Cyber defence at the 28th NATO Summit in Brussels, 11-12 July 2018

The 2018 NATO Summit in Brussels reaffirmed the Alliance’s commitment to continue its adaptation process to the evolving cyber threat landscape.

 

Introduction

Although approached with much scepticism and surrounded by a range of uncertainties (mainly related to the alleged failure of NATO members to meet defence spending targets), the Summit last July made significant progress in reaffirming the Allies’ support for NATO cyber defence policy. Many statements reiterated concepts that had already appeared in past summits’ declarations, but the evolution in the Alliance Cyber Policy, although slow and complicated by many factors, is tangible. An overview of the earlier NATO summits will help to appreciate the slow but steady progress in the new domain.

Cyber defence evolution in the earlier NATO Summits

The NATO Summit storyline sees cyber defence first appear on NATO’s agenda at the 2002 Prague Summit, where a single sentence of the final declaration was dedicated to cyber defence.¹ The 2006 Riga Summit confirmed cyber defence as a priority of the Alliance,² but it was not until the 2008 Bucharest Summit that a first formal common policy on cyber defence was endorsed and the structures and authorities to carry it out started to be developed.³ Since then, the swift evolution and complexity of cyberattacks across the world have pushed the issue to the top of the NATO security agenda. In 2010 at the Lisbon Summit, cyber defence was confirmed as a priority (mentioned 11 times in the final communiqué) and appeared for the first time in the new Strategic Concept, emphasising that cyber threats constitute a direct threat to national and Euro-Atlantic prosperity, security and stability. This spurred NATO to develop its ability to prevent, detect and defend against these threats, recover after cyber-attacks and enhance and coordinate national cyber defence capabilities.

In May 2012 at the Chicago Summit, NATO reaffirmed the cyber defence commitments made at the Lisbon Summit and pledged to provide the resources and to complete the necessary reforms to bring all NATO bodies under centralised cyber protection.⁴ For the first time, individual nations committed to identifying and delivering national cyber defence capabilities that would strengthen Alliance collaboration and interoperability, and to deeper engagement with relevant partner nations and international organisations.⁵

At the 2014 Wales Summit, an Enhanced Cyber Defence Policy was endorsed, emphasising cyber defence as part of NATO’s core task of collective defence.⁶ Influenced by the publication of the Tallinn Manual in 2013, the policy also recognised that international law, including international humanitarian law and the UN Charter, applied in cyberspace; and the possible resort to Article 5 of the NATO Charter⁷ in case of a cyberattack against one of the Allies was mentioned for the first time. At the Warsaw Summit in 2016,⁸ the Allies recognised cyberspace as a domain of operations and adopted the Cyber Defence Pledge, a long-term Alliance commitment to strengthen the cyber defences of national networks and infrastructures, implying nations becoming capable of defending themselves in cyberspace, in line with the provision of Article 3 of the North Atlantic Treaty.

Noteworthy developments at the 2018 NATO Summit

The heads of state and government participating in the Brussels Summit had several topics waiting for them, with the main ones related to reinforcing the Alliance’s deterrence and defence, stepping up the fight against terrorism and fairer burden-sharing between NATO members, the latter being the most debated in the preceding weeks. But despite the grim expectations on the eve of the Summit, several significant decisions were adopted by the Allies. These included: raising the readiness of forces with the launch of the NATO Readiness Initiative, ensuring more high-quality, combat-capable national forces at high readiness available to NATO;⁹ modernising the military command structure by establishing a Joint Force Command Norfolk Headquarters in the United States and a Joint Support and Enabling Command in Germany; reaffirming the commitment to all aspects of the Defence Investment Pledge agreed at the 2014 Wales Summit; improving the balance of sharing the costs and responsibilities of Alliance membership;¹⁰ enhancing Alliance military mobility; and setting up counter-hybrid support teams.

The Summit’s focus on cyber defence and security was as intense as at previous meetings, with a clear strategic direction for Alliance activities in the cyber domain, reminding all NATO members of the principle contained in Article 3 of the North Atlantic Treaty¹¹ on national responsibility to maintain and develop NATO members’ individual and collective capacity to resist armed attacks.

The Summit clearly reflected the Alliance’s perception of the unpredictable global security scene – ‘a time when the security and the rules-based international order are being challenged’, as stated in the final communiqué – with enduring challenges and threats from all strategic directions jeopardising Euro-Atlantic security and stability. Disinformation campaigns, attempted interference in elections and malicious cyber activities are all hybrid challenges that require what the Brussels Declaration called the ‘360-degree approach to security’ and the effective fulfilment of the three core tasks as set out in the 2010 Strategic Concept.¹²

Within this 360-degree approach, NATO framed its determination to continue to adapt to the evolving cyber threat landscape, which is affected by both state and non-state actors, including state-sponsored.  Some relevant decisions were adopted, namely: enhancing the cyber defences of national infrastructures and networks; setting up a Cyberspace Operations Centre; adopting a new biometric data policy; and increasing the number and quality of cyber exercises to ensure the Alliance’s responsiveness.

• National cyber defence capabilities development

The Summit Declaration firstly expressed NATO’s determination to support the development of strong national cyber defences through full implementation of the Cyber Defence Pledge. Individual NATO members’ capability enhancement means strengthening the Alliance’s overall deterrence and defence posture, characterised by a defensive mandate but not preventing the Alliance from employing the full range of capabilities – including cyber – to ‘deter, defend against and to counter the full spectrum of cyber threats, including those conducted as part of a hybrid campaign’.¹³ It was stressed that the ability to meet the challenges of a changing security environment is underpinned by an array of robust, sophisticated and evolving capabilities across all domains. NATO capability development in this field also includes Defence Capabilities Building assistance measures designed to help NATO’s partners’ authorities¹⁴ to further develop their cyber defence capacities.

• Integration of sovereign cyber effects

Paragraphs 20 and 29 of the Summit final declaration contain the most interesting statements related to cyber. In paragraph 20, the Allies declared agreement on ‘how to integrate sovereign cyber effects, provided voluntarily by Allies, into Alliance operations and missions, in the framework of strong political oversight’.¹³ The terms of the ‘agreement on how to integrate sovereign cyber effects’ were not disclosed. Thus, what ‘integration’ really means in this context of ‘cyber effects’ remains uncertain, at least until further clarity is given by NATO on the issue. However, the wording seems to reveal that the discussion on the topic (integration of ‘sovereign cyber effects’) might have been a complex one, with Allies striving to reach a common understanding. The need to affirm that political oversight of the entire process would be particularly intense (‘strong political oversight’), might suggest that sensitive matters were at stake, and that Allies may have had sharply differing views regarding the potential conduct of cyber operations.

In reality, NATO Allies normally maintain a tight control over NATO actions. In NATO, all decisions taken by the North Atlantic Council entail a previous consensus process in which ‘no Ally can be outvoted and for the outcome of which each Ally therefore bears responsibility’.¹⁵ With other conventional operations, Allies will express differing substantive national obligations with respect to the implementation of cyber operations, particularly when the object of the integration is not capability, but effect. In the declaration context, the term ‘effect’ cannot be interpreted as simply referring to the integration of national ‘cyber capabilities’. An ‘effect’ is normally intended to mean a change which is a result or consequence of an action or other cause. In the NATO Standard AJP-3.9 – Allied Joint Doctrine for Joint Targeting,¹⁶ ‘effects’ are those results or changes ‘necessary to achieve the commander’s objectives’. The use of the term ‘effect’ raises some doubts, not for the first time, even within the Alliance.¹⁷

The difference between integrating ‘cyber capabilities’ and integrating ‘cyber effects’ is of some importance and might have significant consequences, for example as regards the attributability of the conduct. It also gives rise to a series of questions: integrating only ‘effects’ might imply that an Operational Commander could not be aware of the cyber means and methods used to achieve that effect; and under International Humanitarian Law and the Law of Armed Conflict the achievement of a determined effect cannot disregard the means and methods used to produce it. In the targeting cycle, for example, will it mean achieving the Commander’s desired effects while disregarding how these effects will be achieved because some Allies will not be willing to disclose their cyber capabilities? This is hard even to imagine.

For conventional operations as for cyber operations, potential engagements may be carried out by units under national command within the overall NATO operational context.

Another question: given that cyber capabilities are ‘voluntarily provided by the Allies’, does the potential legal responsibility for a hypothetical violation of International Humanitarian Law or another applicable body of law fall to the Alliance itself or to the contributing state whose cyber-capabilities produced the ‘effect’? Under the established principles of international law and as agreed in the Tallinn Manual,¹⁸ an international organisation bears international legal responsibility for a cyber operation that breaches an international legal obligation and is attributable to the organisation.¹⁹ Article 7 of the International Law Commission’s Articles on the Responsibility of International Organisations states that only conduct over which the organisation exercises effective control is attributable to the organisation.²⁰ The basis for attribution in this case is the presumption that international organisations involved in military operations have effective control over military contingents with respect to the conduct of operations during the period when they are placed at the disposal of the international organisation.²¹

Another question: would allowing NATO members to provide ‘sovereign cyber effects’ to Alliance operations challenge the presumption by affecting the degree of control that NATO has on a specific cyber operation? Considering that the ‘sovereign cyber effects provided voluntarily by Allies’ may remain under the control of the Nations (at least to a certain degree), the conduct could be attributed to the Alliance, not automatically, but following a case-by-case assessment of NATO’s ‘effective control’ on the operation.

• Attribution, coordinated response and developing measures

While NATO members decided to continue to work together to develop ‘measures’ which would enable the Allies to impose costs on those who harm them (leaving it open to interpretation what exactly those ‘measures’ might be), they also agreed that individual Allies may consider, when appropriate, attributing malicious cyber activity and responding in a coordinated manner, recognising that attribution is a sovereign national prerogative. While the first statement might open the door for a collective response to a hostile cyber operation, the second brings us back to a principle of international law – one that is established, but to some extent nowadays questionable – according to which only an injured state may engage in countermeasures, whether cyber in nature or not (Rule 24 of the Tallinn Manual).The principle, though, is not definitely settled and is open not only to criticism (for example, as to why collective use of force is admitted and measures not involving the use of force are not), but also to different and possibly divergent states’ and international organisations’ practices.

• Cyberspace Operations Centre

Paragraph 29 of the final communiqué contains another important decision. As part of the Alliance´s efforts to adapt and strengthen the NATO Command Structure, NATO announced the establishment of a Cyberspace Operations Centre in Belgium²² to provide situational awareness and coordination of NATO operational activity within cyberspace, including the planning for exercises and operations.²³ The Centre is designed to allow the Alliance to ‘respond more effectively’ to cyber-attacks by integrating different national capabilities (not ‘effects’, in this case) provided voluntarily by Allies, and cyber measures with conventional military capabilities, adapting the tool to the circumstances. Prospectively, this will enable coordination between NATO’s different military capabilities and will facilitate the Alliance’s rapid response to possible threats. Equipping itself with a dedicated structure to effectively coordinate and facilitate NATO’s balanced responses to cyberattacks or threats by either conventional or cyber means, might be a game changer in the new operational domain; but only ‘might’, as integration and interoperability, especially when dealing with cyber operations, is not an easy target. NATO’s interoperability policy defines the term as the ‘ability for Allies to act together coherently, effectively and efficiently to achieve tactical, operational and strategic objectives’.²⁴ Predictably, it will take some time training and operating together to develop a common understanding of how to implement the desired descending intent in real operations.

• New biometric data policy

Terrorist organisations’ distorted use of technology was also addressed at the Brussels Summit. The Alliance decided to continue to improve capabilities and technologies and to counter terrorist misuse of technology.  In this framework, a new biometric²⁵ data policy has also been agreed. In the Alliance’s view, the newly approved biometric data policy, consistent with applicable national and international law and subject to national requirements and restrictions, ‘will further support NATO members’ ability to identify returning foreign terrorist fighters […] and to comply with UNSCR 2396 on the development and implementation of systems to collect biometric data in order to responsibly and properly identify terrorists, including foreign terrorist fighters’.²⁶

• Cyber exercises

The Allies also agreed that the Alliance’s political and military cyber responsiveness would be assured through more regular cyber exercises.

• Counter Hybrid Support Teams

The Brussels Summit also addressed the hybrid threat. It was made clear that, in case of a hybrid campaign targeting a NATO member state, while the primary responsibility for responding rests with the targeted nation, NATO will be ready, upon Council decision, to assist the victim Ally at any stage through the newly established Counter Hybrid Support Teams, designed to provide tailored, targeted assistance to Allies in preparing for and responding to hybrid activities, with the possibility to resort to Article 5 of the Washington Treaty in case of hybrid warfare.

• External cooperation

The Summit reaffirmed that NATO’s partnerships and cooperation initiatives with partner countries, international organisations and the private sector remain essential to NATO for the strategic contribution they can provide to Alliance and international security. A ‘Package on the South’ was endorsed, which includes a range of political and practical cooperation initiatives towards a more strategic, focused, and coherent approach to the Middle East and North Africa. Full Capability of the Regional Hub for the South²⁷ in Naples was declared. NATO cooperation with partners will also include supporting Ukraine’s efforts to strengthen its resilience against hybrid threats, by intensifying activities under the NATO-Ukraine Platform on Countering Hybrid Warfare. In addition, expressing the Alliance’s appreciation for the European parliament Cyber Defence Resolution adopted in June 2018,²⁸ the Brussel Summit final communiqué stressed that the EU remains a unique and fundamental partner for NATO, recognising the tangible results achieved in particular in operational cooperation on cyber security and defence and on countering hybrid threats.

Conclusions

Contrary to the forecasts on the eve of the Summit, many significant steps were taken in Brussels on the evolution path of NATO’s cyber defence policy. The final declaration contains specific requests and guidance to Allies and NATO bodies for an in-depth review of NATO’s current policy on cyber defence, in order to swiftly adapt it, with a cooperative and coordinated approach, to evolving cyber security threats. Cyber, therefore, emerges more and more as a component of the mix of nuclear, conventional and missile defence capabilities available to NATO to sustain credible deterrence and defence and to prevent conflict and war. Now it is for the relevant actors (Allies and NATO bodies) to translate the decisions taken in Brussels into action, according to their respective areas of competency and responsibility, and to provide a degree of clarity on some aspects of the Alliance’s cyber integration process that still appear uncertain.

 

Author: LTC Massimiliano Signoretti, NATO CCD COE

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

1. ‘We (the Heads of State and Government of the member countries of the North Atlantic Alliance) decided to strengthen our capabilities to defend against cyber attacks’ Prague Summit Declaration (par. 4 (f) ). [↩]
2. Cyber defence was included in the set of initiatives to increase the capacity of NATO forces to address contemporary threats and challenges by ‘improving protection of [the Alliance´s] key information systems against cyber attacks’, Riga Summit Declaration. [↩]
3. Thus meeting the need for NATO and nations ‘to protect key information systems in accordance with their respective responsibilities; share best practices; and provide a capability to assist Allied nations, upon request, to counter a cyber-attack’, Bucharest Summit Declaration. [↩]
4. With the promise to further integrate cyber defence measures into Alliance structures and procedures, Chicago Summit Declaration, (par. 49). [↩]
5. Chicago Summit declaration, paragraph 49. [↩]
6. The policy reaffirmed the principles of the indivisibility of Allied security and recalled that the fundamental cyber defence responsibility of NATO is to defend its own networks and that the responsibility of Allies is to develop the relevant capabilities for the protection of national networks; Wales Summit Declaration (par. 72). [↩]
7. On a case-by-case basis and upon decision of the Security Council. [↩]
8. For a complete and accurate analysis of the Warsaw Summit’s outcome, see an earlier Incyder article ‘NATO Recognises Cyberspace as a ‘Domain of Operations’ at Warsaw Summit’. [↩]
9. From within the overall pool of forces, Allies will offer an additional 30 major naval combatants, 30 heavy or medium manoeuvre battalions, and 30 kinetic air squadrons, with enabling forces, at 30 days’ readiness or less. [↩]
10. The Summit registered the considerable progress made since the Wales Summit with four consecutive years of real growth in non-US defence expenditure. [↩]
11. ‘In order more effectively to achieve the objectives of this Treaty, the Parties, separately and jointly, by means of continuous and effective self-help and mutual aid, will maintain and develop their individual and collective capacity to resist armed attack’. [↩]
12. Collective defence, crisis management and cooperative security. ‘The Strategic Concept’ is an official document that outlines NATO’s enduring purpose and nature, and its fundamental security tasks. It also identifies the central features of the new security environment, specifies the elements of the Alliance’s approach to security and provides guidelines for the adaptation of its military forces. The 2010 Strategic Concept was issued at the Lisbon Summit and is accompanied by the Military Committee Guidance MC 400/3, March 2012. [↩]
13. Brussels Summit declaration, paragraph 20. [↩] [↩]
14. Tunisia was expressly mentioned, in the framework of the Mediterranean Dialogue. [↩]
15. ‘A NATO perspective on applicability and application of IHL to multinational forces’, P. M. Olsen, International Review of the Red Cross (2013). [↩]
16. Edition A Version 1, April 2016. [↩]
17. See AJP 3.9 Records of Specific Reservations, where the US express their reservations ‘with the way ‘effects’ are described in the AJP. [↩]
18. See Rule 31 of the Tallinn Manual 2.0. [↩]
19. See Article 4 Articles of the ILC’s on Responsibility of International Organizations: ‘There is an internationally wrongful act of an international organization when conduct consisting of an action or omission: (a) is attributable to that organisation under international law; and (b) constitutes a breach of an international obligation of that organisation’. [↩]
20. ‘The conduct of an organ of a State or an organ or an agent of an international organization that is placed at the disposal of another International organisation shall be considered under international law an act of the latter organization if the organisation exercises effective control over that conduct.’ [↩]
21. See on the topic ‘The International Responsibility of NATO and its Personnel during Military Operations’, David Nauta, November 2017. [↩]
22. In November 2017, NATO Secretary General Jens Stoltenberg, following the meeting of the North Atlantic Council at the level of Defence Ministers, announced that the Alliance would establish a new Cyber Operations Centre. [↩]
23. Brussels Summit declaration, paragraph 29. [↩]
24. NATO Standard, AJP-01 Allied Joint Doctrine, Edition E, Version 1 February 2017. [↩]
25. Defined as measurable physical and behavioural characteristics that enable the establishment and verification of an individual’s identity. Biometrics is the latest trend in cyber security for both personal devices and entire networks, and biometric technology is commonly and growingly used as a means of authentication for networks. [↩]
26. Brussels Summit declaration, paragraph 11. [↩]
27. Formally established in September 2017 as part of the NATO Strategic Direction South (NSD-S) initiative, the NSD-S Hub is a forum that connects Allies, partners and subject matter experts to better understand and overcome challenges, as well as look for opportunities in NATO’s South (Middle East, North Africa, Sahel, and Sub-Saharan Africa). [↩]
28. For an analysis of the European Parliament Cyber Defence Resolution, see an earlier Incyder article ‘European Parliament lists priorities for cyber defence and highlights cooperation with NATO’. [↩]