Atlantic Council

From Jason Healey, the New Atlanticist:  Earlier this month, the Alliance’s defense ministers adopted a new Cyber Defense Policy and Action Plan, fulfilling and moving beyond the policy basics of the Strategic Concept from the 2010 Lisbon Summit. Though the details are still classified, this blog will discuss the basics of the new policy which seems to root NATO in the things they must do, rather than overextending the Alliance to create new missions or reasons to exist.

Especially since the 2007 cyber attacks on Alliance member Estonia, NATO has been working to develop appropriate policy responses to potentially similar incidents. As such, the new focuses have been on improving a coordinated NATO approach, enhancing cyber defense capabilities to stop threats and improve responses, and cooperating with the larger international community. . . .

The policy seems to give particular attention to how the Alliance would respond to cyber incidents. When NATO itself suffers a cyber incident, the Computer Incident Response Capability would lead the technical defense and response, in coordination with the Cyber Defense Management Board.   To assist this process, there will be memorandums of understanding (MOUs) between each nation’s cyber defense organizations and this Board.

More importantly, the policy makes clear that if an Ally were subjected to some kind of cyber incident any decision on collective defense (per under Article 5 of the NATO Charter that an attack on one is an attack on all) will be a political, not a technical or even military, decision. That is, the matter will be decided by the senior policy makers of the Alliance and of each Ally and not by the incident response teams or individual commanders.  And even though the technologists or the media may call a cyber incident an “attack” does not make it a military-style attack envisioned under Article 5. . . .

Though the defense ministers confirmed that NATO would “maintain ambiguity” about responding to cyber attacks, it is very unlikely the North Atlantic Council would invoke collective defense unless cyber attacks caused significant damage and deaths, equivalent to kinetic military force. (If the cyber attack is part of a larger crisis, NATO will rely on its existing crisis management procedures.)

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber issues on Twitter, @Jason_Healey.  (photo: NATO)

To learn more about the program, please visit the Cyber Statecraft Initiative page for more information.