fosters strategic thinking on political-military matters, including on cyber defence issues.
Cooperating with partners
Because cyber threats defy state borders and organisational boundaries, NATO engages with relevant countries and organisations to enhance international security.
Engagement with partner countries is based on shared values and common approaches to cyber defence. Requests for cooperation with the Alliance are handled on a case-by-case basis.
NATO also works with, among others, the European Union (EU), the United Nations (UN), the Council of Europe and the Organization for Security and Cooperation in Europe (OSCE). The Alliance’s cooperation with other international organisations is intended to ensure that actions are complementary and avoid unnecessary duplication of work.
Cooperating with industry
The private sector is a key player in cyberspace, and technological innovations and expertise from the private sector are crucial to enable NATO and Allied countries to mount an effective cyber defence.
Via the NATO Industry Cyber Partnership (NICP), NATO and Allies will work to reinforce their relationships with industry. The principal aim of the NICP will be to facilitate voluntary engagement between NATO and industry. This partnership will rely on existing structures and will include NATO entities, national Computer Emergency Response Teams (CERTs) and NATO member countries’ industry representatives.