Cyber threats to the security of the Alliance are complex, destructive and coercive, and are becoming ever more frequent. NATO will continue to adapt to the evolving cyber threat landscape. NATO and its Allies rely on strong and resilient cyber defences to fulfil the Alliance’s core tasks of collective defence, crisis management and cooperative security. The Alliance needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats it faces.
- Cyber defence is part of NATO’s core task of collective defence.
- NATO Allies have affirmed that international law applies in cyberspace.
- NATO's main focus in cyber defence is to protect its own networks, operate in cyberspace (including through the Alliance’s operations and missions), help Allies to enhance their national resilience and provide a platform for political consultation and collective action.
- In July 2016, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.
- Allies also made a Cyber Defence Pledge in July 2016 to enhance their cyber defences, and have continued to bolster their national resilience as a matter of priority.
- NATO reinforces its cyber capabilities, including through education, training and exercises.
- Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.
- NATO Cyber Rapid Reaction teams are on standby 24 hours a day to assist Allies, if requested and approved.
- At the 2018 NATO Summit in Brussels, Allies agreed to set up a Cyberspace Operations Centre as part of NATO’s strengthened Command Structure. They also agreed that NATO can draw on national cyber capabilities for operations and missions.
- In February 2019, Allies endorsed a NATO guide that sets out a number of tools to further strengthen NATO’s ability to respond to significant malicious cumulative cyber activities.
- NATO and the European Union (EU) are cooperating through a Technical Arrangement on Cyber Defence, which was signed in February 2016. In light of common challenges, NATO and the EU are strengthening their cooperation on cyber defence, notably in the areas of information exchange, training, research and exercises.
- NATO is intensifying its cooperation with industry through the NATO Industry Cyber Partnership.
- At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy, which supports NATO’s core tasks and overall deterrence and defence posture to enhance further the Alliance’s resilience.
- Allies are using NATO as a platform for political consultation, sharing concerns about malicious cyber activities and exchanging national approaches and responses, as well as considering possible collective responses.
- Allies are promoting a free, open, peaceful and secure cyberspace, and pursuing efforts to enhance stability and reduce the risk of conflict by supporting international law and voluntary norms of responsible state behaviour in cyberspace.
NATO’s approach to cyber defence
NATO policy on cyber defence
To keep pace with the rapidly changing threat landscape and maintain robust cyber defences, NATO adopted an enhanced policy and action plan, which were endorsed by Allies at the 2014 NATO Summit in Wales. The 2014 policy established that cyber defence is part of the Alliance’s core task of collective defence, confirmed that international law applies in cyberspace, set out the further development of NATO’s and Allies’ capabilities, and intensified NATO’s cooperation with industry.
At the 2016 NATO Summit in Warsaw, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. As most crises and conflicts today have a cyber dimension, treating cyberspace as a domain enables NATO to better protect and conduct its operations and missions.
At the Warsaw Summit, Allies also pledged to strengthen and enhance the cyber defences of national networks and infrastructures, as a matter of priority. Together with the continuous adaptation of NATO’s cyber defence capabilities, this will reinforce the cyber defence and overall resilience of the Alliance.
At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy, which supports NATO’s three core tasks of collective defence, crisis management and cooperative security, as well as its overall deterrence and defence posture. NATO’s defensive mandate was reaffirmed, and Allies committed to employing the full range of capabilities to actively deter, defend against and counter the full spectrum of cyber threats at all times. Responses need to be continuous and draw on elements of the entire NATO toolbox that include political, diplomatic and military tools. Allies also recognised that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack. The nature of cyberspace requires a comprehensive approach through unity of effort at the political, military and technical levels. The 2021 policy and its corresponding action plan will drive forward activities across these three levels.
Developing the NATO cyber defence capability
The NATO Computer Incident Response Capability (NCIRC), based at SHAPE in Mons, Belgium, protects NATO’s own networks by providing centralised and round-the-clock cyber defence support. This capability evolves on a continual basis and maintains pace with the rapidly changing threat and technology environment.
NATO has also established a Cyberspace Operations Centre in Mons, Belgium. The Centre supports military commanders with situational awareness to inform the Alliance’s operations and missions. It also coordinates NATO’s operational activity in cyberspace, ensuring freedom to act in this domain and making operations more resilient to cyber threats.
To facilitate an Alliance-wide common approach to cyber defence capability development, NATO also defines targets for Allied countries’ implementation of national cyber defence capabilities via the NATO Defence Planning Process.
NATO helps Allies to enhance their national cyber defences by facilitating information-sharing, exchange of best practices and by conducting cyber defence exercises to develop national expertise. Similarly, individual Allied countries may, on a voluntary basis and facilitated by NATO, assist other Allies to develop their national cyber defence capabilities.
Increasing NATO cyber defence capacity
Cyber defence is as much about people as it is about technology. NATO continues to improve the state of its cyber defence through education, training and exercises.
NATO conducts regular exercises, such as the annual Cyber Coalition Exercise, and aims to integrate cyber defence elements and considerations into the entire range of Alliance exercises, including the Crisis Management Exercise (CMX). NATO is also enhancing its capabilities for education and training, including the NATO Cyber Range, which is based at a facility provided by Estonia.
NATO has a number of practical tools to enhance situational awareness and facilitate information exchange, including points of contact with the national cyber defence authorities in each of the 30 Allied capitals. A dedicated Memorandum of Understanding (MOU) sets out arrangements for the exchange of a variety of cyber defence-related information and assistance to improve cyber incident prevention, resilience and response capabilities.
Technical information is also exchanged through NATO’s Malware Information Sharing Platform, which allows indicators of compromise to be shared among Allied cyber defenders.
The NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn, Estonia is a NATO-accredited research and training facility focused on cyber defence education, consultation, lessons learned, research and development. Although it is not part of the NATO Command Structure, the CCD CoE offers recognised expertise and experience.
The NATO Communications and Information (NCI) Academy in Oeiras, Portugal provides training to personnel from Allied (as well as non-NATO) countries relating to the operation and maintenance of NATO communications and information systems. The NCI Academy also offers cyber defence training and education.
The NATO School in Oberammergau, Germany conducts cyber defence-related education and training to support Alliance operations, strategy, policy, doctrine and procedures.
The NATO Defense College in Rome, Italy fosters strategic thinking on political-military matters, including on cyber defence issues.
Cooperating with partners
Cyber threats defy state borders and organisational boundaries, and so NATO engages with a number of partner countries and other international organisations to enhance shared security.
Engagement with partner countries is based on shared values and common approaches to cyber defence. Requests for cooperation with the Alliance are handled on a case-by-case basis.
NATO also works with, among others, the European Union (EU), the United Nations (UN) and the Organization for Security and Co-operation in Europe (OSCE).
Cyber defence is one of the areas of strengthened cooperation between NATO and the EU, as part of the two organisations’ increasingly coordinated efforts to counter hybrid threats. NATO and the EU share information between cyber response teams and exchange best practices. Cooperation is also being enhanced on training, research and exercises with tangible results in countering cyber threats.
At the 2021 NATO Summit in Brussels, Allies reaffirmed their commitment to acting in accordance with international law, including the UN Charter, international humanitarian law and international human rights law in order to promote a free, open, peaceful and secure cyberspace. They also committed to further pursuing efforts to enhance stability and reduce the risk of conflict.
Cooperating with industry
The private sector is a key player in cyberspace, and technological innovations and expertise from the private sector are crucial to enable NATO and Allied countries to respond effectively to cyber threats.
Through the NATO Industry Cyber Partnership (NICP), NATO and its Allies are working to reinforce their relationships with industry and academia. This partnership includes NATO entities, national Computer Emergency Response Teams (CERTs) and Allies’ industry representatives. Information-sharing, exercises, and training and education are just a few examples of areas in which NATO and industry are working together.
NATO’s Comprehensive Cyber Defence Policy is implemented by NATO’s political, military and technical authorities, as well as by individual Allies. The North Atlantic Council, NATO’s principal political decision-making body, provides high-level political oversight on all aspects of implementation.
The Cyber Defence Committee, subordinate to the North Atlantic Council, is the lead committee for political governance and cyber defence policy. The NATO Consultation, Command and Control Board constitutes the main committee for consultation on technical and implementation aspects of cyber defence. The NATO Military Authorities and the NATO Communications and Information Agency bear specific responsibilities for identifying the statement of operational requirements, acquisition, implementation and operating of NATO’s cyber defence capabilities. Allied Command Transformation is responsible for the planning and conduct of the annual Cyber Coalition Exercise.
The NATO Chief Information Officer (CIO) facilitates the integration, alignment and cohesion of Information and Communications Technology (ICT) systems NATO-wide, and oversees the development and operation of ICT capabilities. The CIO is also the single point of authority for all cyber security issues throughout NATO. This includes leading incident management, orienting specific investments, improving NATO’s cyber security posture, as well as increasing cyber security awareness NATO-wide.
The NATO Communications and Information Agency, through its NCIRC Technical Centre in Mons, Belgium, is responsible for the provision of technical cyber security services throughout NATO. The NCIRC Technical Centre has a key role in responding to any cyber incidents affecting NATO. It handles and reports incidents, and disseminates important incident-related information to system/security management and users.
Although NATO has always protected its communications and information systems, the 2002 NATO Summit in Prague first placed cyber defence on the Alliance’s political agenda. Allied leaders reiterated the need to provide additional protection to these information systems at the 2006 NATO Summit in Riga.
Following the cyber attacks against Estonia’s public and private institutions in 2007, Allied defence ministers agreed that urgent work was needed in this area. As a result, NATO approved its first Policy on Cyber Defence in January 2008.
In the summer of 2008, the conflict between Russia and Georgia demonstrated that cyber attacks have the potential to become a major component of conventional warfare.
NATO adopted a new Strategic Concept at the 2010 NATO Summit in Lisbon, which recognised for the first time that cyber attacks could reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability.
In June 2011, NATO defence ministers approved the second NATO Policy on Cyber Defence, which set out a vision for coordinated efforts in cyber defence throughout the Alliance within the context of the rapidly evolving threat and technology environment.
In April 2012, cyber defence was introduced into the NATO Defence Planning Process. Relevant cyber defence requirements are identified and prioritised through the defence planning process.
At the 2012 NATO Summit in Chicago, Allied leaders reaffirmed their commitment to improving the Alliance’s cyber defences by bringing all of NATO’s networks under centralised protection and implementing a series of upgrades to NATO’s cyber defence capability.
In July 2012, as part of the reform of NATO’s agencies, the NATO Communications and Information Agency was established.
In February 2014, Allied defence ministers tasked NATO to develop a new, enhanced cyber defence policy that addressed collective defence, assistance to Allies, streamlined governance, legal considerations and relations with industry.
In April 2014, the NAC agreed to rename the Defence Policy and Planning Committee/Cyber Defence as the Cyber Defence Committee.
At the 2014 NATO Summit in Wales, Allies endorsed a new cyber defence policy. In this policy, cyber defence was recognised as part of NATO’s core task of collective defence, which means that a cyber attack could be grounds to invoke Article 5 of NATO’s founding treaty. Allies also recognised that international law applies in cyberspace.
In September 2014, NATO launched an initiative to boost cooperation with the private sector on cyber threats and challenges. Endorsed by Allied leaders at the Wales Summit, the NATO Industry Cyber Partnership (NICP) was presented at a two-day cyber conference held in Mons, Belgium, where 1,500 industry leaders and policy makers gathered to discuss cyber collaboration. The NICP recognises the importance of working with industry partners to enable the Alliance to achieve its cyber defence objectives.
In February 2016, NATO and the EU concluded a Technical Arrangement on Cyber Defence to help both organisations better prevent and respond to cyber attacks. This Technical Arrangement between NCIRC and the Computer Emergency Response Team of the EU (CERT-EU) provides a framework for exchanging information and sharing best practices between emergency response teams.
At the 2016 NATO Summit in Warsaw, Allied Heads of State and Government reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. This improved NATO’s ability to protect and conduct its missions and operations. The Alliance also welcomed efforts undertaken in other international fora to develop norms of responsible state behaviour and confidence-building measures to foster a more transparent and stable cyberspace.
Also at the Warsaw Summit, Allies committed through a Cyber Defence Pledge to enhancing the cyber defences of their national networks and infrastructures, as a matter of priority. Each Ally pledged to improve its resilience and ability to respond quickly and effectively to cyber threats, including as part of hybrid campaigns.
In December 2016, NATO and the EU agreed on a series of more than 40 measures to advance how the two organisations work together – including on countering hybrid threats, cyber defence, and making their common neighbourhood more stable and secure. On cyber defence, NATO and the EU agreed to strengthen their mutual participation in exercises, and foster research, training and information-sharing.
In February 2017, Allied defence ministers approved an updated Cyber Defence Action Plan, as well as a roadmap to implement cyberspace as a domain of operations. This increased Allies’ ability to work together, develop capabilities and share information.
Also in February 2017, NATO and Finland stepped up their engagement with the signing of a Political Framework Arrangement on cyber defence cooperation. The arrangement allows NATO and Finland to better protect and improve the resilience of their networks.
In December 2017, NATO and EU ministers agreed to step up cooperation between the two organisations in a number of areas, including cyber security and defence. Areas of cooperation include the analysis of cyber threats and collaboration between incident response teams, as well as the exchange of good practices concerning the cyber aspects and implications of crisis management.
At the 2018 NATO Summit in Brussels, Allied leaders agreed to set up a new Cyberspace Operations Centre as part of NATO’s strengthened Command Structure. The Centre provides situational awareness and coordinates NATO’s operational activity in and through cyberspace. Allies also agreed that NATO can draw on national cyber capabilities for its operations and missions. Allies maintain full ownership of those contributions, just as Allies own the tanks, ships and aircraft in NATO operations and missions.
In February 2019, NATO defence ministers endorsed a NATO guide that sets out a number of tools to further strengthen NATO’s ability to respond to significant malicious cyber activities. NATO needs to use all the tools at its disposal, including political, diplomatic and military, to tackle the cyber threats that it faces. The response options outlined in the NATO guide help NATO and its Allies to enhance their situational awareness about what is happening in cyberspace, boost their resilience, and work together with partners to deter, defend against and counter the full spectrum of cyber threats.
On 3 June 2020, the North Atlantic Council issued a statement condemning the destabilising and malicious cyber activities taking place in the context of the coronavirus pandemic. The statement expressed Allied solidarity and mutual support for those dealing with the consequences of these malicious cyber activities, including healthcare services, hospitals and research institutes. The statement also called for respect for international law and norms of responsible state behaviour in cyberspace.
At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy to support NATO’s three core tasks of collective defence, crisis management and cooperative security, as well as its overall deterrence and defence posture. NATO must actively deter, defend against and counter the full spectrum of cyber threats at all times – during peacetime, crisis and conflict – and at the political, military and technical level. Allies recognised that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack. Allies also agreed to make greater use of NATO as a platform for political consultation among Allies, sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses.
On 19 July 2021, the North Atlantic Council issued a statement of solidarity with those affected by malicious cyber activities including the Microsoft Exchange Server compromise. The statement highlighted recent ransomware incidents and other malicious cyber activity, targeting critical infrastructure and democratic institutions, as well as exploiting weaknesses in supply chains. The statement condemned such malicious cyber activities and underlined the important role all States have to play in promoting and upholding voluntary norms of responsible state behaviour.
In September 2021, the North Atlantic Council appointed NATO’s first Chief Information Officer (CIO) to facilitate the integration, alignment and cohesion of ICT systems NATO-wide.