NATO’s Cyber Security Policy: The Historical Process and Critical Junctures
*Source: DoD/D.Myles Cullen ©
NATO’s Cyber Security Policy: The Historical Process and Critical Junctures
During the cold war, the North Atlantic Treaty Organization (NATO) acted with the logic of traditional security against its symmetrical enemy. With the end of the cold war, the NATO has been obliged to renew this understanding. In this renewal process, ‘cyber security,’ has occupied an important place as one of the most challenging issues. Especially the cyber-attacks against NATO during the Kosovo War in 1999, and then against the member state Estonia in 2007 have forced the NATO to become more cautious about cyber threats. In this study, the turning points in NATO’s ten-year cyber defence policy, which started with the organized cyber-attacks while the NATO was bombing Serbian forces in Kosovo in 1999, are examined as a historical process.
I. Introduction: New Security Understanding and Cyber Security
‘Traditional security’ understanding defines security with a reference to a state-centric and military threat-focused viewpoint. In this understanding, artificial or constructed threats define the security agenda. However, with the process of globalisation, since the 1980s, the traditional security approach has been abandoned in favour of the “new security” concept. According to Herald Müller, new security refers to social, individual, global, economic, information and environmental security. Cyber security is actually located at the intersection of all these new security areas. In fact, while daily cyber-attacks can affect individuals and information security, a comprehensive cyber-attack can have a direct impact on social, global, economic and environmental security.
In most general terms, “cyber security” is defined as a whole comprised of the tools, security concepts and guarantees, guidelines, risk management approaches and activities, training and technological advances that are used to protect cyber-space institutions, organizations and users. “Cyber threats” that have generated the phenomenon of cyber security, are defined as the possibility of a malicious attempt to disrupt a computer network or system. Finally, the NATO defines cyber space, in which these two phenomena take place, as “a numeric world that contains computers and computer networks, where people and computers exist together in which all aspects of online activities take place.”
II. NATO’s Cyber Security Policy: The Historical Process and Critical Junctures
1. Chechen War (1994 – 1996)
A short while after the end of the cold war, when the Chechens began to struggle for independence against Russia, Russian troops intervened in the Chechen capital Grozny in 1994. Before the intervention, the Russians thought that conflict would be short. However, soon after the beginning of the conflict, the situation was not like the Russian troops had initially thought when Chechen fighters uploaded on the internet the pictures of killed Russian soldiers. Russian mothers, who saw the photos of their dead children on the internet, came together immediately and created public opinion to end to this conflict. Chechen fighters who are aware of the benefits of this situation actually have taken the first steps of today’s social media by utilising comprehensively the internet every day. In addition, this has been an important signal for the NATO, because the NATO was still bearing the traces of the cold war status quo mentality and it was not prepared for a response in case of an abstract enemy rather than a concrete one. In the subsequent period, during the Kosovo War, it became obvious that the NATO was not ready for such a situation.
2. Kosovo War (1998 – 1999)
Just five years after the conflict between Russian troops and Chechen fighters, the NATO began air strikes against the Serb forces in March 1999 due to the disastrous conflict between people of Kosovo who demanded independence from the Federal Public of Yugoslavia and Serbian forces, which tried to prevent Kosovo’s independence. On 7th May 1999, after the US Air Forces accidentally shot the Chinese Embassy in Belgrade, three Chinese journalists lost their lives in the air attack and the embassy building was damaged.
Although then US President Bill Clinton stated that it was an accident and officially apologised, both the Chinese government and the Chinese public thought that the incident was intentional. In the succeeding period, the government-backed Chinese red hacker group organised a series of cyber-attacks to the NATO’s and US’s major websites. Besides Chinese hackers, Serbian hackers have also conducted serious cyber-attacks. During these attacks, approximately 100 servers, which also included the NATO Headquarters’ e-mail server, were locked. As a result, NATO could neither sustain an online cooperation within itself nor with the member countries. These attacks that targeted NATO’s central system by Chinese and Serbian hackers during the Kosovo War were the first direct cyber-attacks in the history of the NATO.
During the cold war, NATO’s war strategy was prepared against a visible and tangible enemy. However, the change in the perception of threat in the post-cold war era has forced the NATO to draft a new strategy document in 1999. Although there is limited reference to cyber threats in this document, the NATO has taken the first step in the field of cyber security through this new strategy paper.
3. 11 September 2001 Attacks and the Afterwards
After the attacks on September 11 in 2001, when the US prepared to invade Iraq, allies of the NATO discussed a potential ‘cyber Pearl Harbour’ or ‘cyber September 11’ at the Prague Summit in November 2002. Nine NATO member states (USA, Germany, United Kingdom, France, the Netherlands, Spain, Italy, Canada and Norway) cognizant of the importance of the subject, agreed to share more information about it in November 2003. In the same year, NATO initiated the Cyber Defence Program and the Computer Incident Response Capability in order to combat cyber threats. One year after these initiatives, Communication and Information System Services Agency was established in Mons in Belgium in order to set up and maintain multiple communications between the main headquarters and other headquarters. This agency is still responsible for providing the online communication between NATO’s headquarters.
As cyber threats have become increasingly apparent, the issue of cyber-threats and cyber security were extensively discussed at the Riga Summit in 2006. In particular, the allies realised the potentially serious consequences of the lack of a solid infrastructure that would protect NATO communications systems. During such a period, the conflict between Russia and Estonia gained a cyber dimension.
4. Cyber Attacks against Estonia (28th April – 23rd May 2007)
Estonia is one of the leading countries in the world that effectively uses internet and online systems. It was one of the most important centres of informatics in the Soviet Republic (USSR) during the cold war. For this reason, even after the cold war ended and Estonia became an independent state, Russia has always strived to keep good relations with Estonia. However, Estonia in search of alignment with the West, weakened its ties with Russia through the initiation of the NATO membership negotiation process at the Prague Summit in 2002 and through becoming a member of NATO in 2004. By 2007, its relations with Russia were almost completely broken.
When the Estonian authorities wanted to move the Bronze Soldier Monument from the USSR period in the capital city Tallinn to a military cemetery, the Russian minority in Estonia did not only reacted to this but also deactivated all key information systems of Estonia on the night of 27 April. Estonian Russians continued these attacks for one month with the support they received not only from Russia, but also from a hundred different locations in the world. Ultimately, the NATO failed to offer timely assistance to Estonia, a NATO ally, being exposed to such an attack.
5. Bucharest Summit (24th April 2008) and Beyond
Although the superstructure is strong in Estonia, the infrastructural problems threw the country into a grave crisis. Lessons learned from the specific case Estonia which could not get sufficient external assistance during the crisis, despite being a member of the NATO, placed the cyber defence issue as the most important matter of debate at the Bucharest Summit of the NATO in 2008. Through the 47th article of the Summit’s Declaration, cyber defence became one of the primary defence areas of the NATO.
In the same year, following the Bucharest Summit, two important decisions towards cyber defence were taken. First, the Cyber Defence Management Authority (CDMA) was established in order to administer cyber defence from a single centre in Brussels where the NATO headquarters is situated; later on, in Tallinn, the Cooperative Cyber Defence Centre of Excellence (CCDCOE) came into operation.
The most important duty of the CDMA, which is managed by the Cyber Defence Board responsible to administer cyber defence policies of the NATO, is to coordinate assistance and collaboration in case of a cyber attack against member countries, according to the Article 5 of NATO Agreement. The duties of the CCDCOE, established simultaneously with the CDMA in 2008 in Tallinn, are to support the NATO and member countries towards cyber defence policy making; carry out scientific research, develop strategy, carry out training activities, perform military exercises and to follow current affairs.
There are three big projects that the CCDCOE has so far carried out. The first is Tallinn Manual on the International Law Applicable to Cyber Warfare prepared for fulfilling the legal gap to some extent with respect to cyberspace. Other projects are International Conference on Cyber Conflict and International Locked Shields Exercises organised every year since 2010 among NATO member countries.
6. Cyber Attacks against Georgia (1st August – 1st September 2008)
A cyber attack similar to the scenario in Estonia in 2007 happened in Georgia only after a year. The deficiencies in the informatics infrastructure of the Georgian Government were detected by hackers through the Distributed Denial of Service (DDoS) method; and Georgia was exposed to heavy attacks. These cyber attacks were organised not only from Russia but from different regions in the world.
The NATO could not provide direct assistance to Georgia, since it is not a member state of the NATO. However, due to increased attacks, a group of experts was sent to Georgia thanks to the Estonian government’s initiative. With the support of these experts, information system in the country has been normalised only recently after the prolonged cyber attacks. These attacks that Georgia was exposed to were one of the important topics during the Lisbon Summit of the NATO in 2010.
7. Lisbon Summit (19 – 20 November 2010) and Beyond
In 2010 at the Lisbon Summit, it was realised that the NATO still had significant deficiencies in the area of cyber defence which the NATO members had been trying to address for a long time. Especially, the inability to provide assistance to an aspiring member like Georgia during asymmetrical attacks was extensively debated among the member states. Consequently, in the same year defence ministers of the NATO members agreed on a new cyber defence policy and founded Rapid Reaction Teams in order to respond to probable cyber attacks in the fastest way possible.
In 2012 at the Chicago Summit, it was realised that there were still important coordination failures among the member states. For this reason, in 2013, five NATO member states (Denmark, Holland, Canada, Norway and Romania) initiated Multinational Cyber Defence Capability Development Project for further cooperation and coordination. However, this project was not very efficient as it was supported only by these five countries.
8. Newport Summit (4 – 5 September 2014)
Since 2010, new dynamics in global politics compelled the NATO to be present in many frontiers and prioritise other issues. Particularly, the overburden on the NATO manifested itself in 2014 at Newport Summit. The Summit focused on the Ukrainian Crisis and the ISIS terror organisation, while cyber defence policy was not a prominent theme.
Despite the overburden of NATO, cyber defence policy was considered under ‘fighting with new threats’ agenda. In this sense, it was discussed in relation to five priority areas determined before the Newport Summit (Ukrainian Crisis, the future of Afghanistan, fighting with new threats, increased support for the armed forces, empowering cooperation among member states). At the Summit, as a result of the limited discussions regarding this subject, Enhanced Cyber Defence Policy was accepted. Thereby, another new step was taken, in the name of improvement of cyber security policy of the NATO. At the final declaration of the Summit, important decisions were taken regarding cyber threats and security as stated in four articles (64, 72, 73 and 104): further cooperation among the member states, since the scope and number of cyber threats will increase in the future; additional coordination to address the major deficiencies in international law with respect to cyber space; member states should strengthen their policies towards cyber security; the relations with institutions like the European Union that have already made attempts on cyber security ought to be developed and the connections with companies operating in cyber space sector have to be intensified.
With the end of the cold war at the beginning of 1990s, many problems have come into existence. Particularly, cyber security, which is at the junction of the issues and areas considered under the new security approach, is one of the most important issues that challenged the NATO. The rapid developments in cyber space make cyber security the most important topic to be discussed and thought over in the middle and long terms. The volatile nature of cyber threats, the unknown sources of threats and major legal deficiency in the international legal framework point to a challenging period for the NATO and its member states. As a consequence, the NATO and the member states are obliged to empower their policy towards cyber security without losing time, because in case of an extensive cyber attack, it would be difficult to create a solution to these attacks.
H. Mehmet Boyraz, Head of Academic Council, Platform of Students in the Centre for Strategic Research
Please cite this publication as follows:
Boyraz, H.M. (December, 2015), “NATO’s Cyber Security Policy: The Historical Process and Critical Junctures” Vol. IV, Issue 12, pp.32-40, Centre for Policy and Research on Turkey (Research Turkey), London, Research Turkey (http://researchturkey.org/?p=10236)
 Bilal Karabulut, 2009. Küreselleşme Sürecinde Güvenlik Alanında Değişimler: Karadeniz’in Güvenliğini Yeniden Düşünme (Changes in the Field of Security in Globalisation: Rethinking Black Sea Security), Karadeniz Araştırmaları, 6:23, p. 2.
 Bilal Karabulut, ibid., p. 2.
 Bilal Karabulut, ibid., p.7.
 Hasan Çiftçi, 2013. Her Yönüyle Siber Savaş (Every Aspect of Cyber War), TÜBİTAK Popüler Bilim Kitapları, p. 6.
 Oxford Dictionary, Cyber Threat, [Accessed on 5 October 2015], Available at:
 Hasan Çiftçi, ibid., p. 4
 Salih Bıçakçı, 2012. Yeni Savaş ve Siber Güvenlik Arasında NATO’nun Yeniden Doğuşu (The Rebirth of NATO Between New War and Cyber Security), Uluslararası İlişkiler, 9: 34, p. 209
 Yavuz Yener, İlk Siber Savaş Örneği Olarak Kosova (As a First Example of the Cyber War Kosova), Siber Bülten, [Accessed on 5 October 2015], Available at:
 Emre Bakır, Beşinci Boyutta Savaş: Siber Savaşlar – I (War in the Fifth Dimension: Cyber Wars – I), TÜBİTAK BİLGEM, [Accessed on 5 October 2015], Available at:
 Salih Bıçakçı, 2014. NATO’nun Gelişen Tehdit Algısı: 21. Yüzyılda Siber Güvenlik (NATO’s Developing Threat Perception: Cyber Security in the 21th Century), Uluslararası İlişkiler, 10: 40, p. 118
 Author’s interview with Associate Professor Salih Bıçakçı via Skype on 11th May 2015. [Accessed on 5 October 2015], Available at:
 Mehmet Meral, NATO ve Siber Savunma (NATO and Cyber Defence), [Accessed on 5 October 2015], Available at:
 NATO Wales Summit Declaration, [Accessed on 5 October 2015], Available at: