
NATO Policy on Cyber Defense: Have We Learned from the Past?

By Lindsay Kihnel, Transatlantic Security Analyst


Cyber warfare is a growing threat to many states, and even NATO – the most effective military alliance in the world – has not been able to protect itself from all cyber attacks, as seen in the cases of Estonia (2007) and Canada (2011). In June 2013, NATO held its first meeting dedicated to cyber defense, and its defense ministers agreed that they needed to have a fully operational policy in this area by the fall. NATO coordinates and advises its member states on cyber defense policy through bodies ranging from the North Atlantic Council (responsible for high-level political guidance and decision-making) to its Computer Incident Response Capability Technical Center (responsible for “technical and operational cyber security services”).

The current policy being implemented focuses on: integrating cyber defense considerations into NATO structures; prevention, resilience and defense of critical cyber assets; developing cyber defense capabilities; consolidating protection of NATO’s networks; developing minimum requirements for cyber defense of national networks critical to NATO’s core tasks; providing assistance to Allies; and reducing vulnerabilities of critical national structures. NATO also engages external actors to promote awareness and share best practices. An example of this is Locked Shields, an annual cyber defense exercise aimed at training IT specialists to detect and alleviate large-scale cyber attacks.

NATO cyber defense policy largely stems from previous attacks and the lessons learned in their aftermath. The first major incident that galvanized preparations in this area occurred in April 2007 when, following tensions with Russia over the removal of a Soviet war memorial, Estonian government networks were harassed by a denial of service attack from an anonymous source. Estonia, which was particularly vulnerable to this attack because of its highly developed electronic infrastructure, experienced an interruption to online government services and had to shut down its banking system. In response, NATO member states began to debate new directions for cyber security and the appropriate punishments for states found to have engaged in such attacks. Secondly, the January 2011 cyber attacks against Canada helped to mold current policy. The Canadian government reported a major cyber attack against its agencies, including Defense Research and Development Canada, leaving many government officials without internet access for almost two months. Following the attacks, Canada launched several public awareness campaigns, such as the booklet Canada’s Cyber Security Strategy, educating Canadians on cyber threats and how to combat them.

As cyber attacks continue to be employed, most recently during the Ukraine crisis, a pressing question is whether or not NATO’s Article 5 should be invoked in response. While Article 5 specifies that “armed attacks” trigger a response by all NATO members, cyber attacks are generally considered to be an unconventional form of warfare. Nonetheless, they should be designated as armed attacks because they can inflict as much damage as a conventional bomb in terms of lives lost and physical damage. As the 2010 NATO Strategic Concept states: “Cyber-attacks are becoming more frequent, more organised and more costly in the damage that they inflict on government administrations, businesses, economies, and potentially also transportation and supply networks and other critical infrastructure; they can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability…” While uncertainties hinder a clearer policy on this issue – particularly in determining the origins of attacks – cyber attacks constitute a growing threat that needs to be taken seriously if NATO is to fulfill its Article 5 pledge and maintain its credibility as an alliance, especially given its members’ increasing dependence on information technology. State and non-state actors thinking of launching cyber-attacks need to know that swift and unified measures will be taken against them in the form of a collective defense response.

