Cyber defence

Last updated: 04 Apr. 2023 15:22

Cyber threats to the security of the Alliance are complex, destructive and coercive, and are becoming ever more frequent. NATO will continue to adapt to the evolving cyber threat landscape. NATO and its Allies rely on strong and resilient cyber defences to fulfil the Alliance’s core tasks of collective defence, crisis management and cooperative security. The Alliance needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats it faces.

Cyber defence is part of NATO’s core task of collective defence.
NATO Allies have affirmed that international law applies in cyberspace.
NATO's main focus in cyber defence is to protect its own networks, operate in cyberspace (including through the Alliance’s operations and missions), help Allies to enhance their national resilience and provide a platform for political consultation and collective action.
In July 2016, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.
Allies also made a Cyber Defence Pledge in July 2016 to enhance their cyber defences, and have continued to bolster their national resilience as a matter of priority.
NATO reinforces its cyber capabilities, including through education, training and exercises.
Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.
NATO Cyber Rapid Reaction teams are on standby 24 hours a day to assist Allies, if requested and approved.
At the 2018 NATO Summit in Brussels, Allies agreed to set up a Cyberspace Operations Centre as part of NATO’s strengthened Command Structure. They also agreed that NATO can draw on national cyber capabilities for operations and missions.
In February 2019, Allies endorsed a NATO guide that sets out a number of tools to further strengthen NATO’s ability to respond to significant malicious cumulative cyber activities.
NATO and the European Union (EU) are cooperating through a Technical Arrangement on Cyber Defence, which was signed in February 2016. In light of common challenges, NATO and the EU are strengthening their cooperation on cyber defence, notably in the areas of information exchange, training, research and exercises.
NATO is intensifying its cooperation with industry through the NATO Industry Cyber Partnership.
At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy, which supports NATO’s core tasks and overall deterrence and defence posture to enhance further the Alliance’s resilience.
Allies are using NATO as a platform for political consultation, sharing concerns about malicious cyber activities and exchanging national approaches and responses, as well as considering possible collective responses.
Allies are promoting a free, open, peaceful and secure cyberspace, and pursuing efforts to enhance stability and reduce the risk of conflict by supporting international law and voluntary norms of responsible state behaviour in cyberspace.

NATO’s approach to cyber defence

NATO policy on cyber defence

To keep pace with the rapidly changing threat landscape and maintain robust cyber defences, NATO adopted an enhanced policy and action plan, which were endorsed by Allies at the 2014 NATO Summit in Wales. The 2014 policy established that cyber defence is part of the Alliance’s core task of collective defence, confirmed that international law applies in cyberspace, set out the further development of NATO’s and Allies’ capabilities, and intensified NATO’s cooperation with industry.

At the 2016 NATO Summit in Warsaw, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. As most crises and conflicts today have a cyber dimension, treating cyberspace as a domain enables NATO to better protect and conduct its operations and missions.

At the Warsaw Summit, Allies also pledged to strengthen and enhance the cyber defences of national networks and infrastructures, as a matter of priority. Together with the continuous adaptation of NATO’s cyber defence capabilities, this will reinforce the cyber defence and overall resilience of the Alliance.

At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy, which supports NATO’s three core tasks of collective defence, crisis management and cooperative security, as well as its overall deterrence and defence posture. NATO’s defensive mandate was reaffirmed, and Allies committed to employing the full range of capabilities to actively deter, defend against and counter the full spectrum of cyber threats at all times. Responses need to be continuous and draw on elements of the entire NATO toolbox that include political, diplomatic and military tools. Allies also recognised that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack. The nature of cyberspace requires a comprehensive approach through unity of effort at the political, military and technical levels. The 2021 policy and its corresponding action plan will drive forward activities across these three levels.

Developing the NATO cyber defence capability

The NATO Computer Incident Response Capability (NCIRC), based at SHAPE in Mons, Belgium, protects NATO’s own networks by providing centralised and round-the-clock cyber defence support. This capability evolves on a continual basis and maintains pace with the rapidly changing threat and technology environment.

NATO has also established a Cyberspace Operations Centre in Mons, Belgium. The Centre supports military commanders with situational awareness to inform the Alliance’s operations and missions. It also coordinates NATO’s operational activity in cyberspace, ensuring freedom to act in this domain and making operations more resilient to cyber threats.

To facilitate an Alliance-wide common approach to cyber defence capability development, NATO also defines targets for Allied countries’ implementation of national cyber defence capabilities via the NATO Defence Planning Process.

NATO helps Allies to enhance their national cyber defences by facilitating information-sharing, exchange of best practices and by conducting cyber defence exercises to develop national expertise. Similarly, individual Allied countries may, on a voluntary basis and facilitated by NATO, assist other Allies to develop their national cyber defence capabilities.

Increasing NATO cyber defence capacity

Cyber defence is as much about people as it is about technology. NATO continues to improve the state of its cyber defence through education, training and exercises.

NATO conducts regular exercises, such as the annual Cyber Coalition Exercise, and aims to integrate cyber defence elements and considerations into the entire range of Alliance exercises, including the Crisis Management Exercise (CMX). NATO is also enhancing its capabilities for education and training, including the NATO Cyber Range, which is based at a facility provided by Estonia.

NATO has a number of practical tools to enhance situational awareness and facilitate information exchange, including points of contact with the national cyber defence authorities in each of the 31 Allied capitals. A dedicated Memorandum of Understanding (MOU) sets out arrangements for the exchange of a variety of cyber defence-related information and assistance to improve cyber incident prevention, resilience and response capabilities.

Technical information is also exchanged through NATO’s Malware Information Sharing Platform, which allows indicators of compromise to be shared among Allied cyber defenders.

The NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn, Estonia is a NATO-accredited research and training facility focused on cyber defence education, consultation, lessons learned, research and development. Although it is not part of the NATO Command Structure, the CCD CoE offers recognised expertise and experience.

The NATO Communications and Information (NCI) Academy in Oeiras, Portugal provides training to personnel from Allied (as well as non-NATO) countries relating to the operation and maintenance of NATO communications and information systems. The NCI Academy also offers cyber defence training and education.

The NATO School in Oberammergau, Germany conducts cyber defence-related education and training to support Alliance operations, strategy, policy, doctrine and procedures.

The NATO Defense College in Rome, Italy fosters strategic thinking on political-military matters, including on cyber defence issues.

Cooperating with partners

Cyber threats defy state borders and organisational boundaries, and so NATO engages with a number of partner countries and other international organisations to enhance shared security.

Engagement with partner countries is based on shared values and common approaches to cyber defence. Requests for cooperation with the Alliance are handled on a case-by-case basis.

NATO also works with, among others, the European Union (EU), the United Nations (UN) and the Organization for Security and Co-operation in Europe (OSCE).

Cyber defence is one of the areas of strengthened cooperation between NATO and the EU, as part of the two organisations’ increasingly coordinated efforts to counter hybrid threats. NATO and the EU share information between cyber response teams and exchange best practices. Cooperation is also being enhanced on training, research and exercises with tangible results in countering cyber threats.

At the 2021 NATO Summit in Brussels, Allies reaffirmed their commitment to acting in accordance with international law, including the UN Charter, international humanitarian law and international human rights law in order to promote a free, open, peaceful and secure cyberspace. They also committed to further pursuing efforts to enhance stability and reduce the risk of conflict.

Cooperating with industry

The private sector is a key player in cyberspace, and technological innovations and expertise from the private sector are crucial to enable NATO and Allied countries to respond effectively to cyber threats.

Through the NATO Industry Cyber Partnership (NICP), NATO and its Allies are working to reinforce their relationships with industry and academia. This partnership includes NATO entities, national Computer Emergency Response Teams (CERTs) and Allies’ industry representatives. Information-sharing, exercises, and training and education are just a few examples of areas in which NATO and industry are working together.

Governance

NATO’s Comprehensive Cyber Defence Policy is implemented by NATO’s political, military and technical authorities, as well as by individual Allies. The North Atlantic Council, NATO’s principal political decision-making body, provides high-level political oversight on all aspects of implementation.

The Cyber Defence Committee, subordinate to the North Atlantic Council, is the lead committee for political governance and cyber defence policy. The NATO Consultation, Command and Control Board constitutes the main committee for consultation on technical and implementation aspects of cyber defence. The NATO Military Authorities and the NATO Communications and Information Agency bear specific responsibilities for identifying the statement of operational requirements, acquisition, implementation and operating of NATO’s cyber defence capabilities. Allied Command Transformation is responsible for the planning and conduct of the annual Cyber Coalition Exercise.

The NATO Chief Information Officer (CIO) facilitates the integration, alignment and cohesion of Information and Communications Technology (ICT) systems NATO-wide, and oversees the development and operation of ICT capabilities. The CIO is also the single point of authority for all cyber security issues throughout NATO. This includes leading incident management, orienting specific investments, improving NATO’s cyber security posture, as well as increasing cyber security awareness NATO-wide.

The NATO Communications and Information Agency, through its NCIRC Technical Centre in Mons, Belgium, is responsible for the provision of technical cyber security services throughout NATO. The NCIRC Technical Centre has a key role in responding to any cyber incidents affecting NATO. It handles and reports incidents, and disseminates important incident-related information to system/security management and users.

Evolution

Although NATO has always protected its communications and information systems, the 2002 NATO Summit in Prague first placed cyber defence on the Alliance’s political agenda. Allied leaders reiterated the need to provide additional protection to these information systems at the 2006 NATO Summit in Riga.

Following the cyber attacks against Estonia’s public and private institutions in 2007, Allied defence ministers agreed that urgent work was needed in this area. As a result, NATO approved its first Policy on Cyber Defence in January 2008.

In the summer of 2008, the conflict between Russia and Georgia demonstrated that cyber attacks have the potential to become a major component of conventional warfare.

NATO adopted a new Strategic Concept at the 2010 NATO Summit in Lisbon, which recognised for the first time that cyber attacks could reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability.

In June 2011, NATO defence ministers approved the second NATO Policy on Cyber Defence, which set out a vision for coordinated efforts in cyber defence throughout the Alliance within the context of the rapidly evolving threat and technology environment.

In April 2012, cyber defence was introduced into the NATO Defence Planning Process. Relevant cyber defence requirements are identified and prioritised through the defence planning process.

At the 2012 NATO Summit in Chicago, Allied leaders reaffirmed their commitment to improving the Alliance’s cyber defences by bringing all of NATO’s networks under centralised protection and implementing a series of upgrades to NATO’s cyber defence capability.

In July 2012, as part of the reform of NATO’s agencies, the NATO Communications and Information Agency was established.

In February 2014, Allied defence ministers tasked NATO to develop a new, enhanced cyber defence policy that addressed collective defence, assistance to Allies, streamlined governance, legal considerations and relations with industry.

In April 2014, the NAC agreed to rename the Defence Policy and Planning Committee/Cyber Defence as the Cyber Defence Committee.

At the 2014 NATO Summit in Wales, Allies endorsed a new cyber defence policy. In this policy, cyber defence was recognised as part of NATO’s core task of collective defence, which means that a cyber attack could be grounds to invoke Article 5 of NATO’s founding treaty. Allies also recognised that international law applies in cyberspace.

In September 2014, NATO launched an initiative to boost cooperation with the private sector on cyber threats and challenges. Endorsed by Allied leaders at the Wales Summit, the NATO Industry Cyber Partnership (NICP) was presented at a two-day cyber conference held in Mons, Belgium, where 1,500 industry leaders and policy makers gathered to discuss cyber collaboration. The NICP recognises the importance of working with industry partners to enable the Alliance to achieve its cyber defence objectives.

In February 2016, NATO and the EU concluded a Technical Arrangement on Cyber Defence to help both organisations better prevent and respond to cyber attacks. This Technical Arrangement between NCIRC and the Computer Emergency Response Team of the EU (CERT-EU) provides a framework for exchanging information and sharing best practices between emergency response teams.

At the 2016 NATO Summit in Warsaw, Allied Heads of State and Government reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. This improved NATO’s ability to protect and conduct its missions and operations. The Alliance also welcomed efforts undertaken in other international fora to develop norms of responsible state behaviour and confidence-building measures to foster a more transparent and stable cyberspace.

Also at the Warsaw Summit, Allies committed through a Cyber Defence Pledge to enhancing the cyber defences of their national networks and infrastructures, as a matter of priority. Each Ally pledged to improve its resilience and ability to respond quickly and effectively to cyber threats, including as part of hybrid campaigns.

In December 2016, NATO and the EU agreed on a series of more than 40 measures to advance how the two organisations work together – including on countering hybrid threats, cyber defence, and making their common neighbourhood more stable and secure. On cyber defence, NATO and the EU agreed to strengthen their mutual participation in exercises, and foster research, training and information-sharing.

In February 2017, Allied defence ministers approved an updated Cyber Defence Action Plan, as well as a roadmap to implement cyberspace as a domain of operations. This increased Allies’ ability to work together, develop capabilities and share information.

Also in February 2017, NATO and Finland (which was, at the time, a partner country and acceded to NATO in 2023) stepped up their engagement with the signing of a Political Framework Arrangement on cyber defence cooperation. The arrangement allows NATO and Finland to better protect and improve the resilience of their networks.

In December 2017, NATO and EU ministers agreed to step up cooperation between the two organisations in a number of areas, including cyber security and defence. Areas of cooperation include the analysis of cyber threats and collaboration between incident response teams, as well as the exchange of good practices concerning the cyber aspects and implications of crisis management.

At the 2018 NATO Summit in Brussels, Allied leaders agreed to set up a new Cyberspace Operations Centre as part of NATO’s strengthened Command Structure. The Centre provides situational awareness and coordinates NATO’s operational activity in and through cyberspace. Allies also agreed that NATO can draw on national cyber capabilities for its operations and missions. Allies maintain full ownership of those contributions, just as Allies own the tanks, ships and aircraft in NATO operations and missions.

In February 2019, NATO defence ministers endorsed a NATO guide that sets out a number of tools to further strengthen NATO’s ability to respond to significant malicious cyber activities. NATO needs to use all the tools at its disposal, including political, diplomatic and military, to tackle the cyber threats that it faces. The response options outlined in the NATO guide help NATO and its Allies to enhance their situational awareness about what is happening in cyberspace, boost their resilience, and work together with partners to deter, defend against and counter the full spectrum of cyber threats.

On 3 June 2020, the North Atlantic Council issued a statement condemning the destabilising and malicious cyber activities taking place in the context of the coronavirus pandemic. The statement expressed Allied solidarity and mutual support for those dealing with the consequences of these malicious cyber activities, including healthcare services, hospitals and research institutes. The statement also called for respect for international law and norms of responsible state behaviour in cyberspace.

At the 2021 NATO Summit in Brussels, Allies endorsed a new Comprehensive Cyber Defence Policy to support NATO’s three core tasks of collective defence, crisis management and cooperative security, as well as its overall deterrence and defence posture. NATO must actively deter, defend against and counter the full spectrum of cyber threats at all times – during peacetime, crisis and conflict – and at the political, military and technical level. Allies recognised that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack. Allies also agreed to make greater use of NATO as a platform for political consultation among Allies, sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses.

On 19 July 2021, the North Atlantic Council issued a statement of solidarity with those affected by malicious cyber activities including the Microsoft Exchange Server compromise. The statement highlighted recent ransomware incidents and other malicious cyber activity, targeting critical infrastructure and democratic institutions, as well as exploiting weaknesses in supply chains. The statement condemned such malicious cyber activities and underlined the important role all States have to play in promoting and upholding voluntary norms of responsible state behaviour.

In September 2021, the North Atlantic Council appointed NATO’s first Chief Information Officer (CIO) to facilitate the integration, alignment and cohesion of ICT systems NATO-wide.

HIGH-QUALITY B-ROLL

Cyber defence

News

NATO Exercise Cyber Coalition concludes in Estonia03 Dec. 2022
NATO’s flagship cyber defence exercise kicks off in Estonia28 Nov. 2022
NATO Secretary General warns of growing cyber threat 10 Nov. 2022
NATO Deputy Secretary General emphasises the need for the responsible use of new technologies03 Nov. 2022
Using quantum technologies to make communications secure27 Sep. 2022

Countering terrorism

Defence Against Terrorism Programme of Work (DAT POW)

Emerging and disruptive technologies

NATO’s response to hybrid threats

Video

- How does NATO defend against cyber attacks? 20 Sep. 2019
- NATO Secretary General at the Cyber Defence Pledge Conference, London, 23 MAY 2019 23 May. 2019
- How could cyber attacks affect you? 25 May. 2018
- E-Warriors: The Estonian Cyber Defence Unit 12 Jan. 2018

Infographic

Infograph - Cyberdefence & NATO

NATO Review

- NATO’s role in cyberspace 12 Feb. 2019 Cyber threats to Alliance security are becoming more frequent, complex, destructive and coercive. Laura Brent of NATO’s Emerging Security Challenges Division looks at the challenges facing the Alliance and at the steps that have been taken in cyber defence over the past decade. The views expressed are her own.
- Spending for success on cyber defence 06 Apr. 2017 Why is it so important to invest in cyber defence? What do nations need to spend on? Neil Robinson of NATO’s cyber defence policy team explains.
- Cyber resilience: protecting NATO’s nervous system 12 Aug. 2016 Without the right information, at the right time, in the right place, the ability of NATO commanders to take a decision is compromised. Information technology provides the glue for command and control capability.
- Cyber defence 08 Jun. 2016 Cyber attacks can affect most areas of our lives and are increasing in speed, sophistication and diversity. Should NATO do more to contribute to cyber defence?
- NATO: changing gear on cyber defence 08 Jun. 2016 The public-private character of how the Internet is governed highlights the need to work together – a key issue when reviewing NATO’s role. Cooperation between like-minded states and international organisations remains the best way to address many cyber risks.
- Hackers for hire 28 Jun. 2013 Hackers are the 21st century warriors who worry many. As everything we use becomes increasingly connected, so their opportunities to hack, divert or destroy increase. NATO Review talked to some hackers to see what motivates them – and finds out that they can actually be a force for good too.
- The history of cyber attacks - a timeline 24 Jun. 2013 NATO Review's timeline on cyber attacks shows the history - and seriousness - of attacks since they began in the 1980s. Use the interactive timeline to find out about some of the major - and most audacious - cyber attacks since the first worm got loose in 1988.
- Cyberwar - does it exist? 24 Jun. 2013 Cyber war does not exist. This is the bald statement summarising the work of Dr Thomas Rid of King's College London, who feels that cyber attacks meet none of the conditions of war. NATO Review asked how he came to this conclusion and what it meant for the security field.
- Cyber - the good, the bad and the bug-free 24 Jun. 2013 The changing threats to the world since 2001 is evident. When 9/11 occurred, there were just over 513 million Internet users (just over 8% of the world's population). But today's world has over 2.7 billion users of the Internet (or nearly 39% of the global population)…..
- Cyber security infographic 24 Jun. 2013 No time to watch a video on cyber attacks? No problem. Here we provide an infographic highlighting the main threats (and prevention techniques) for those who fear cyber attacks in government bodies. From phishing to spam and from big data to data leakage, this GovLoop infographic explains what to look for and where.
- Cyber attacks: how can they hurt us? 24 Jun. 2013 What damage can cyber attacks actually do? NATO Review asks the White House's former director of cyber infrastructure protection what we should be worried about - and how knowledge of cyber attacks' potential may be more limited than portrayed.
- Cyber: how it can be used - in pictures 24 Jun. 2013 Cyber is never the easiest subject to illustrate (without numerous pictures of cables, keyboards and flashing computer lights), but NATO Review has managed to find a number of events and issues which highlight how the use of cyber techniques has boomed.
- Cyber attacks, NATO - and angry birds 24 Jun. 2013 If any NATO country knows about cyber attacks, it's Estonia. The country suffered a high profile series of attacks on institutions across the country in spring 2007. NATO Review asked Estonia's President what the country learned from this and why he feels the area deserves more attention.
- Crime, computers and security in 2012 23 Jan. 2012 What's going to happen in 2012? Some things are easy to see: we'll see more attacks by criminals. We'll see more attacks by hactivists (like the infamous Anonymous group). But most importantly, we'll see that many of the future real-world crisis will have a cyber element in them as well. Certainly, any future war between technically developed nations is likely to incorporate computer attacks.
- New threats: the cyber-dimension 08 Sep. 2011 September 11th, 2001 has often been called the day that changed everything. This might not be true for our day to day life, but in security, it really marked a new era. Together with the Twin Towers, our traditional perceptions of threats collapsed. The Cold War scenario that had dominated for over 50 years was radically and irrevocably altered.
- Social media - the frontline of cyberdefence? 23 Mar. 2011 There are those who see social media as a threat to their security. Not just individuals, not just companies, but also governments. Why is this? And how much of a soft underbelly do social networks present?
- China and the West: Keyboard conflicts 21 Apr. 2010 Both the West and China have highlighted the importance of the Web - in different ways. Here we look at how it is becoming centre stage in cyber attacks between the two and the efforts both sides are making to beef up their defences.