North Atlantic Treaty Organisation

The North Atlantic Treaty Organization (NATO) is a regional organisation of 29 countries in the area of the North Atlantic, which was established in 1949 by the North Atlantic Treaty. It is a military and political alliance, constituting a system of collective defence and crisis management for its members.

Cyber defence became part of NATO’s political agenda at the Prague Summit in 2002, and has been reiterated ever since. The cyber attacks against Estonia in 2007 may be seen as initiating the gradual shift in the attention the Alliance has paid to cyber defence since then. NATO’s first cyber defence policy was prepared in 2008. At the Lisbon Summit in 2010, cyber defence was included in NATO’s Strategic Concept, and the summit declaration precipitated the update of the Cyber Defence Policy in 2011 and the creation of an accompanying Action Plan in 2012. On 5 September 2014, a new enhanced Cyber Defence Policy was approved at the Wales Summit. The Policy ‘clarifies that a major digital attack on a member state could be covered by Article 5 [of the North Atlantic Treaty].’ ((Steve Ranger, “NATO updates cyber defence policy as digital attacks become a standard part of conflict”,…)) The Policy further improves information-sharing and mutual assistance between Allies, enhances training and exercises and furthers cooperation with the industry. At the Warsaw Summit in 2016, NATO recognised cyberspace as a domain of operations, and pledged to further develop NATO-EU cyber defence cooperation, and to commit more resources to cyber defence capabilities. In 2018, the defence ministers of NATO members states agreed on the creation of a new Cyber Operation Centre at SHAPE to help integrate cyber into NATO planning and operations at all levels.

The NATO Policy on Cyber Defence is implemented by NATO’s political, military and technical authorities, as well as by individual Allies. The North Atlantic Council provides high-level political oversight on all aspects of implementation and is appraised of major cyber incidents and attacks, and it exercises principal authority in cyber defence-related crisis management.

The Cyber Defence Committee (CDC), prior to April 2014 known as the Defence Policy and Planning Committee (Cyber Defence), is a senior advisory body to the NAC in matters of cyber defence, while also providing consultation to the Allies and exercising overall governance of NATO’s internal cyber defence.

The Cyber Defence Management Board (CDMB) operates under the auspices of the Emerging Security Challenges Division of NATO HQ. It consists of representatives of all major stakeholders in cyber security within NATO, such as Allied Command Operations (ACO), Allied Command Transformation (ACT) and the NATO agencies. CDMB does the strategic planning and executive direction regarding NATO networks. It also signs Memoranda of Understanding with Member States to facilitate information exchange and coordinate assistance.

The NATO Consultation, Control and Command (NC3) Board constitutes the main committee for consultation on technical and implementation aspects of cyber defence.

The NATO Communications and Information Agency (NCIA) was created on 1 July 2012, pursuant to the aim in the Lisbon Summit Declaration, by merging 7 NATO agencies dealing with CIS and cyber activities. NCIA is the primary CIS provider for NATO. The NATO Computer Incident Response Capability (NCIRC) is incorporated in the NCIA and it is the body responsible for the centralised technical protection of NATO cyber assets. The NCIRC reached full operational capability in May 2014. ((NATO, Cyber defence,

The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) is a NATO-accredited research and training facility dealing with education, consultation, lessons learned, research and development in the field of cyber security. Currently it has 22 Sponsoring Nations (NATO Member States) and 3 Contributing Participants (Austria, Finland and Sweden). NATO CCD COE is funded, directed and tasked by the Sponsoring Nations, but services are also requested by NATO via the ACT, even though it is not included in the NATO organisational structure.