NATO members agree to new cyber defense policy

The United States and other North Atlantic Treaty Organization nations endorsed a new cyber defense policy Monday as part of the NATO summit in Brussels.

“Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law,” the Brussels Summit Communique released by NATO Monday read. 

As part of the new policy, a decision to invoke Article 5 of the North Atlantic Treaty, which founded NATO, would be taken on a “case-by-case basis” involving cyberattacks on NATO members.

Article 5 states that if a NATO allied nation is attacked, other members would consider it an attack against all NATO nations and consider actions to respond.

“Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack,” the communique read. 

The NATO member states, which include the United States and most European nations, agreed as part of the new policy to use NATO as a platform for information sharing and engagement on international cybersecurity concerns, and to continue to improve NATO’s cyber defenses. 

President Biden told reporters Monday that the new policy was NATO’s first new iteration of the policy in the past seven years, and stressed it will “improve the collective ability to defend against counter threats from state and non-state actors against our networks and our critical infrastructure.”

“Our alliance can still prevail against the challenges of our time,” Biden said. 

Jake Sullivan, Biden’s national security advisor, told reporters Sunday ahead of the NATO summit that the new policy would “upgrade the defense, political, and intelligence dimensions of cyber across the Alliance.”

Sullivan noted that the full policy would not be a “public document,” and reaffirmed that Article 5 would be invoked on a “case-by-case” basis. 

The new policy comes amid growing international pressure to take action to curb the increase in major cyberattacks on the U.S. and other nations. 

In recent months, the SolarWinds hack by Russian government hackers compromised nine U.S. federal agencies, while recent ransomware attacks on Colonial Pipeline and JBS USA posed major disruptions to critical U.S. supply chains. 

Internationally, ransomware attacks have become a growing problem as well, particularly on healthcare systems during the COVID-19 pandemic. 

Ireland’s health care system is still struggling to get back to normal operations following a ransomware attack last month, and hackers released stolen data from a separate attack on New Zealand’s health care system in May.  

In response, Group of Seven (G-7) leaders on Sunday announced an agreement to fight ransomware attacks, and Biden is expected to address cybersecurity concerns with Russian President Vladimir Putin when they meet later this week.

“If he chooses not to cooperate and acts in a way that he has in the past relevant to cybersecurity and some other activities, then we will respond, we will respond in kind,” Biden told reporters Tuesday of the upcoming summit with Putin.