NATO and Cyber Defence
The NATO Summit held on 8-9 July in Warsaw attracted more than its share of attention from media worldwide as a result of Brexit and NATO military exercises on the Russian border. But what escaped the media lens was a path-breaking decision by NATO leaders to recognise cyber operations as one of its domains of war, alongside land, sea and air.
The red-carpet for the historic NATO Warsaw Summit to integrate cyber operations with its domains of war was laid in 2014 when NATO, after deliberating for several years, came to the consensus that cyber attacks qualify as military assault. The decision meant that Article 5 of the NATO founding treaty could be invoked by a member state subject to a cyber attack and conventional weapons could be used in response. Article 5 defines the casus foederis—the reasons for the terms of the alliance to be triggered.
The significance of the Warsaw decision stems from the fact that in defending against a hybrid attack, NATO will now consider cyber operations as a key offensive strategy. This move has cleared some strategic ambiguity by NATO in the past when it came to cyber defence. Earlier its leaders placed cyber threats on par with nuclear weapons, but the cyber threats weren’t enough to formalise a cyber security policy.
As often is the case, events on the ground provided the impetus to NATO members in generating momentum and consensus on issues related to cyber defence and cyber space information. Cyber attacks such as the distributed denial of service (DDOS) attacks on Estonia in 2007, the industrial control system breach in a German steel mill in 2014, the spear phishing via cyber intrusion into the White House internal security control network in April 2015, or the cyber hack in the same month of French television Network TV5Monde not only intruded on the cyber infrastructure of various NATO members but exposed the absence of cyber defence doctrines in the North Atlantic Security community.
The genesis of NATO’s cyber defence strategy was laid in its 2002 summit in Prague where, for the first time, cyber defence featured on its political agenda. And in its 2006 Riga summit, NATO members advocated to “develop a NATO Network Enabled Capability to share information, data and intelligence reliably, securely and without delay in Alliance operations, while improving protection of our key information systems against cyber-attack.”
The 2007 cyber attack on Estonia was largely believed to be the handiwork of hackers in Russia with Kremlin providing logistical support. Even before investigations into Estonia’s cyber attacks could be concluded, in August 2008 NATO was given another glimpse of Russia’s cyber capabilities with its use in the Georgian conflict. The use of cyber warfare as a Russian strategy acted as a catalyst for NATO to revise the cyber defence policy paper it had released in January 2008.
The onus was put on the North Atlantic Council—NATO’s chief decision-making body—to forge an action plan to implement the new strategic concept with respect to cyber defence adopted by NATO at its 2010 Lisbon summit. Several subsequent NATO summits were aimed at upgrading NATO Computer Incident Response Capability (NCIRC) as well as assimilating cyber defence strategy as part of the NATO defence planning process.
Most of the critical infrastructure in Europe lies in the hands of private enterprise or is a public-private collaboration. Achieving cooperation between government and the private sector to enable enhanced exchange of information and implementation of safety regulations regarding cyber security remains a challenge for NATO. President Obama understood the importance of this partnership in cyberspace when he signed a long-awaited executive order requiring federal agencies to share cyber threat information with private companies.
Cooperation in cyberspace between various stakeholders is sure to lead to confrontation between the collaborators on intelligence sharing, cultural and legal issues but evidence suggests that private players are coming on board to support this multilateral initiative to increase their resilience against cyber attacks.
Determining the proportionality of response to a cyber attack is another challenge for an organisation like NATO, which is founded on the principle of collective defence. Imagine a small-scale cyber intrusion by a rival nation on a NATO member nation resulting in critical information ransack: would such an attack invoke Article 5 of NATO constitution? Or a cyber attack on critical infrastructure which results in physical damage to life and property: is going full throttle in the virtual space in retaliation against such an attack the way forward? Or should the response be a package of economic, kinetic and diplomatic response in the physical space?
It’s a common saying in cyberspace that a network is only as strong its vulnerability. Any cyber defence strategy by NATO would require significant consensus building among NATO and its allies regarding cyber attack-immune civilian infrastructure. The recent EU-NATO agreement is a shining example where both parties were able to iron out their cultural and legal differences to enhance shared security and work towards building a cyber coalition.
By bringing cyber security into its policy focus and allocating increased resources towards it, NATO plans to create a credible deterrence against cyber attackers. NATO has to make sure that its cyber defence strategy is dynamic and robust enough to adapt to the continuously changing face of cyber warfare.
Vibhore Singh is currently studying for a Master of International Relations at the Australian National University, Canberra. He has significant work experience in the software and information technology industry across India and Southeast Asia. This article is published under a Creative Commons Licence and may be republished with attribution.
Published August 1, 2016