NATO’s Cyber Policy 2002-2019: A very, very brief overview

Over the years, NATO members have presented and rolled out several plans for improving cyber-defense governance. Official commitments made at NATO summits on cyber security have become increasingly granular. One topic that government leaders have long avoided talking about, however, is their own willingness and capacity to conduct military cyber operations.

Times are changing. As one senior official put it at a military cyber conference: “Speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced”. Last year the Alliance reached a landmark that went largely unnoticed: there are now more member states which have publicly declared they are seeking to establish an offensive cyber capability than there are member states which have remained publicly silent on this issue.  In late 2018, it was also announced that at least five countries would contribute national cyber forces to NATO missions and operations.

The coming days senior leaders will meet in London for the NATO Summit. Whilst I do not expect cyber policy to be a leading topic on the agenda (after all, there are bigger issues to worry about and space is now recognized as the newest domain of warfare by NATO), its a good opportunity to take stock of NATO’s cyber efforts over the past two decades. 

Below I have provided an overview of evens between 2002-2019 & list of reading  which I found particularly useful and relevant, preparing for NATO cyber-related events and workshops. 

Period of early awareness 2002-2016

2002 Prague Summit: First time NATO recognize that the Alliance should “Strengthen our capabilities to defend against cyber attacks.

2008 Bucharest Summit: Adoption ‘Policy on Cyber Defense’ 

Aim is to “protect key information systems in accordance with their respective responsibilities; share best practices; and provide a capability to assist Allied nations, upon request, to counter a cyber attack. We look forward to continuing the development of NATO’s cyber defence capabilities and strengthening the linkages between NATO and national authorities.”

2014 Wales Summit: Discussion cyber in relation to Article 5

“Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”

Operationalizing cyber as a domain 2016 – 

Warsaw Summit 2016 : cyberspace officially recognized as a domain of operations

Brussels Summit 2018: NATO reiterated its commitment to implement the cyber defense pledge & officially announced establishment Cyber Operations Center

Offering ‘Soveiregn Cyber Effects’

Latest news I found on this comes from Cyberscoop: “Nine NATO members have signed on to offer their capabilities: the U.S., the UK, The Netherlands, Estonia, Norway, Germany, France, Denmark, and Lithuania” 

Laura Brent from NATO has written on this as well (generally great overview)

For a US perspective see Trey Herr and Jackie Schneider CFR piece.

Cyber Defense Pledge

Each member country pledges, among other things, to “develop the fullest range of capabilities to defend [their] national infrastructures and networks,” and reaffirms the alliance’s commitment to international law in cyberspace.

My view on this Pledge is that it still leaves most strategic questions unanswered. Eg. As I asked in a piece with Alex Grisby; “are information operations part of the Cyber Defense Pledge or is it conveniently bracketed off as something different (possibly part of Finland’s Hybrid Warfare Center)?” 

Cyber Operations Center (CYOC)

There is a lot of hype about the CYOC. Retired U.S. Air Force Colonel Rizwan Ali, who helped to establish NATO’s cyber program, makes that case in a recent article in Foreign Policy that NATO has “embraced” a more “aggressive” stance with respect to “the use of cyber weaponry” when it recently established a Cyber Operations Center. Others argue that CYOC is a “big deal

Best description about the goal and workings of CYOC is by Don Lewis in War on the Rocks (also read his discussion on NATO’s ‘Roadmap to Implement Cyberspace as a Domain of Operations’):

“The Cyberspace Operations Centre can leverage the strategic staff capabilities of the existing headquarters without having to provide them for itself, which also serves to hasten its development. The center functions as the theater component for cyberspace, just as the geographic commands do for their respective operational domains. The deputy chief of staff for cyberspace is supreme allied commander Europe’s domain advisor for cyberspace. The director of the Cyberspace Operations Centre reports to deputy chief of staff for cyberspace.”

Together with Daniel Moore, I have been critical about CYOC’s “game changing” role. Discussion can be found here – we certainly don’t believe it makes NATO “more aggressive” – and that’s a good thing.

Other NATO programs/institutions:

  • The NATO School in Oberammergau, Germany
  • The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia
  • The NATO Computer Incident Response Capability (NCIRC) based in SHAPE, Mons
  • The NATO Defence College in Rome, Italy
  • The Trust Fund on Cyber Defence for Ukraine

Useful source for overview can be found here

Also, if you have a bit more time, read the excellent RAND report on ‘Operationalizing Cyberspace as a Military Domain

*Introduction of this blog is based on my CyCon 2019 piece ‘NATO Members’ Organizational Path Towards Conducting Offensive Cyber Operations: A Framework for Analysis 

Leave a Reply

Your email address will not be published. Required fields are marked *