Speech by NATO Secretary General Jens Stoltenberg at the Cyber Defence Pledge Conference (Ecole militaire, Paris)
Ladies and gentlemen.
May I start by thanking France for hosting us today.
France is a strong NATO Ally, contributing to our shared security and our collective defence in many different ways.
You have high end capabilities.
You have professional, dedicated forces.
You have the resolve and the will to deploy them when needed.
And also in cyber space we see France leading the way.
And just the fact that France is organising this conference.
The first annual conference on the Cyber Defence Pledge.
Shows France’s strong commitment to our collective defence and also to the efforts to strengthening our cyber defences.
And to implement the Cyber Defence Pledge.
So therefore it is really a great honour and pleasure to be part of the opening of this conference.
Moving NATO forward when it comes to adapting to the many threats and challenges we see in cyberspace.
From the moment a rock was first used as a hammer, society has been driven by technology.
Today’s great leap forward is not physical, but it is digital.
In just a few decades, the digital revolution has given more people access to communication, education and news than ever before.
But there is a dark side to this technology.
In recent years, we have seen many large scale cyber-attacks.
Here in France, TV-Cinq Monde was taken off air by hackers.
‘Fancy Bear’, a group associated with the Kremlin, hacked the main political parties in the United States.
In a brazen attempt to influence the 2016 election.
Last years’ WannaCry attack forced Renault to halt production at several of its factories.
And brought hospitals in the United Kingdom to a standstill.
The very nature of these attacks is a challenge.
It is often difficult to know who has attacked you.
Or even if you have been attacked at all.
There are many different actors.
Governments, but also criminal gangs, terrorist groups and lone individuals.
Nowhere is the ‘Fog of War’ thicker than it is in cyberspace.
Low cost and high impact, cyber-attacks are now a part of our lives.
Some seek to damage or destroy.
If these were hard attacks, using bombs or missiles instead of computer code, they could be considered an act of war.
But instead, some are using software to wage a soft-war.
A soft-war with very real, and potentially deadly consequences.
For almost 70 years, NATO has been the bedrock of transatlantic security.
Whether on land, at sea, or in the air.
The same is now true in cyberspace.
Today, NATO has three key roles to play in cyberspace.
To drive progress across the Alliance.
To act as a hub for information sharing, training and expertise.
And to protect our networks.
First, driving progress across the Alliance.
In 2014, NATO leaders agreed that a cyber-attack could trigger Article 5 of our founding treaty.
Where an attack on one Ally is treated as an attack on all Allies.
Traditionally, an Article 5 attack would be with tanks, aircraft and soldiers.
Now it can come in the form of a cyber-attack.
Placing cyber at the very heart of what we do.
In 2016, NATO leaders designated cyberspace as a ‘domain’, alongside land, sea and air.
This meant re-examining everything we do, from top to bottom.
Whether we are in Afghanistan or the Baltic countries, cyber is now a core part of our operations.
Also in 2016, leaders agreed to the Cyber Defence Pledge.
The focus of this conference.
As a result, in less than two years, almost every Ally has upgraded their cyber defences.
France is leading the way, investing 1.6 billion euros and employing thousands more cyber experts.
But Allies are not working alone.
Throughout NATO, they are working together, pooling their knowledge and experience, and helping each other.
The Cyber Pledge has a multiplier effect across the Alliance.
With the results being far greater than the sum of their parts.
The Pledge is also helping nations to look at their cyber-defences in a far broader, more holistic way.
Involving government departments, public sector organisations, private companies and individual citizens.
Each of them has an important role to play.
NATO’s second role is as a hub of operational information and expertise.
We share information about cyber threats in real-time.
As we did with the European Union, nations and private companies during last year’s WannaCry and NotPetya attacks.
As part of our new Command Structure, we are setting up a Cyber Operations Centre.
To integrate cyber into our planning and operations.
And I welcome the contribution by some Allies of their national cyber capabilities to NATO, as Minister Parly just mentioned.
I hope that more Allies will make similar offers at our next Summit in July.
NATO Cyber Rapid Reaction teams are on standby to assist Allies, 24 hours a day.
And the NATO Centre of Excellence for Cyber Defence in Estonia leads on research, education and training.
The Centre of Excellence also organises large-scale cyber exercises, such as last month’s Locked Shields, the world’s largest, live-fire cyber exercise.
It gave participants the chance to test their systems and critical infrastructure against world-class opponents.
The exercise consisted of 30 teams and more than a thousand cyber-experts.
And I am delighted – and a little relieved! – to say that the NATO team won!
And since I’m in Paris, I’m also glad to say the French team came a very close second!
Finally, NATO’s final role is to defend its own networks.
NATO has hundreds of experts protecting our networks and systems around the clock.
And we need them.
NATO is attacked every single day.
And the threat is evolving all the time.
Being strong in cyberspace is as important for our deterrence as our conventional forces have always been.
The idea of deterrence is simple.
To make the potential costs of an attack too high.
And make the potential gains of an attack too low.
By making cyber a domain…
By encouraging Allies to develop their own cyber capabilities…
And by agreeing that a cyber-attack can trigger an Article 5 response…
We can make the potential cost of action by an aggressor high.
And, in that way, strengthen our deterrence, defence and resilience in cyberspace.
I am often asked, ‘under what circumstances would NATO trigger Article 5 in the case of a cyber-attack?’
My answer is: we will see.
The level of cyber-attack that would provoke a response must remain purposefully vague.
As will the nature of our response.
But it could include diplomatic and economic sanctions, cyber-responses, or even conventional forces, depending on the nature and consequences of the attack.
We need a full spectrum response.
So we can respond to serious cyber-attacks even if they don’t cross the Article 5 threshold.
But whatever the response, NATO will continue to follow the principle of restraint.
And act in accordance with international law.
Knowing who has carried out an attack can often be difficult – initially at least.
But attribution can also play an important role in helping to deter future attacks.
We must also lower the potential gains of any attack.
The Cyber Pledge increases investment in new, secure systems.
But even the best system is only as secure as its users.
Some of the biggest cyber-attacks have only been possible because of human error.
Such as picking up an infected USB Drive placed in a car park, and plugging it into a computer.
Or clicking on a bad link in a ‘phishing’ email.
It is time we all woke up to the potential dangers of cyber threats.
In the Second World War there was a popular saying.
“Loose lips sink ships.”
Today it is weak passwords, failing to add software updates, or opening unfamiliar emails.
But if we get them right, we go a long way to protecting ourselves.
So, ladies and gentlemen, the digital revolution has improved our lives in many ways.
But like the physical world, there are dangers that we must guard against.
We are making real progress.
Nations are investing resources where it counts.
And people the world over are increasingly aware of the importance of being secure online.
Today’s conference focusses on NATO’s Cyber Pledge.
A pledge that is driving progress across the Alliance.
And making us all safer as a result.
I hope you have a productive conference and help drive that progress even further.
Thank you so much and all the best with the conference.