One night, just before Christmas in 2015, the power went out across Kiev. As apartments rapidly chilled in the sub-zero temperatures and water pipes began to freeze, Ukrainian engineers raced to turn the power back on. A year later, exactly the same thing happened again. The power was only off for a few hours each time, but a point had been made. Anonymous fingers had set off a weapon that, in the depths of a Ukrainian winter, could be every bit as deadly as a precision-guided missile.
This is just one of many cyber attacks in recent years, including many on Nato allies. Hackers have attempted to influence elections in the US, France and Germany.
In 2017, disruption caused by the NotPetya attack cost Maersk, the world’s largest shipping company, over $200m. Last year’s WannaCry ransomware attack caused disruption to dozens of NHS hospitals. These incidents have increased public awareness of cyber attacks. Nato has been working to combat them for a lot longer.
For almost seven decades, we at Nato have ensured the defence of our nations. Today, that means protecting 29 countries and almost 1bn people. During the cold war, our focus was on guarding against conventional and nuclear conflict. Today, a cyber attack can be as destructive as a conventional attack, and practically every conflict has a cyber dimension. So being able to defend ourselves in cyber space is just as important as defending ourselves on land, at sea and in the air.
In 2016, Nato leaders pledged to invest more in cyber defence. This is part of the biggest reinforcement of our collective defence since the cold war, in response to a more unpredictable security environment. Since then almost every ally has improved its cyber capabilities. In Europe, the UK is leading the way, investing £1.9bn through its National Cyber Security Strategy. Its CyberFirst Girls Competition, aimed at encouraging more young people into a career in cyber security, has had more than 12,500 participants.
The UK is not alone. Nato’s cyber rapid reaction teams are on standby 24 hours a day to help any ally. National cyber capabilities are being integrated into Nato operations and we will set up a new Cyber Operations Centre as part of a revamped Nato command structure. This will allow military commanders to integrate cyber fully into our planning and operations.
I am often asked how significant a cyber attack would need to be to trigger Article 5. My answer is: we will see
We are also helping allies to pool their resources, knowledge and expertise. In Estonia, itself the victim of a large cyber attack in 2007, the Nato Centre of Excellence for Cyber Defence co-ordinates research and training in cyber defence across the alliance. It also organises large-scale cyber exercises such as Locked Shields, the world’s biggest live-fire cyber exercise, held annually, allowing participants to test their skills against world-class opponents.
Nato works closely with partners, such as Ukraine and Moldova, helping them improve their national cyber defences. We work with the EU on training and research, participating in each other’s cyber exercises. We share information on cyber attacks in real time with the EU, governments and private companies, as we did during the WannaCry attack.
Private companies are often the first line of defence against cyber attacks. That is why we launched the Nato Industry Cyber Partnership in 2014. During the WannaCry attack, the information provided by industry partners was critical for getting the most up-to-date picture of a rapidly evolving and complex situation.
The cornerstone of our collective defence is Article 5 of Nato’s founding treaty. It states that an attack on one ally is an attack on all allies. Previously, only physical attacks could trigger Article 5. Now, following agreement by Nato leaders in 2014, this includes a cyber attack.
I am often asked how significant a cyber attack would need to be to trigger an Article 5 response. My answer is: we will see. The principles of deterrence dictate that this must remain deliberately vague or we risk inviting attacks at a level immediately below that threshold.
The nature of any response must also remain undefined, but it could include diplomatic and economic sanctions, cyber responses, or even the use of conventional forces, depending on the nature and consequences of the attack. Whatever our response, Nato will continue to follow the principle of restraint and act in accordance with international law.
This week, Nato leaders are meeting in Brussels. We are strengthening our defences, including our cyber defences. We are making sure that our armed forces can fulfil their missions without being paralysed by cyber attacks. We are helping our allies and partners to be more resilient through the exchange of knowledge, intelligence and training.
The digital revolution has improved our lives in many ways. But if we are to fully enjoy the opportunities, we must also guard against the risks. Nato is taking the necessary steps to keep our nations and our people safe.
The writer is secretary-general of Nato