North Atlantic Cyber Defense: the Warsaw Pledge By Léonard Rolland, Ministère des Affaires Etrangères

Meeting on the occasion of the Warsaw Summit on 7 and 8 June 2015, NATO Heads of States and Governments adopted a « Cyber Defense Pledge » through which they promised to significantly increase their national cyber defense efforts. This initiative is to be conceived as an element of cohesion and risk reduction within the Alliance.

Summit after Summit, the Alliance has been refining its cyberspace strategy. In 2014 in Wales, NATO members acknowledged that Article 5 of the Atlantic North Treaty, which states that the Alliance as a whole may respond to an armed attacked against one its members, was applicable to large scale cyberattacks. In order to better reflect the spirit of the Treaty and in particular the link between Article 5 and Article 3, according to which member States must maintain and develop their individual and collective capacity to resist armed attacks, Member States in Warsaw solemnly undertook to reinforce their national capacities to resist cyber-attacks, as a way to complement this initial step forward. As a matter of fact, « burden sharing » is an essential feature of transatlantic solidarity, as embodied in article 5, and Head of States and Governments effectively endorsed this principle at the 2014 Welsh Summit when committing to dedicate at least 2% of their country GDP to their defense efforts.

A brief one and a half pager, the Cyber Defense Pledge requires each Member to provide adequate resources and training for the development of the full range of cyber defense capabilities, « from fundamental cyber hygiene to most advanced and robust cyber defense ». Only in this way will the Alliance be able to « keep pace with the fast evolving cyber threat landscape », and will guarantee that its members will be equally « capable of defending themselves in cyberspace as in the air, on land and at sea ». This wording is consistent with the concomitant recognition during the Summit of cyberspace as an operational domain. Finally, the document highlights the complementarity between NATO’s purely military initiatives, and broader efforts carried out by the EU through legally binding regulation of the EU Digital Single Market. The recent NIS Directive (Network and Information Security) adopted last July provides in this regard for a global strengthening of critical infrastructure cybersecurity across Europe.

The Pledge initiative, which will have to translate into measurable and concrete outcomes (the document includes a review meeting clause), was carried by France well before the Summit. It anchors NATO’s work in a realistic vision of cyber defense challenges. As rivals in cyberspace are able to play with thresholds – as it can be the case with the « armed attack » criteria mentioned in Article 5, and because they are able to conceal their identity in the “fog of cyberwar”, the most appropriate response consists for now in reducing our individual and collective attack surface. France understood this need since the 2008 White Paper, and never stopped reinforcing its military and civilian efforts ever since, in order to guarantee our defense and security in the digital world. We now have to share with all our allies the experience in military cyber defense that we acquired mostly during recent operations, and to help them build-up capacities to face now « emerged » risks and threats.