At the Warsaw Summit NATO officially recognized cyber domain as a domain of warfare “in which NATO must defend itself as effectively as it does in the air, on land, and at sea.”
So far the top priority for NATO has been the protection of its own communication and information systems (CIS) and infrastructures, but now the member states have made a priority of protecting their national networks as well. This high political level commitment should alleviate existing gaps in capacity and capabilities among the Allied countries and foster the overall resilience of the Alliance. Notably, cooperation with the EU in countering hybrid and cyber threats received a new impetus. At the same time in the area of cyber defence, NATO seems to continue doing mostly the same as it has done so far, albeit with greater effort.
Among other activities, the Alliance will continue sharing information, improving situational awareness, integrating cyber defence into operational planning, by agreeing for instance on further capability targets, and cooperating on education and training. It will continue to facilitate cooperation across the Alliance with efforts like Smart Defence projects, cyber defence exercises, and other education and training opportunities. It will expand the capabilities and scope of NATO’s cyber range in Tallinn.
On the other hand, individual member states took greater responsibility to protect their CIS networks, including those that NATO depends on. Indeed, some member states still lack basic policies such as a national cyber security strategy. Protecting national assets deployed in NATO missions is of utmost importance since due to interconnectivity, NATO is only as strong as the least mature member state. Political commitment to augmenting financial and other resources, speeding up the implementation of cyber defence capability targets, improving national skills and expertise, and sharing information and national threat assessments should now be translated into tangible policies and actions with clear goals, means, and ends.
In Warsaw, NATO underlined its coordinating and facilitating role in supporting its member states in cyber defence that along with resilience remains a national responsibility. The agreed requirements for national resilience, including the protection of national critical infrastructure, will be implemented. Since NATO missions and operations depend heavily on national energy, transportation, and communication infrastructures, NATO will support Allies in protecting these assets both against hybrid and cyber threats. To reduce vulnerabilities to these threats and address existing gaps, NATO took a role in assessing the progress of member states. Also, NATO’s partners will be supported in their efforts to enhance national resilience.
Perhaps most importantly, NATO announced in Warsaw that cooperating with the EU in countering hybrid and cyber threats is a strategic priority. The EU plans to establish a hybrid threat centre of excellence, with possible location in Finland. Cooperation areas include information and intelligence sharing between staffs – where there is no formal agreement between the two organizations to share classified information, except the technical arrangement between cyber response teams concluded in February 2016 – and cooperating on analysis, prevention, and early detection. NATO and the EU also pledged to cooperate with regards to cyber elements in NATO’s and CSDP exercises, as well as education and training, including coordinating their exercises. Both organizations will set up necessary coordination mechanisms and procedures, and progress will be regularly assessed.
While NATO’s strong emphasis on cyber defence sends a clear signal to friends and adversaries alike about its renewed commitment to maintain freedom of action and decision in cyber and other domains and in all circumstances, it is not clear how the Alliance will achieve it. Even though Allied countries are able to invoke Article 5 of the Washington Treaty in case of serious hybrid and cyber threats, NATO does not possess commonly shared cyber means that would permit defending individual member states against them. So far the Allied countries must protect their networks by themselves.