SOCRadar® Cyber Intelligence Inc. | Collective Security in Cyberspace with NATO


Jul 28, 2023
9 Mins Read

Collective Security in Cyberspace with NATO

The North Atlantic Treaty Organization (NATO) is an intergovernmental military alliance formed to ensure collective defense and security for its member nations. Security concerns in today’s interconnected, digital world have grown to include not only physical threats but also those posed by the vast universe of cyberspace.

Due to the nature of cyber threats that transcend state borders and organizational boundaries, cyber defense has become an integral aspect of NATO’s core mission of deterrence and defense. NATO’s strategy for cyber defense has inevitably evolved in response to the dynamic shifts in the threat environment.

NATO’s cyber defense strategy centers on safeguarding its own networks, operating effectively in cyberspace, supporting Allies in enhancing their national resilience, and providing a platform for political consultation and collective action.

As a cornerstone of collective security, NATO highlighted Cybersecurity as one of the prominent topics of the NATO summit in Vilnius, which took place on July 11-12, 2023.

NATO’s Cybersecurity Emphasis

NATO, established in 1949, mentioned the term ‘cyber attack’ for the first time in the 2002 Prague Summit Declaration, signifying the growing recognition of cyber threats. Therefore, ‘cyber defense’ was placed on the Alliance’s political agenda during the same summit, marking the beginning of NATO’s formal response to address the emerging challenges in the cyber domain.

The cyber attacks targeting Estonia’s public and private institutions in 2007 prompted the Alliance to action, and NATO approved its first Policy on Cyber Defence in January 2008.

Since the Prague Summit Declaration of 2002, NATO has been progressively recognizing the significance of cyber attacks, with the topic increasingly featuring in its documents until the Wales Summit Declaration of 2014. The 2014 policy marked a turning point, affirming cyber defense as part of NATO’s core task of collective defense and acknowledging that cyber attacks could trigger Article 5 under certain conditions. 

At the Warsaw Summit in 2016, NATO went a step further, declaring cyberspace a new operational domain alongside air, land, and sea, thereby bolstering NATO’s capacity to protect and conduct its missions and operations. The allies approved the new Comprehensive Cyber Defence Policy, which supports NATO’s core objectives of deterrence and defense, crisis prevention and management, and cooperative security at the Brussels Summit in 2021.

The 2021 policy emphasizes a comprehensive political, military, and technical approach to combat cyber threats. It includes building Allies’ cyber-infrastructure, enhancing cyber-security and defense capacities, and establishing a Cyberspace Operations Centre.

Timeline of NATO’s cybersecurity evolution
Timeline of NATO’s cybersecurity evolution

Article 5’s Role in Cybersecurity

Since 2014, NATO has emphasized that cyber attacks can also be grounds for invoking Article 5 of NATO’s founding treaty. Article 5 is placed in NATO’s founding document, the North Atlantic Treaty, and states that an armed attack against any member nation in North America or Europe will be considered an attack against all, leading to collective self-defense measures.

While NATO has occasionally reaffirmed the possibility of invoking Article 5 in response to cyber attacks, no such incident has occurred thus far. The nature and severity of such an attack remain uncertain, and NATO refrains from speculating on the precise requirements for invoking Article 5 for nearly a decade. The alliance prefers to use ‘vagueness’ to its advantage and remains cautious not to reveal specific reaction measures in cyberspace. On the other hand, this vagueness compels threat actors to define a strategy to operate below the threshold that would trigger Article 5 against NATO.

Article 5, the cornerstone of NATO’s collective defense, has been invoked only once in the alliance’s history after the 9/11 terrorist attack, which caused immense human loss and injuries. This historical event provides insight into the extent of an event, whether physical or cyber, that could potentially trigger Article 5.

Considering this, a cyber-attack that could trigger Article 5 might involve sophisticated assaults causing damage to critical targets, such as nuclear or chemical facilities, power plants, or significant defense infrastructure, and threats to civilian life. Similarly, cyberattacks like Estonia’s experience in 2007 could also lead to the invocation of Article 5.

In 2022, Albania faced a series of cyberattacks, believed to be orchestrated by Iran, impacting government websites and the banking system. Prime Minister Edi Rama stated that Albania’s government contemplated invoking NATO’s Article 5 in response. However, in the end, Albania chose not to take that step to avoid potential escalation and the risk of antagonizing powerful allies. Once again, this incident highlights the ongoing debate surrounding whether a cyberattack will ever reach the level of seriousness necessary to trigger a full-scale NATO collective defense response.

Cybersecurity Outcomes of the Vilnius Summit

During the Vilnius summit, NATO emphasized once again that “cyberspace is contested at all times” and reaffirmed its unwavering commitment to cyber defense. In this context, NATO reiterated the following key points:

Countering Cyber Threats: NATO actively counters substantial, continuous, and increasing cyber threats.

Full Range of Capabilities: NATO is determined to employ the full range of capabilities to deter, defend against, and counter the entire spectrum of cyber threats, and it is open to considering collective responses.

Promoting a Free, Open, Peaceful, and Secure Cyberspace: NATO is committed to fostering open and secure cyberspace, respecting international law, and supporting responsible state behavior in cyberspace to enhance stability and reduce the risk of conflict.

Article 5 Invocation: NATO acknowledges that a single or cumulative set of malicious cyber activities could reach the level of an armed attack, leading to the possible invocation of Article 5 of the Washington Treaty.

In Vilnius, NATO addressed the constant challenges in cyberspace and emphasized the significance of cyber defense in ensuring collective security within the Alliance. Besides this, the communiqué announced a new approach to cybersecurity and set out several measures to strengthen NATO’s cyber defenses.

A new concept for cyber defense was endorsed to strengthen its overall deterrence and defense posture. This concept involves integrating NATO’s three cyber defense levels—political, military, and technical and fostering civil-military cooperation, including engagement with the private sector, to enhance shared situational awareness.

Furthermore, the communiqué announced an enhanced cyber defense pledge, where NATO members committed to bolstering their national cyber defenses. This includes measures such as strengthening critical infrastructure resilience, increasing investments in cybersecurity, and fostering cooperation with other nations.

Additionally, NATO launched the Virtual Cyber Incident Support Capability (VCISC), offering member states a valuable tool to respond to significant malicious cyber activities. The VCISC provides access to expertise, technical assistance, training, and information sharing for effective cyber incident responses.

NATO also highlighted its commitment to closer cooperation between civilian, military, and industry stakeholders in addressing cybersecurity. Recognizing the complexity of the cyber threat landscape, NATO believes a comprehensive approach is necessary for an effective response.

Lastly, NATO announced its plans to hold the first comprehensive NATO Cyber Defense Conference in Berlin. This conference aims to gather decision-makers from political, military, and technical realms to enhance cyber defense efforts through collaborative efforts.

Recent Cyber Attacks Against the NATO

Since the beginning of the Russia-Ukraineconflict, various threat actors have focused on organizations and governments supporting Ukraine, notably targeting NATO and its affiliates.

As cyber conflicts escalate globally, the notorious hacker group known as KillNet has announced its intention to launch a series of high-impact Distributed Denial of Service (DDoS) attacks targeting NATO’s critical infrastructure. In April KillNet officially declared war on NATO in a video message posted to their official Telegram channel and requests from partners to join using the same hashtag. 

KillNet claims to have breached 40% of NATO’s electronic infrastructure through DDoS attacks, disrupting account logins. They also assert successful attacks on key NATO institutions, including infiltrating the NCI Agency and stealing personal data from its staff.

KillNet telegram post about NATO leak
KillNet telegram post about NATO leak

NATO countries and organizations have faced cyber threats from multiple actors, including NoName, UserSec, Anonymous Sudan, and KVAZAR DDoS, in addition to KillNet.

UserSec, NoName, Anonymous Sudan attacks against NATO countries
UserSec, NoName, Anonymous Sudan attacks against NATO countries

A sophisticated phishing campaign was uncovered before the NATO Summit in Lithuania. Ukraine’s Computer Emergency Response Team (CERT-UA) reported on a fake website impersonating the Ukrainian World Congress. The attackers created a replica of the Ukrainian World Congress website using the “.info” domain instead of the legitimate “.org” domain and hosted deceptive documents. Through this malicious website, the attackers distributed lobbying documents purportedly urging NATO to invite Ukraine, but the documents concealed malicious payloads. These malicious documents leveraged a recently disclosed zero-day vulnerability (CVE-2023-36884) affecting multiple Windows and Office products.

Throughout the Vilnius summit, NATO experienced ongoing cyber attacks, particularly focusing on Lithuania, the summit’s host country. Despite the cyber threats and attempts, the summit proceeded without major incidents. The cybersecurity measures in place helped mitigate the impact of the attacks, and authorities were able to deal with most of them effectively.

NoName DDoS attacks against Lithuanian websites, NATO
NoName DDoS attacks against Lithuanian websites


NATO’s cybersecurity evolution demonstrates a proactive and collaborative approach to addressing the growing cyber threats in the modern digital landscape.

NATO’s commitment to countering cyber threats is evident through its endorsement of a new concept to enhance cyber defense contributions to overall deterrence and defense postures. Integrating political, military, and technical cyber defense levels, civil-military cooperation, and private-sector engagement highlights the Alliance’s dedication to enhancing situational awareness and response capabilities.

Moreover, the enhanced cyber defense pledge and the commitment to cooperate more closely between civilian, military, and industry stakeholders reflect NATO’s recognition of the multi-faceted nature of cyber threats.

NATO’s continued efforts to navigate and promote collective security in cyberspace and proactive measures in mitigating cyber risks and fortifying cyber defenses align with the cyber threat intelligence approach. Organizations can strengthen their cybersecurity posture in alignment with NATO’s core mission of deterrence and defense by leveraging comprehensive cyber threat intelligence solutions.