NATO updates cyber defence policy as digital attacks become a standard part of conflict

NATO has updated its cyber defence policy in the light of a number of international crises that have involved cyber security threats.
Written by Steve Ranger, Global News Director

Reflecting how all international conflicts now have some digital component, NATO has updated its cyber defence policy to make it clear that a cyber attack can be treated as the equivalent of an attack with conventional weapons.

The organisation's new cyber defence policy clarifies that a major digital attack on a member state could be covered by Article 5, the collective defence clause. That states that an attack against one member of NATO "shall be considered an attack against them all" and opens the way for members to take action against the aggressor — including the use of armed force — to restore security.

That NATO is updating its cyber defence strategy now shows how rapidly cyber warfare has jumped up the agenda. While defence strategies are usually expected to last a decade, its last cyber strategy was only published three years ago.

Jamie Shea, deputy assistant secretary general for emerging security challenges, told ZDNet: "For the first time we state explicitly that the cyber realm is covered by Article 5 of the Washington Treaty, the collective defence clause. We don't say in exactly which circumstances or what the threshold of the attack has to be to trigger a collective NATO response and we don't say what that collective NATO response should be.

"This will be decided by allies on a case-by-case basis, but we established a principle that at a certain level of intensity of damage, malicious intention, a cyber attack could be treated as the equivalent of an armed attack."

The new policy has been approved by NATO defence ministers and will be endorsed at its Wales summit in September. Other elements of the policy will help improve information sharing and mutual assistance between allies, bolster NATO's cyber defence training and exercises, and boost cooperation with industry.

"It takes account of the fact that all of the major international crises that we've seen recently looking at Georgia, Syria and now Ukraine have a rather big and ongoing cyber dimension which shows that a lot of sophisticated methods and techniques are being employed," Shea said.

"It's certainly meant as a deterrent. It's not meant to be escalatory, but a signal that NATO is not defending itself only in 20th century terms."

For a number of years there has been debate about whether a digital attack could have the same effect as an attack with conventional weapons. The event that threw the issue into relief came in 2007, when Estonia faced a digital assault on its critical infrastructure (since 2008, the country has hosted the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn).

Following the Estonian incident, many have argued that an extended and severe digital assault on a nation could be considered the equivalent of a physical attack, but by updating its policy NATO has made its position on the issue clearer.

The new policy doesn't spell out when a cyber attack could trigger an Article 5 response — if only because it's very hard to define the nature of such an assault (Article 5 has itself only been invoked by NATO once). Cyber attacks also bring with them the tricky problem of attribution — that is, it's extremely hard to work out exactly where an attack is coming from, and even harder to deduce who it is being orchestrated by. Despite that, the update to NATO's cyber defence policies could have the effect of making countries more cautious about when they use cyber weapons as part of any conflict.

Some, however, have called for NATO to go further and, like some of its members, adopt an explicit strategy around cyber-offence: "NATO must move past its current cyber defence policy and provide operational capabilities to defend itself and its allies by collective pre-emptive and retaliatory actions," wrote Klara Tothova Jordan, assistant director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security recently.

A number of NATO members — most notably the US and the UK — have been building up their cyberwarfare capabilities over the past few years, including their ability to attack adversaries by digital means as well as defend themselves. However, because of the unusual nature of cyber weapons — in that they are mostly sophisticated pieces of malware built on obscure zero-day flaws in commercial software — it's hard to use them as a deterrent.

As Christian-Marc Lifländer, policy advisor on cyber defence at NATO, told ZDNet: "What is special about the cyber field is when you talk about the whole notion of deterrence — for example, we are able to count the tanks, the planes, the ships, we know what the opponent has. But when it comes to the cyber issue, the moment you show what you have you lose it. So that is making the case difficult: how do you signal resolve, how do you signal your willingness to respond without giving away the very capability that you have? That is making the situation not very transparent — it is difficult to see what is there and what is not."

But as most countries are increasingly dependent on technology the threat of digital attacks is likely to increase, not lessen. That's the case with developments such as the so-called Internet of Things where everyday items are connected to the internet to allow them to share data and communicate. As Lifländer joked: "Yes, you will have such a thing as a strategic toaster."

A recent report from the Atlantic Council and the Norwegian Institute for Defense Studies said NATO should create a cyber 'exercise range'. While the US and the UK lead the world in cyber capabilities, the report said, other NATO members, especially those with limited resources, are lagging behind.

"Creating a NATO Cyber 'Exercise Range' would... send an important signal about the Alliance's seriousness about cyber defense and security", the report said, which also called for a 'Senior Cyber Committee', like NATO's current Nuclear Planning Group, to meet regularly to discuss cyber security across the alliance. The report, NATO in an era of global competition, also warned of the emergence of a new style of 'hybrid warfare' which includes cyber warfare among other elements.

"The Russian invasion of Georgia in 2008 and the Ukraine crisis showcase the potency of hybrid warfare. This is an approach that combines conventional military forces with information operations, provocateurs, cyber, and economic measures that would test NATO’s ability to reassure its members," it warned.
