Last November’s NATO summit in Lisbon agreed to a new security concept that frames the way the alliance will address the full range of emerging threats to our collective peace and security.
Among the most pressing and potentially dangerous of these threats are cyberattacks. NATO leaders committed to a renewed cyberdefense policy and to taking immediate action to protect the alliance’s information systems against hostile attacks.
As the custodian of NATO’s military future, Allied Command Transformation, which I command, has a central role in developing the capabilities and supporting the doctrine that NATO will need to put in place to achieve those objectives.
The decisions taken in Lisbon are only the most recent steps in a process that began with the series of cyberattacks on Estonia in the spring of 2007, which struck not only military targets but also key civilian infrastructure. The damage they caused to an ally was a wake-up call for NATO. Our cyber-dependent societies and militaries were vulnerable.
Today, a critical element of any cyberdefense strategy is the understanding that cyberspace is international by nature. No one country can deal effectively with cyberthreats on its own.
For its members, NATO offers an established and proven forum for collective action. Cooperation within NATO, however, does not and should not preclude working with other nations, beginning with its partners, and other multilateral or international organizations — the European Union, for example — whose areas of strength in cyberdefense complement those of the alliance.
NATO operations rely heavily on cyber-enabled networks. This dependence has already led the alliance to make significant progress in defending its command, control and cybersystems.
Its permanent mission involves countering the daily attempts made by hackers to break into our systems, which are by necessity interconnected, making a weakness in one country’s systems a weakness in all.
Indeed, allied nations need to share data and intelligence both in the conduct of operations and for planning and coordination. Such requirements have been expanding exponentially since the start of our common mission in Afghanistan.
But sharing will grow only if there is mutual trust in the security of the information being communicated. Our nations’ forces therefore need to pool their best practices and techniques and implement common standards.
Protection by itself is, of course, not sufficient. NATO must also be able to restore, adapt or reconstitute its systems following a successful attack — a key part of what may be called “consequence management” capabilities.
Several valuable tools, developed over these past few years, are becoming available to NATO. Its Computer Incident Response Center will be fully operational next year, and the Cooperative Cyber-Defense Center of Excellence, formally established in 2008 in Tallinn, Estonia, is now up and running.
However, these specifically military efforts cannot be isolated from the wider cybersecurity issues our nations are tackling. The alliance thus recognizes the imperative for policies that would bring civilian and military capabilities together.
The concept of “in-depth cyberdefense,” which was endorsed at the Lisbon summit, is not intended to be a military-only, or even a military-centric, strategy. It necessarily cuts across the portfolios of a variety of actors, as it spans the technology employed, the awareness of users, and the physical protection of key elements of our hardware.
As a consequence, civilian authorities in all member nations have the lead responsibility on cybersecurity. NATO is therefore working in support of whole-of-government approaches to cyberdefense — led by civilian agencies in each nation — and with actors outside government.
Key among these are commercial suppliers and the wider industrial base, since NATO-wide, 85 percent of critical infrastructure is in private hands.
In discussing a hypothetical major attack, NATO leaders are often asked what circumstances would trigger a response under Article V of the Washington treaty — in other words, when would an attack against one be considered an attack on all?
It would not be prudent to try to define exact tripwires in advance, or to tie our hands as to how we would react. But assuredly, the alliance would respond deliberately to any significant attack, adapting its reaction to the extent of the damage, the degree of certainty in attribution, the identity of the attackers and their perceived intentions.
The challenges NATO faces in the cyber-domain are unlike any it has confronted in the past, but the alliance has established through the years that credible deterrence, backed up by collaboration on robust protection measures and permanent political consultation, is the strongest possible defense against a variety of threats.
This insight inspires its response to cyber-issues. In cyberspace and across a wide range of emerging threats, the decisions taken in Lisbon fully enable NATO to continue to deliver the type of credible collective defense that has made it the most successful alliance in the modern era.
By General Stéphane Abrial of France, the commander of NATO’s Allied Command Transformation based in Norfolk, Virginia.