Cyber defence

  • Last updated: 16 Jul. 2024 13:37

Cyber threats to the security of the Alliance are complex, destructive and coercive, and are becoming ever more frequent. Cyberspace is contested at all times and malicious cyber events occur every day, from low-level to technologically sophisticated attacks. NATO and Allies are responding by strengthening the Alliance’s ability to detect, prevent and respond to malicious cyber activities. NATO and its Allies rely on strong and resilient cyber defences to fulfil the Alliance’s three core tasks of deterrence and defence, crisis prevention and management, and cooperative security. The Alliance needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats it faces.


  • Cyber defence is part of NATO's core task of deterrence and defence.
  • NATO's focus in cyber defence is to protect its own networks, operate in cyberspace (including through the Alliance's operations and missions), help Allies to enhance their national resilience and provide a platform for political consultation and collective action.
  • In July 2016, Allies reaffirmed NATO's defensive mandate and recognised cyberspace as a domain of operations.
  • NATO serves as a platform for Allies to consult politically, share concerns about malicious cyber activities, exchange national approaches and responses, and consider possible collective responses. Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating, recovering from and responding to cyber attacks.
  • Allies are promoting a free, open, peaceful and secure cyberspace, and pursuing efforts to enhance stability and reduce the risk of conflict by supporting international law and voluntary norms of responsible state behaviour in cyberspace. In 2016, Allies agreed to implement a Cyber Defence Pledge. In 2023, Allies enhanced this Pledge and committed to ambitious new goals to strengthen national cyber defences as a matter of priority, including critical infrastructures.
  • NATO reinforces its cyber capabilities, including through education, training and exercises.
  • The 2021 Comprehensive Cyber Defence Policy supports NATO's core tasks and overall deterrence and defence posture to enhance further the Alliance's resilience.
  • At the 2023 NATO Summit in Vilnius, Allies endorsed a new concept to enhance the contribution of cyber defence to NATO's overall deterrence and defence posture, and launched NATO's Virtual Cyber Incident Support Capability (VCISC) to support national mitigation efforts in response to significant malicious cyber activities.
  • At the 2024 NATO Summit in Washington, D.C., Allies agreed to establish the NATO Integrated Cyber Defence Centre to enhance network protection, situational awareness and the implementation of cyberspace as an operational domain. 
  • NATO works with, among others, the European Union (EU), the United Nations (UN) and the Organization for Security and Co-operation in Europe (OSCE) on cyber defence.


NATO's approach to cyber defence

Cyberspace is contested at all times as malign actors increasingly seek to destabilise the Alliance by employing malicious cyber activities and campaigns. Potential adversaries seek to degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities. Russia's war of aggression against Ukraine has highlighted the extent to which cyber activities are a feature of modern conflict. Russia has also intensified its hybrid actions against NATO Allies and partners, including through malicious cyber activities. China's stated ambitions and coercive policies challenge NATO's interests, security and values. China's malign hybrid and cyber operations, and confrontational rhetoric and disinformation, target Allies and harm NATO's security. Allies are actively countering the growing number of substantial and persistent cyber threats, including threats to their democratic systems and critical infrastructures, and including where this activity forms part of hybrid campaigns.

NATO's policy on cyber defence

At the 2021 NATO Summit in Brussels, Allies endorsed a Comprehensive Cyber Defence Policy, which supports NATO's three core tasks, as well as its overall deterrence and defence posture. Allies reaffirmed NATO's defensive mandate and committed to employing the full range of capabilities to actively deter, defend against and counter the full spectrum of cyber threats at all times, including by considering collective responses. Responses need to be continuous and draw on elements of the entire NATO toolbox that includes political, diplomatic and military tools. Allies also recognised that the impact of significant malicious cumulative cyber activities might in certain circumstances be considered an armed attack that could lead the North Atlantic Council to invoke Article 5 of the North Atlantic Treaty, on a case-by-case basis. The nature of cyberspace requires a comprehensive approach through unity of effort at the political, military and technical levels. The 2021 policy and its corresponding action plan drive activities across these three levels.

NATO remains committed to acting in accordance with international law, including the UN Charter, international humanitarian law and international human rights law as applicable. NATO continues to promote a free, open, peaceful and secure cyberspace, and further pursue efforts to enhance stability and reduce the risk of conflict, by ensuring that international law is respected and by supporting voluntary norms of responsible state behaviour in cyberspace.

At the 2023 NATO Summit in Vilnius, Allies endorsed a new concept to enhance the contribution of cyber defence to NATO's overall deterrence and defence posture. The concept will further integrate NATO's three cyber defence levels – political, military and technical – ensuring civil-military cooperation at all times through peacetime, crisis and conflict, as well as engagement with the private sector, as appropriate. Doing so enhances the Alliance's shared situational awareness. Strengthening cyber resilience is key to making the Alliance more secure and better able to mitigate the potential for significant harm from cyber threats. 

Additionally, at the Vilnius Summit, Allies restated and enhanced NATO's Cyber Defence Pledge, and committed to ambitious new national goals to further strengthen national cyber defences as a matter of priority, including critical infrastructures. Allies also launched NATO's Virtual Cyber Incident Support Capability (VCISC) to support national mitigation efforts in response to significant malicious cyber activities. Allies further agreed to seek to develop mutually beneficial and effective partnerships as appropriate, including with partner countries, international organisations, industry and academia, furthering NATO's efforts to enhance international stability in cyberspace. 

Developing the NATO cyber defence capability

The NATO Cyber Security Centre (NCSC), based at Supreme Headquarters Allied Powers Europe (SHAPE) in Mons, Belgium, protects NATO's own networks by providing centralised and round-the-clock cyber defence support. This capability evolves on a continual basis and maintains pace with the rapidly changing threat and technology environment.

NATO has also established a Cyberspace Operations Centre in Mons, Belgium. The Centre supports military commanders with situational awareness to inform the Alliance's operations and missions. It also coordinates NATO's operational activity in cyberspace, ensuring freedom to act in this domain and making operations more resilient to cyber threats.

At the 2024 NATO Summit in Washington, D.C., Heads of State and Government agreed to establish the new NATO Integrated Cyber Defence Centre – located at SHAPE – to enhance network protection, situational awareness and the implementation of cyberspace as an operational domain throughout peacetime, crisis and conflict. They also pledged to develop a policy to augment the security of NATO’s networks. 

To facilitate an Alliance-wide common approach to cyber defence capability development, NATO also defines targets for Allied countries' implementation of national cyber defence capabilities via the NATO Defence Planning Process.

NATO helps Allies to enhance their national cyber defences by facilitating information-sharing and the exchange of best practices, and by conducting cyber defence exercises to develop national expertise. Similarly, individual Allies may, on a voluntary basis and facilitated by NATO, assist other Allies to develop their national cyber defence capabilities.

NATO Cyber Rapid Reaction Teams are on standby 24 hours a day to assist Allies, if and when requested and approved by the North Atlantic Council.

Increasing NATO's cyber defence capacity

Cyber defence is as much about people as it is about technology. NATO continues to improve the state of its cyber defence through education, training and exercises.

NATO conducts regular exercises, such as the annual Cyber Coalition Exercise, and aims to integrate cyber defence elements and considerations into the entire range of Alliance exercises, including the Crisis Management Exercise (CMX). NATO is also enhancing its capabilities for education and training, including the NATO Cyber Range, which is based at a facility provided by Estonia. In November 2023, NATO will hold the first comprehensive NATO Cyber Defence Conference in Berlin, bringing together decision-makers across the political, military and technical levels.

NATO has a number of practical tools to enhance situational awareness and facilitate information exchange, including points of contact with the national cyber defence authorities in all Allied capitals. A dedicated Memorandum of Understanding (MOU) sets out arrangements for the exchange of a variety of cyber defence-related information and assistance to improve cyber incident prevention, resilience and response capabilities.

Technical information is also exchanged through NATO's Malware Information Sharing Platform, which allows indicators of compromise to be shared rapidly among Allied cyber defenders, reinforcing the Alliance's overall defence posture.

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a NATO-accredited multinational and interdisciplinary cyber defence hub for recognised expertise, and focuses on cyber defence education, consultation, lessons learned, and research and development. It is not part of the NATO Command Structure.

The NATO Communications and Information (NCI) Academy in Oeiras, Portugal provides training to personnel from Allied (as well as non-NATO) countries relating to the operation and maintenance of NATO communications and information systems. The NCI Academy also offers cyber defence training and education.

The NATO School in Oberammergau, Germany conducts cyber defence-related education and training to support Alliance operations, strategy, policy, doctrine and procedures.

The NATO Defense College in Rome, Italy fosters strategic thinking on political-military matters, including on cyber defence issues.

Cooperating with partners

Cyber threats defy state borders and organisational boundaries, so NATO engages with a number of partner countries and other international organisations to enhance shared security.

Engagement with partner countries is based on shared values and common approaches to cyber defence. Requests for cooperation with the Alliance are handled on a case-by-case basis.

NATO also works with, among others, the European Union (EU), the United Nations (UN) and the Organization for Security and Co-operation in Europe (OSCE).

Cyber defence is one of the areas of strengthened cooperation between NATO and the EU as part of the two organisations' increasingly coordinated efforts to counter hybrid threats. NATO and the EU share information between cyber response teams and exchange best practices. Cooperation is also being enhanced in areas including training, research and exercises, with tangible results in countering cyber threats. The Technical Arrangement on Cyber Defence between the NATO Computer Incident Response Capability (now known as the NATO Cyber Security Centre) and the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) provides a framework for exchanging information and sharing best practices between emergency response teams.

At the 2023 NATO Summit in Vilnius, Allies committed to further seeking to develop mutually beneficial and effective partnerships, including with partner countries, international organisations, industry and academia.

Cooperating with industry

The private sector is a key player in cyberspace, and technological innovations and expertise from the private sector are crucial to enable NATO and Allies to respond effectively to cyber threats.

In line with the 2023 concept to enhance the contribution of cyber defence to NATO's overall deterrence and defence posture, as endorsed by Allies at the 2023 Vilnius Summit, NATO and its Allies are working to strengthen their engagement with industry and academia through information-sharing, exercises, and training and education.


Governance

NATO's Comprehensive Cyber Defence Policy is implemented by NATO's political, military and technical authorities, as well as by individual Allies. The North Atlantic Council, NATO's principal political decision-making body, provides high-level political oversight on all aspects of implementation. 

The Cyber Defence Committee, subordinate to the North Atlantic Council, is the lead committee for political governance and cyber defence policy. The NATO Consultation, Command and Control Board constitutes the main committee for consultation on technical and implementation aspects of cyber defence. The NATO Military Authorities and the NATO Communications and Information Agency bear specific responsibilities for identifying the statement of operational requirements, and for the acquisition, implementation and operation of NATO's cyber defence capabilities. Allied Command Transformation is responsible for the planning and conduct of the annual Cyber Coalition Exercise.

The NATO Chief Information Officer (CIO) facilitates the integration, alignment and cohesion of Information and Communications Technology (ICT) systems NATO-wide, and oversees the development and operation of ICT capabilities. The CIO is also the single point of authority for all cyber security issues throughout NATO. This includes leading incident management, orienting specific investments, improving NATO's cyber security posture, as well as increasing cyber security awareness NATO-wide. 

The NATO Communications and Information Agency, through the NATO Cyber Security Centre (NCSC) in Mons, Belgium, is responsible for the provision of technical cyber security services throughout NATO. The NCSC has a key role in responding to any cyber incidents affecting NATO. It handles and reports incidents, and disseminates important incident-related information to system/security management and users.


Evolution

Although NATO has always protected its communications and information systems, the 2002 NATO Summit in Prague first placed cyber defence on the Alliance's political agenda. Allied leaders reiterated the need to provide additional protection to these information systems at the 2006 NATO Summit in Riga.

Following the cyber attacks against Estonia's public and private institutions in 2007, Allied Defence Ministers agreed that urgent work was needed in this area. As a result, NATO approved its first Policy on Cyber Defence in January 2008.

In the summer of 2008, the conflict between Russia and Georgia demonstrated that cyber attacks have the potential to become a major component of conventional warfare.

NATO adopted a Strategic Concept at the 2010 NATO Summit in Lisbon, which recognised for the first time that cyber attacks could reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability.

In June 2011, NATO Defence Ministers approved the second NATO Policy on Cyber Defence, which set out a vision for coordinated efforts in cyber defence throughout the Alliance within the context of the rapidly evolving threat and technology environment. 

In April 2012, cyber defence was introduced into the NATO Defence Planning Process. Relevant cyber defence requirements are identified and prioritised through the defence planning process.

At the 2012 NATO Summit in Chicago, Allied leaders reaffirmed their commitment to improving the Alliance's cyber defences by bringing all of NATO's networks under centralised protection and implementing a series of upgrades to NATO's cyber defence capability.

In July 2012, as part of the reform of NATO's agencies, the NATO Communications and Information Agency was established.

In February 2014, Allied Defence Ministers tasked NATO to develop a new, enhanced cyber defence policy that addressed collective defence, assistance to Allies, streamlined governance, legal considerations and relations with industry. 

In April 2014, the North Atlantic Council agreed to rename the Defence Policy and Planning Committee/Cyber Defence as the Cyber Defence Committee.

At the 2014 NATO Summit in Wales, Allies endorsed a new cyber defence policy. In this policy, cyber defence was recognised as part of NATO's core task of collective defence, which means that a cyber attack could be grounds to invoke Article 5 of NATO's founding treaty. Allies also recognised that international law applies in cyberspace.

In September 2014, NATO launched an initiative to boost cooperation with the private sector on cyber threats and challenges. Endorsed by Allied Leaders at the Wales Summit, the NATO Industry Cyber Partnership (NICP) was presented at a two-day cyber conference held in Mons, Belgium, where 1,500 industry leaders and policy makers gathered to discuss cyber collaboration. The NICP recognises the importance of working with industry partners to enable the Alliance to achieve its cyber defence objectives. 

In February 2016, NATO and the EU concluded a Technical Arrangement on Cyber Defence to help both organisations better prevent and respond to cyber attacks. This Technical Arrangement between the NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team of the EU (CERT-EU) provides a framework for exchanging information and sharing best practices between emergency response teams.

At the 2016 NATO Summit in Warsaw, Allied Heads of State and Government reaffirmed NATO's defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself. This improved NATO's ability to protect and conduct its missions and operations. The Alliance also welcomed efforts undertaken in other international fora to develop norms of responsible state behaviour and confidence-building measures to foster a more transparent and stable cyberspace.

Also at the Warsaw Summit, Allies committed through a Cyber Defence Pledge to enhancing the cyber defences of their national networks and infrastructures, as a matter of priority. Each Ally pledged to improve its resilience and ability to respond quickly and effectively to cyber threats, including as part of hybrid campaigns.

In December 2016, NATO and the EU agreed on a series of more than 40 measures to advance how the two organisations work together – including on countering hybrid threats, cyber defence, and making their common neighbourhood more stable and secure. On cyber defence, NATO and the EU agreed to strengthen their mutual participation in exercises, and foster research, training and information-sharing. 

In February 2017, Allied Defence Ministers approved an updated Cyber Defence Action Plan, as well as a roadmap to implement cyberspace as a domain of operations. This increased Allies' ability to work together, develop capabilities and share information. 

Also in February 2017, NATO and Finland (which was, at the time, a partner country and acceded to NATO in 2023) stepped up their engagement with the signing of a Political Framework Arrangement on cyber defence cooperation. The arrangement allows NATO and Finland to better protect and improve the resilience of their networks.

In December 2017, NATO and EU ministers agreed to step up cooperation between the two organisations in a number of areas, including cyber security and defence. Areas of cooperation include the analysis of cyber threats and collaboration between incident response teams, as well as the exchange of good practices concerning the cyber aspects and implications of crisis management.

At the 2018 NATO Summit in Brussels, Allied Leaders agreed to set up a new Cyberspace Operations Centre as part of NATO's strengthened Command Structure. The Centre provides situational awareness and coordinates NATO's operational activity in and through cyberspace. Allies also agreed that NATO can draw on national cyber capabilities for its operations and missions. Allies maintain full ownership of those contributions, just as Allies own the tanks, ships and aircraft in NATO operations and missions. 

In February 2019, NATO Defence Ministers endorsed a NATO guide that sets out a number of tools to further strengthen NATO's ability to respond to significant malicious cyber activities. NATO needs to use all the tools at its disposal, including political, diplomatic and military, to tackle the cyber threats that it faces. The response options outlined in the NATO guide help NATO and its Allies to enhance their situational awareness about what is happening in cyberspace, boost their resilience, and work together with partners to deter, defend against and counter the full spectrum of cyber threats.

At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy to support NATO's three core tasks, as well as its overall deterrence and defence posture. NATO must actively deter, defend against and counter the full spectrum of cyber threats at all times – during peacetime, crisis and conflict – and at the political, military and technical level. Allies recognised that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack. Allies also agreed to make greater use of NATO as a platform for political consultation among Allies, sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses.

In September 2021, the North Atlantic Council appointed NATO's first Chief Information Officer (CIO) to facilitate the integration, alignment and cohesion of ICT systems NATO-wide.

At the 2023 NATO Summit in Vilnius, Allies endorsed a new concept to enhance the contribution of cyber defence to NATO's overall deterrence and defence posture. It will enhance NATO's shared situational awareness and cyber resilience, making the Alliance more secure and better able to mitigate the potential for significant harm from cyber threats. 

At the Vilnius Summit, Allies also restated and enhanced the Cyber Defence Pledge and committed to more ambitious goals to strengthen national cyber defences as a matter of priority, including for critical infrastructures. Recognising the need to receive assistance swiftly, NATO also launched the Virtual Cyber Incident Support Capability (VCISC) to support national mitigation efforts in response to significant malicious cyber activities. Leaders also announced the first comprehensive NATO Cyber Defence Conference in Berlin in November 2023, to bring together decision-makers across the political, military and technical levels.

At the 2024 NATO Summit in Washington, D.C., Allies agreed to establish the NATO Integrated Cyber Defence Centre to enhance network protection, situational awareness and the implementation of cyberspace as an operational domain.