NATO is developing new measures to enhance the protection of its communication and information systems against attempts at disruption through attacks or illegal access. These efforts form practical aspects of a common policy on cyber defence.
This new policy establishes the basic principles and provides direction to NATO’s civil and military bodies in order to ensure a common and coordinated approach to cyber defence and any response to cyber attacks. It also contains recommendations for individual NATO countries on the protection of their national systems.
NATO’s policy on cyber defence was approved in January 2008 and has been endorsed by heads of state and government at the Bucharest Summit in April.
What does this mean in practice?
The Alliance’s relevant military and technical committees and bodies, as well as the Allies individually, are now engaged in implementing the policy. In line with this, a cyber defence Centre of Excellence has been set up in Estonia and NATO's Military Committee recently agreed on a Cyber Defence Concept which adds practical action programmes to fit within the overarching policy.
These actions include the creation of a Cyber Defence Management Authority, which brings together the key actors in NATO’s cyber defence activities. The Authority will manage cyber defence across all NATO’s communication and information systems and could support individual Allies in defending against cyber attacks upon request.
NATO is encouraging the use of government and industry best practices to avoid the duplication of efforts. The Allies are working in close coordination with an industrial consortium to achieve it.
Three phases of practical activity
At the 2002 Prague Summit, NATO leaders directed that a technical NATO Cyber Defence Programme be implemented. This consisted of a three-phased programme of practical activities.
- The first phase covered the creation of the currently functioning NATO Computer Incident Response Capability (NCIRC) and establishing its interim operating capability;
- The second phase involved bringing the NCIRC up to full operational capability;
- The third phase consists of incorporating lessons learned from phase one and two, as well as using the latest cyber defence measures to enhance NATO’s cyber defence posture.
Addressing the technical and political aspects
Up until the cyber attacks on Estonia in the spring of 2007, NATO primarily addressed the protection of its own systems rather than efforts to assist Allies to protect theirs. These efforts, to a large extent, consisted of protecting NATO's encrypted communication and information system that handles the traffic of classified information throughout the Alliance.
The attacks on Estonia, which were conducted through the Internet against open, public websites, did not imply any new threat to this system but did in no way obviate the need to protect it. They served as a reminder of the vulnerabilities of key systems in open, modern societies to acts of hostility. In this way, the attacks also demonstrated the need for an Alliance cyber defence policy that would also address cooperation to protect critical communication systems beyond the encrypted networks.
Cooperating with partners
NATO is exploring the potential for practical cooperation on cyber defence. This cooperation will be developed incrementally, beginning with exchanges of information on basic political principles.
How did the policy evolve?
The 2002 Prague Summit marked NATO’s first tasking with regards to cyber defence activities. Building on the technical achievements put in place since Prague, Allied leaders acknowledged the need to protect information systems over the longer term at the NATO Riga Summit in November 2006.
A major cyber attack on Estonian public and private institutions in April and May 2007 prompted NATO to take a harder look at its cyber defences. At their meeting on 14 June 2007 Allied Defence Ministers agreed that urgent work was needed in this area.
Following this, NATO conducted a thorough assessment of its approach to cyber defence resulting in a report to Allied Defence Ministers in October 2007.
The report recommended specific roles for the Alliance as well as the implementation of a number of new measures aimed at improving protection against cyber attacks. The report also called for the development of a NATO cyber defence policy. This policy was agreed in early 2008.
Which bodies have a central role?
The North Atlantic Council – NATO’s top political decision-making body - has overall control over NATO’s policies and activities with regard to cyber defence. NATO’s Consultation, Control and Command Agency (NC3A) and the NATO Military Authorities (NMA) bear particular responsibility for the implementation of the new policy. NATO’s Computer Incident Response Capability (NCIRC) will have a key role in responding to any cyber aggression against the Alliance.