NATO Set To Ratify Cyber-Defence Declaration
NATO is set to add cyber-threats to its fundamental treaty – but reportedly has little idea about the computer arsenals of its member countries
NATO has confirmed that it plans to add cyber-attacks to the list of threats that would trigger a collective response when leaders of the organisation meet in Newport, Wales, later this week.
However, exactly what would constitute such an attack remains ambiguous, and NATO reportedly has little in the way of cyber-response capacity. The organisation, the headquarters of which is in Brussels, also lacks clear information on the cyber-weaponry of member states such as the US and the UK, which would be needed to form a detailed cyber-strategy, according to reports.
Washington Treaty
NATO announced last week it plans to modify the Washington Treaty, the 1949 accord upon which the alliance is based, with Jamie Shea, the official in charge of emerging security threats, telling the Boston Globe that the new treaty will “explicitly state that the cyber realm is covered by Article 5”. The declaration is to be ratified this week, having been approved by NATO defence ministers in June, according to The New York Times.
The shift is intended to respond to the emergence of increasingly serious cyber-attacks, such as those that paralysed Estonia in 2007 and Georgia in 2008. Russia is suspected to have been behind those incidents, but has denied involvement. Other sophisticated cyber-campaigns have been attributed to Chinese and Iranian hackers.
The declaration marks a change in attitude on the part of NATO, which in 2010 rejected a proposal to add attacks on a nation’s financial systems or electrical grid to Article 5.
However, NATO officials admitted that the move is only a first step, with a “complete strategy” remaining to be formulated.
“Our declaration is a start, but I cannot tell you it is a complete strategy,” Anders Fogh Rasmussen, the departing NATO secretary general, said during a visit to Washington this summer, according to the Times.
Ambiguity
Shea confirmed that, for the time being, the definition of what constitutes a cyber-attack will be left intentionally ambiguous. “We don’t say exactly which circumstances or what the threshold of the attack has to be to trigger a collective NATO response and we don’t say what the collective NATO response should be,” he said.
US officials have publicly stated that a cyber-attack that appeared to be intended to prepare the way for a conventional military assault could trigger Article 5. A computer attack that inflicted serious material damage or took lives could also see a conventional military response, according to public statements by the US government.
However, NATO has no cyber-weapons of its own, and has never been briefed on the cyber-capabilities of member states such as the US and the UK, according to the Times’ report.
No ‘detailed plans’
Ivo Daalder, a former US ambassador to NATO and currently president of the Chicago Council on Global Affairs, said NATO’s cyber-defence capabilities are “still pretty basic”.
NATO lacks “detailed plans” about a cyber-response of the kind that exist for conventional or nuclear war, the report said, quoting an unnamed senior NATO official.
Member states such as the US, the UK and Germany, which do have advanced cyber-weaponry, have declined to brief NATO on their arsenals, in part to prevent other NATO members from obtaining the information, according to the official.
NATO officials were reduced to reading the NSA documents released by Edward Snowden in order to form an idea of the US’ computer operations against Iran and China, according to the report.
Are you a security pro? Try our quiz!