Leaders of the North Atlantic Treaty Organisation have endorsed a common policy on cyber defence at their summit in Bucharest, agreeing to set up a new authority that will coordinate NATO’s “political and technical” reactions to cyber attacks.
NATO leaders on Thursday (3 April) decided to develop the “structures and authorities” to carry out a new coordinated approach to cyber attacks. The new approach will aim to prevent and counter situations like the one seen in Estonia in summer 2007, when cyber terrorists crippled strategic network infrastructure, including banks.
The new tasks will be carried out by the Cyber Defence Management Authority (CDMA), the launch of which was expected at the Bucharest Summit. However, the launch of the new authority was delayed due to “technical and bureaucratic problems” despite there already being “a substantial agreement on the concept,” according to a NATO official who spoke to EURACTIV in Bucharest.
Despite strong pressure from some Eastern European members, and in particular Estonia, the competencies of the new authority will fall exclusively on Article 4 of the North Atlantic Treaty “for the foreseeable future,” the official said. In other words, members will “consult together” in case of cyber attacks, but will not be bound to “assist” each other as foreseen in Article 5 of the Treaty.
With an increasing number of government activities moved to the Internet, it remains to be seen what the Alliance would do in case of a cyber attack. The fall of the Twin Towers in 2001 led to the application of Article 5 and the beginning of the war against the Taleban in Afghanistan.
However, a similar military reaction is “completely excluded” in case of a cyber attack at this stage, according to a NATO official involved with cyber defence dossiers. Instead, NATO is exploring ways to coordinate a “political and technical response,” the official told EURACTIV.
The Bucharest Final Declaration on cyber defence states: "NATO remains committed to strengthening key Alliance information systems against cyber attacks. We have recently adopted a Policy on Cyber Defence, and are developing the structures and authorities to carry it out. We look forward to continuing the development of NATO's cyber defence capabilities and strengthening the linkages between NATO and national authorities."
Estonian President Toomas Hendrik Ilves confirmed his country's tough line on countering cyber attacks by invoking the use of Article 5 of the North Atlantic Treaty, which involves the direct intervention of NATO members. "Weapons should not matter. If you blow up a hospital or an electricity plant the threat is the same. But there is no symmetrical response." "What is the response after the attack?" he asked during a conference in Bucharest organised on the margins of the summit.
Commenting on the issue, a senior NATO official told EURACTIV he could "hardly imagine" how the alliance could rely on Article 5 on cyber defence issues "in the foreseeable future". But another NATO official said the issue was "very sensitive" and did not exclude the use of Article 5, provided it is bound to "political and technical responses".
Martin Selmayr, spokesperson for EU Information Society Commissioner Viviane Reding, underlined Brussels' support for every initiative aimed at improving the security of networks. He said the Commission's strategy is to strengthen the existing EU agency dealing with telecommunications security, the European Network and Information Security Agency, based in Crete.
"We need a rapid reaction force," Selmayr told EURACTIV. "What ENISA is doing now is sitting around a table and drafting reports. They are very accurate but this is not enough. We need a body that operationally deals with the security," he added, underlining that the new Telecoms Authority proposed by the Commission last November would provide a solution to this (see our Links Dossier on the Telecoms package review).
Cyber defence first appeared on NATO's agenda at the 2002 Prague Summit and was later confirmed as a priority at the Riga Summit of November 2006.
But the need to protect information systems gained new urgency with the cyber attack carried out against Estonia, a NATO member, in spring 2007.
Following the relocation of a Red Army soldier statue to the Estonian capital Tallinn, a concerted cyber attack hit key public and private infrastructures such as banks and telecommunication servers. The simultaneous connection of thousands of computers to the same servers crippled essential Internet-based services, including the payment of salaries.
This episode led NATO to agree on the future establishment of a new body, the Cyber Defence Management Authority (CDMA), which was given the task of initiating and coordinating an "immediate and effective cyber defence action where appropriate" (EURACTIV 13/02/08).