NATO Cyber Defence Policy: An adaptation to the emerging threats of the 21st century, or the...
Transcript of NATO Cyber Defence Policy: An adaptation to the emerging threats of the 21st century, or the...
NATO Cyber Defence Policy An adaptation to the emerging threats of the 21st century, or the
resurgence of Cold War logic in the “fifth battlefield”?
MA in the Department of International Politics Aberystwyth University
Justine Marie Chauvin
2014
A dissertation submitted in partial fulfillment of the requirements for the degree of Master of Arts in International Politics of the Internet.
NATO Cyber Defence Policy Justine M. Chauvin
2
TABLE OF CONTENTS
OFFICIAL STATEMENTS ................................................................................................................................................ 3
ACKNOWLEDGMENTS .................................................................................................................................................... 4
ABSTRACT ........................................................................................................................................................................... 5
NATO CYBER DEFENCE POLICY ................................................................................................................................. 6
I. Introduction .............................................................................................................................................................. 6
i. Research question ............................................................................................................................................ 8
ii. Justification .......................................................................................................................................................... 9
iii. Outline ................................................................................................................................................................ 11
II. NATO, cyber security & IR theories .............................................................................................................. 13
i. Neorealism ........................................................................................................................................................ 14
NATO as an alliance ................................................................................................................................... 14 a.
Cyber security as a new field for old conflicts ................................................................................ 17 b.
ii. Liberalist institutionalism .......................................................................................................................... 19
a. NATO as an institution ............................................................................................................................. 19
b. Cyber security as a driver for institutional transformations ................................................... 24
iii. Constructivism ................................................................................................................................................ 25
a. NATO as a norm promoter ..................................................................................................................... 25
b. Cyber security as an intersubjective and discursive framing of threat ............................... 28
III. Methodological Framework ............................................................................................................................ 32
i. Discourse analysis: theory and method ................................................................................................ 32
ii. Conceptual framework (1): Security and cyber security discourses ....................................... 34
iii. Conceptual framework (2): Cyber security discourses in practice ........................................... 38
iv. Sources ............................................................................................................................................................... 41
IV. NATO cyber defence policy .............................................................................................................................. 44
i. Chronology and overview .......................................................................................................................... 44
ii. Analysis .............................................................................................................................................................. 50
a. Cyber security issues: Risk management or threat retaliation? ............................................. 50
b. NATO’s cyber strategy: Inclusive or exclusive? ............................................................................. 59
c. Institutionalization of NATO’s cyber defence policy ................................................................... 67
V. Conclusion ............................................................................................................................................................... 73
BIBLIOGRAPHY .............................................................................................................................................................. 78
NATO Cyber Defence Policy Justine M. Chauvin
3
OFFICIAL STATEMENTS
The word length of this dissertation is 14’988.
DECLARATION
This work has not previously been accepted in substance for any degree and is not
being concurrently submitted in candidature for any other degree.
Signed:
Date: 21st September 2014
STATEMENT 1
This work is the result of my own investigations, except where otherwise stated. Where
correction services have been used, the extent and nature of the correction is clearly
marked in a footnote(s).Other sources are acknowledged (e.g. by footnotes giving
explicit references). A bibliography is appended.
Signed:
Date: 21st September 2014
STATEMENT 2
I hereby give consent for my work, if accepted, to be available for photocopying and for
inter-library loan, and for the title and summary to be made available to outside
organisations.
Signed:
Date: 21st September 2014
NATO Cyber Defence Policy Justine M. Chauvin
4
ACKNOWLEDGMENTS
First and foremost, I would like to express my sincere gratitude to my supervisor, Dr.
Madeline Carr. Her willingness to encourage me, as well as her invaluable assistance,
support and advices contributed tremendously to this finale dissertation.
I am also grateful to the Department of International Politics for having given me the
opportunity to study in such a vibrant academic community, as well as for having
offered me a David Davies Scholarship. In addition, I would like to thank my lecturers
who have been all extremely stimulating and inspiring, in particular Dr. Berit
Bliesemann de Guevara, Dr. Jeff Bridoux, Dr. Jan Ruzicka, and Dr. Kristan Stoddart; as
well as Dr. Alistair Shepherd for his helpful insights on NATO.
It has been a great pleasure to pursue a MA at Aberystwyth University, thanks to my
wonderful fellow postgraduate students and friends. Finally, I wish to thank my parents
for their support and the confidence they have shown in me over the years.
NATO Cyber Defence Policy Justine M. Chauvin
5
ABSTRACT
The current development of a cyber defence policy by the North Atlantic Treaty
Organization (NATO) is usually seen as exemplifying the alliance’s changing scope of
intervention; as well as its broadened perception of security. From an institutional-
liberalist perspective, it is said to illustrate the transformation of NATO from a defensive
alliance into a security management institution. However, others have pointed out that
NATO cyber defence policy has been developed with regard to seminal events, such as
the cyber-attacks on Estonia in 2007 and on Georgia in 2008, and mirrors the persisting
cold war logic in NATO current policy.
This dissertation aims to investigate if NATO’s cyber agenda exemplifies the alliance’s
transformation into a security management institution; or rather if it displays the
continuity of NATO’s self-perception as a defensive alliance. In order to address these
questions properly, this dissertation is based on an interpretative approach, using
discourse analysis as a method, and a theoretical framework drawing on constructivist
accounts, as well as on various liberal institutionalist concepts.
The results of this analysis displayed mixed elements. However, it ultimately seems that
NATO cyber defence policy exemplifies the continuous prevalence of NATO’s self-
perception as an alliance, designed to defend its members against an external threat.
Indeed, the analysis highlights that developments in NATO cyber defence policy are
generally conceived as new facets of NATO’s original role – demanding adjusting
NATO’s strategy and operational capacities. Yet, NATO cyber defence policy does not
seem to represent a fundamental shift in NATO’s perception of its own purpose.
This analysis also highlights the need for further research including additional variables,
such as the differentiation between different types of cyber security threats that NATO
faces.
NATO Cyber Defence Policy Justine M. Chauvin
6
NATO CYBER DEFENCE POLICY AN ADAPTATION TO THE EMERGING THREATS OF THE 21ST CENTURY, OR THE
RESURGENCE OF COLD WAR LOGIC IN THE “FIFTH BATTLEFIELD”?
I. INTRODUCTION
This dissertation aims to pose a few relatively under-examined issues in the field of
cyber security. In particular, it focuses on the importance of perceptions in the
establishment of norms and practices at the international level, using as a case study the
cyber defence policy of the North Atlantic Treaty Organization (NATO). Particularly, its
purpose is to investigate the assumptions and discursive codes governing the logic
behind the emergence and the developments of NATO cyber defence policy; notably
how the nature and origins of cyber threats, as well as the role of state members and
NATO itself, are conceived. In order to properly address these questions, this
dissertation is based on an interpretative approach, using discourse analysis as a
method, and a theoretical framework drawing on several constructivist accounts, as
well as on liberal institutionalist concepts. This perspective seems to be particularly
interesting, given the way actors perceive cyberspace, and the related threats arising
from it, is deemed to be correlated with the development of their “capacities, craft
policies, and ultimately [the manner they] decide to act on cyber issues.”1
NATO’s nature and purpose has been widely discussed amongst IR theorists, especially
since the end of the Cold War, which has been seen by many as the vanishing of NATO’s
initial raison d’être. In particular, many scholars (especially liberal institutionalists)
1 David J. Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for Cyber-Power (New York: Routledge, 2011), 36–37. Cited in Geoff Van Epps, “Common Ground: U.S. and NATO Engagement with Russia in the Cyber Domain,” The Quarterly Journal 12, no. 4 (2013): 19. 2 These terms will be explained and discussed with regard to different IR paradigms in the next chapter. 3 See, e.g., Arita Holmberg, “The Changing Role of NATO: Exploring the Implications for Security
NATO Cyber Defence Policy Justine M. Chauvin
7
have claimed that NATO’s survival is due to its transformation over the past twenty
years, from a traditional alliance to a security management institution.2 From this
perspective, the development of a cyber defence policy by NATO is usually seen as
exemplifying the alliance’s changing scope of intervention, as well as its broadened
perception of security, 3 conceived in terms of diffuse risks (that is, diffuse security
problems emerging from uncertainty and private information, arguably not only from
state actors)4 instead of direct threats (understood as “a positive probability that
another state will either launch an attack or seek to threaten military force for political
reasons”).5 However, others have pointed out that NATO cyber defence policy has been
developed with regard to seminal events, such as the cyber-attacks on Estonia in 2007
and on Georgia in 2008 (detailed in Chapter IV), and mirrors the persisting cold war
logic in NATO current policy. Notably, Michael Horowitz stated that:
“Many of the cyber attacks over the last decade that have been severe enough to
motivate renewed NATO concerns about cyberspace have emanated from Russia.[6]
Given that the security challenges created by the Soviet Union drove the creation of
NATO in the first place, these cyber threats arguably represent a core mission area
2 These terms will be explained and discussed with regard to different IR paradigms in the next chapter. 3 See, e.g., Arita Holmberg, “The Changing Role of NATO: Exploring the Implications for Security Governance and Legitimacy.,” European Security 20, no. 04 (2011): 533. 4 Celeste A. Wallander and Robert O. Keohane, “Risk, Threat, and Security Institutions.,” in Imperfect Unions: Security Institutions over Time and Space, ed. Helga Haftendorn, Robert O. Keohane, and Celeste A. Wallander (New York: Oxford University Press, 1999), 25. 5 Ibid. 6 To this day, no official report or public evidence has linked the Russian government to any major cyber-attack. However, the suspicion is still strong amongst transatlantic military and political circles, and many Western commentators have accused the Kremlin of tolerating, if not sponsoring the groups involved in the attacks on Estonia and Georgia. Moscow has always denied such implication. Noah Shachtman, “Top Georgian Official: Moscow Cyber Attacked Us – We Just Can’t Prove It,” Wired, March 11, 2009, http://www.wired.com/2009/03/georgia-blames/; “Estonia Hit by ‘Moscow Cyber War,’” BBC News, May 17, 2007, http://news.bbc.co.uk/2/hi/europe/6665145.stm.
NATO Cyber Defence Policy Justine M. Chauvin
8
for NATO that returns NATO to its roots. Addressing cyber threats thus arguably
fulfils NATO’s most basic security mission.”7
Regarding the limited scope of this analysis and its aims, this supposed transformation
of NATO is interesting because it allows the spectrum of interpretation patterns to be
narrowed. What is explored here is, therefore, whether NATO cyber defence policy
exemplifies such a transformation, or if it displays continuity in the manner in which
NATO perceives its own role as an international security actor, and the security issues
that it faces.
i. RESEARCH QUESTION Some initial questions driving this dissertation could be roughly formulated as below:
- How are cyber security issues framed in NATO’s discourse?
- How does NATO perceive itself in relation with these emerging threats, and
particularly, which characteristics of NATO are emphasized to support the idea
that it is the relevant actor to deal with these issues?
- To what extent do the mechanisms, organisms, practices and policies developed
by NATO reflect its discourse?
Because the scope of this dissertation necessarily implies the formulation of a much
narrower research question, and with reference to the initial observations made in the
introduction, the focus here is on in the following:
7 Michael Horowitz, “A Common Future? NATO and the Protection of the Commons,” Transatlantic Paper Series, no. 3 (2010): 4. See, also, Stanley R. Sloan, Permanent Alliance? NATO and the Transatlantic Bargain from Truman to Obama (London: Bloomsbury Academic, 2010), 138.
NATO Cyber Defence Policy Justine M. Chauvin
9
Does NATO’s cyber agenda exemplify the alliance’s transformation into a security
management institution; or rather does it display the continuity of NATO’s self-
perception as a defensive alliance?
This dissertation certainly does not advocate that NATO’s perception falls exclusively
into one of these two categories. It seems apparent that the answer lies probably
somewhere between these two options, which are only ideal types. What is really at
stake here is to understand how NATO perceives cyber security issues, and its own role
in this field, as well as how this perception has an impact the way NATO’s cyber agenda
is conceived. Ultimately, exploring these questions is important to understand how
NATO perceived its role in the field of cyber security, and more generally in the context
of the emerging threats of the 21st century. Moreover, it also allows a valuable reflection
on what patterns this perception – and the subsequent policies established by NATO –
display, regarding the way cyber threats are currently conceived by international
security actors, and what the potential implications of such interpretations are.
ii. JUSTIFICATION NATO is currently one of the most prominent international security actors in the field of
cyber security, insofar as it is one of the few institutions which are attempting to
develop a policy specially designed to respond to cyber threats.8 However, only a
relatively few studies have been done on this particular topic. Furthermore, a
substantial part of this knowledge production concerning NATO cyber defence policy
has been conducted by NATO Cooperative Cyber Defence Centre of Excellence (CCD
8 Eneken Tikk, “Global Cybersecurity - Thinking About The Niche for NATO,” SAIS Review of International Affairs 30, no. 2 (2010): 105–19.
NATO Cyber Defence Policy Justine M. Chauvin
10
COE),9 and most of these studies respond to a problem-solving approach. Typically, they
do not engage with the onto-epistemological assumptions at the basis of NATO’s cyber
agenda and its perception of cyber threats, but rather attempt to improve its policy (this
problematic is discussed more in depth in the section devoted to clarify what primary
sources have been used in this analysis). This dissertation is valuable because it
provides an external analysis, attempting to take precisely into consideration these
assumptions underlying NATO’s knowledge and policy production.
Turning to other research that has been done by other organisms, it seems that it has
predominantly been focused on the quality or relevance of NATO’s cyber defence policy
results, such as the Tallinn Manual, and not on the process of knowledge production
itself. Furthermore, a substantial part has been done from a legal perspective, and
leaves some assumptions underlying NATO’s cyber doctrine mostly unanalyzed.10
Finally, the need for cooperation in the field of cyber security has been relentlessly
expressed by governments and experts,11 and notably in the 2001 Budapest Convention
on Cybercrime:
“The member States of the Council of Europe and the other States signatory hereto,
[…] Recognising the value of fostering co-operation with the other States parties to
this Convention; […] Convinced of the need to pursue, as a matter of priority, a
9 NATO CCDCOE, “CCD COE,” NATO CCDCOE, accessed August 5, 2014, https://www.ccdcoe.org/. 10 See, e.g., Myriam Dunn Cavelty, “Cyber-Allies,” IP Journal, May 1, 2011, https://ip-journal.dgap.org/en/ip-journal/topics/cyber-allies; Sean Lawson, “NATO & Cyber Conflict: Background & Challenges” (presented at the The Shadow NATO Summit III, Washington D.C., 2012), 7; Dieter Fleck, “Searching for International Rules Applicable to Cyber Warfare - A Critical First Assesment of the New Tallinn Manual,” Journal of Conflict & Security Law 18, no. 2 (2013): 331–51; Gergely Szentgáli, “The NATO Policy on Cyber Defence: The Road so Far,” AARMS 12, no. 1 (2013): 83–91; Nina Levarska, Regulation of Cyber-Warfare: Interpretation versus Creation, European Security Review (ISIS Europe, 2013), www.isis-europe.eu/sites/default/files/publications-downloads/esr70-cyber-warfare-Dec2013NL.pdf. 11 See, e.g., Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security 4, no. 2 (2011): 41–60.
NATO Cyber Defence Policy Justine M. Chauvin
11
common criminal policy […] by adopting appropriate legislation and fostering
international co-operation; […].”12
However, most studies have tended to be limited to the national level. In accordance
with this view that security issues arising from the cyberspace are difficult to restrain
by national borders, it seems that analyzing how cyber policy is developed within
international institutions would be valuable in order to grasp the general patterns
emerging at the international level.
As an international organisation, examining NATO’s cyber agenda seems valuable
because it could enhance our understanding of one of the few attempts to provide an
international mechanism and a doctrine in the field of cyber security, 13 as well as the
perceptions underpinning it, and their potential implications.
iii. OUTLINE This dissertation has three substantial chapters; first, the following chapter (Chapter II)
aims to provide a general review of IR literature on NATO, and on cyber security. It
focuses mainly on three different paradigms, namely, neorealism, liberal
institutionalism, and constructivism.
The third chapter is devoted to clarify how and why discourse analysis is used as
method in this analysis, as well as to explain the constructivist approach, in addition
with some post-modernist and liberal institutionalist accounts, constituting the
conceptual framework. Moreover, it also reviews the different sources used in this
analysis, their value, and their limits.
12 Council of Europe, “Convention on Cybercrime,” Council of Europe, November 23, 2001, http://conventions.coe.int/treaty/en/Treaties/Html/185.htm. 13 Tikk, “Global Cybersecurity,” 105.
NATO Cyber Defence Policy Justine M. Chauvin
12
The fourth chapter provides, firstly, a short overview of NATO cyber defence policy
from 1999 until today. Then, it is devoted to the analysis itself, divided into three
different parts; namely, does NATO view cyber security issues as threats or risks [1], to
what extent is NATO’s cyber strategy exclusive or inclusive [2], what is the degree of
institutionalization in NATO cyber defence policy [3].
In addition to this, the conclusion addresses the merits and limits of this essay, and
discusses potential further research.
NATO Cyber Defence Policy Justine M. Chauvin
13
II. NATO, CYBER SECURITY & IR THEORIES
This chapter is essentially devoted to reviewing the available literature on NATO and
cyber security from several IR perspectives. Its purpose is to make explicit the different
IR approaches regarding NATO and cyber security, in order to justify the relevance of
the theoretical framework draw in the next chapter.
From the beginning of the 1990s until today, explaining the persistence – and most
importantly the transformation – of NATO after the Cold War has been the subject of
numerous studies across the various IR schools of thought. This chapter aims to provide
a general overview of the different accounts made on this topic.
Moreover, this chapter also aims at providing theoretical insights on how each
paradigm frames cyber security. It should be noted that in general, research done on the
impact of new information and communication technologies on security, and national
security in particular have been predominantly policy and problem-solving oriented,
with little or no regard for developing or applying IR theories.14 However, some debates
among practitioners seem to reflect some fundamental theoretical discussions in the
field of IR. Consequently, it displays the importance of IR theories for improving the
general understanding of the current developments in national and international cyber
security policy, as well as their repercussions.15 With regard to the available literature,
this chapter focuses in particular on three IR paradigms, namely, neorealism, liberal
institutionalism, and constructivism.
14 Johan Eriksson and Giampiero Giacomello, “The Information Revolution, Security, and International Relations: (IR)relevant Theory?,” International Political Science Review 27, no. 3 (2006): 222. 15 Ibid., 227–228.
NATO Cyber Defence Policy Justine M. Chauvin
14
i. NEOREALISM
NATO AS AN ALLIANCE a.
Neorealism displays an approach based on three principles; (1) anarchy (i.e. the
absence of regulatory authority) characterizes the international stage, (2) states are the
only actors relevant at the international system, (3) states are functionally similar, and
act rationally in accordance with their national self-interests.16 At the core of the
neorealist vision, power (defined as military capacities) and security (defined as the
absence of threat to the survival of the state) are seen as the two driving force of
international affairs.17 From the realist perspective, states form alliances for two
reasons; they can rally other states – viewed as the most powerful – to protect their own
survival (the bandwagoning strategy), or they can unite against another power to
preserve the balance of power and ultimately, prevent the emergence of threats to their
survival (the balancing strategy).18
Alliances – defined by Glenn Snyder as, “formal associations of states for the use (or
non-use) of military force, in specified circumstances, against states outside their own
membership”19 – have been analyzed extensively through the lens of neorealism,
certainly because historically they have been limited to states and aggregation of
military capacities.20
According to Kenneth Waltz’s balance-of-power theory, states agree to form coalitions
and aggregate their capacities – even if these are limits to their freedom of action – in
16 Alex Macleod, “Le Néoréalisme,” in Théories Des Relations Internationales - Contestations et Résistances, ed. Alex Macleod and O’Meara Dan (Outremont: Athéna Éditions, 2010), 92–94. 17 Eriksson and Giacomello, “The Information Revolution,” 228. 18 Macleod, “Le Néoréalisme,” 95–96. 19 Glenn H. Snyder, Alliance Politics (Ithaca: Cornell University Press, 1994), 4. 20 Robert B. McCalla, “NATO’s Persistence after the Cold War,” International Organization 50, no. 03 (1996): 450.
NATO Cyber Defence Policy Justine M. Chauvin
15
order to maintain the balance of power. Consequentially, shifts in power relations are
direct variables of alliances’ emergence, cohesion, and ultimately demise.21 Stephen
Walt’s subsequent balance-of-threat approach nuanced this approach in differentiating
power from threat, stipulating that balancing alliances – but also bandwagoning
alliances – do not empirically occur automatically when a state is perceived as powerful
(i.e. with strong military capacities), but are established rather when a state is perceived
as a threat (i.e. a state which has offensive capacities and offensive intentions).22
Ultimately, neorealists stipulate that the degree of alliances’ cohesion is determined by
the duration and/or the intensity of an external threat, or a power to balance. This
argument relies on strong empirical evidences that alliances usually collapse after the
disappearance – or the modification – of such exogenous variables.23 As Ole Holsti et al.
declared, “the most widely stated proposition about alliances is that cohesion depends
upon external danger and declines as the threat is reduced.”24
From a neorealist point of view, NATO’s main purpose is embedded in Article 5 of the
constitutive treaty, stipulating that “the Parties agree that an armed attack against one
or more of them in Europe or North America shall be considered an attack against them
21 Kenneth N. Waltz, Theory of International Politics (Reading: Addison-Wesley, 1979). 22 Stephen M. Walt, The Origins of the Alliances (Ithaca: Cornell University Press, 1987); Stephen M. Walt, “Testing Theories of Alliance Formation: The Case of Southwest Asia,” International Organization 42, no. 02 (1988): 275–316. 23 George Liska, Nations in Alliance: The Limits of Interdependance (Baltimore: Johns Hopkins University Press, 1962); Stephen M. Walt, “Alliance Formation and the Balance of World Power,” International Security 9, no. 4 (1985): 3–43; Walt, The Origins; Ole R. Holsti, Terrence P. Hopmann, and John D. Sullivan, Unity and Disintegration in International Alliances: Comparative Studies (New York: John Wiley and Sons, 1973); Glenn H. Snyder, “Alliances, Balance, and Stability,” International Organization 45, no. 1 (1991): 121–42. 24 Holsti, Hopmann, and Sullivan, Unity and Disintegration, 17.
NATO Cyber Defence Policy Justine M. Chauvin
16
all [...].”25 Accordingly, the alliance’s degree of cohesion must be assessed in view of the
probability that a situation as described in Article 5 will occur.
Unsurprisingly then, the vast majority of neorealist scholars argued in the early 1990s
that NATO’s raison d’être had disappeared with the fall of the Soviet Union and the
disaggregation of the Warsaw Pact, predicting the consequent fading of the alliance.26
Moreover, even if some of them highlighted the alliance’s possible persistent utility, it
remained in the perspective of potential new external military threats.27
The failure of neorealism to predict not only NATO’s persistence, but more importantly
the alliance’s enlargement and new functions, has been underlined by many scholars.
For many of them, this is explained by the incapacity of neorealism to grasp the genuine
nature of NATO, as an institution able to serve other purposes than the strict
aggregation of military capacities for deterring an external threat, or balancing power.28
According to Zoltan Barany and Robert Rauchhaus, neorealists have applied “the wrong
set of analytic tools [...] and failed to understand that NATO was more [...] than a
traditional alliance.”29
25 NATO, The North Atlantic Treaty (Washington D.C.: NATO, April 4, 1949), 1, http://www.nato.int/nato_static/assets/pdf/stock_publications/20120822_nato_treaty_en_light_2009.pdf. 26 See, e.g., John J. Mearsheimer, “Back to the Future: Instability in Europe after the Cold War,” International Security 15, no. 1 (1990): 5–56; Kenneth N. Waltz, “The Emerging Structure of International Politics,” International Security 18, no. 2 (1993): 44–79. 27 See, e.g., Charles L. Glaser, “Why NATO Is Still Best: Future Security Arrangements for Europe,” International Security 18, no. 1 (1993): 5–50; Robert J. Art, “Why Western Europe Needs the United States and NATO,” Political Science Quarterly 111, no. 1 (1996): 1–39. 28 See, e.g., Zoltan Barany and Robert Rauchhaus, “Explaining NATO’s Resilience: Is International Relations Theory Useful?,” Contemporary Security Policy 32, no. 2 (2011): 286–307. 29 Ibid., 290.
NATO Cyber Defence Policy Justine M. Chauvin
17
Finally, Waltz subsequently explained the survival, and more importantly expansion of
NATO, “mainly because the United States wanted to.”30 In sum, he explained that the
alliance’s persistence does not rely on rational exogenous factors, or its institutions, but
rather is due to the will of a particular powerful actor. This vision of NATO’s persistence
as the result of an agent’s preferences (preferences which are, in the case of the US
pursuing NATO’s enlargement, “foolish” in Waltz’s terms),31 are contradicted by
institutionalists, who stress on the contrary the pre-eminence (over agency) of
alliances’ institutional assets to explain their formation, durability and demise.32
CYBER SECURITY AS A NEW FIELD FOR OLD CONFLICTS b.Turning to the neorealist vision of cyber threats and cyber conflicts, it could be roughly
summarized as “old wine in new bottles.”33 Indeed, even if neorealists consider threats
emerging from the new information technologies as relevant, they frame them as
basically new technological components in otherwise traditional conflicts. From this
perspective, cyber operations are seen as the latest dimensions of strategic and military
planning, and the cyberspace as “a new front to the battle”34 (notably, since 2011, it has
been officially recognized as the fifth domain of military intervention by the US
Department of Defense,35 “just as critical [...] as land, sea, air and space” 36).
30 Kenneth N. Waltz, “NATO Expansion: A Realist’s View,” Contemporary Security Policy 21, no. 2 (2000): 35. 31 Ibid., 31. 32 In particular, McCalla, “NATO’s Persistence”; Celeste A. Wallander, “Institutional Assets and Adaptability: NATO After the Cold War,” International Organization 54, no. 04 (2000): 705–35. 33 Eriksson and Giacomello, “The Information Revolution,” 229. 34 Mary McEvoy Manjikian, “From a Global Village to Virtual Battlespace: The Colonizing of the Internet and the Extension of Realpolitik,” International Studies Quarterly 54, no. 2 (2010): 386. 35 US Department of Defense, “The Cyber Domain: Security and Operations,” US Department of Defense, accessed March 11, 2014, http://www.defense.gov/home/features/2013/0713_cyberdomain/. 36 Lynn, op.cit. (2010), 101.
NATO Cyber Defence Policy Justine M. Chauvin
18
However, these technological changes do not challenge the fundamental assumptions
underpinning the conduct of military affairs, nor did it create new entities or modified
the interests of states.37 From a realist perspective, Mary McEvoy Manjikian stated that:
“From the 1980s onward, cyberspace was redefined as […] an extension of the
battlespace […]. Information warfare is a different kind of battle calling for different
strategies and tactics, but its aims and goals are the same.”38
Furthermore, she argued that:
“Realists [see] cyberspace as an avenue for insurgents and national enemies to
penetrate “real” defenses. It [is] viewed as a frontier or border requiring protection
and vigilance […].”39
Overall, neorealists display a vision of cyber security which does not question their
conceptualization of security, the prevalence of states over non-states actors at the
international level, or the conduct of interstate conflicts. Even if in the field of cyber
security, similarly to other sectors of security, neorealists have acknowledged over the
years the increasing importance of non-state actors, such as terrorist groups, they still
rely on a Westphalian state-focused vision of geopolitics. 40
Turning to the notion of power, Daniel Kuehl’s notion of cyber power is certainly the
most widely used in a realist perspective, as “the ability to use cyberspace to create
advantages and influence events in all the operational environments [land, air, sea and
37 McEvoy Manjikian, “From a Global Village,” 385. 38 Ibid., 385–386. 39 Ibid., 390. 40 Eriksson and Giacomello, “The Information Revolution,” 229.
NATO Cyber Defence Policy Justine M. Chauvin
19
outer space] and across the instruments of power.”41 Kuehl’s conceptualization of cyber
power is not a zero-sum game, as he stated that, “one of the oft-cited attributes of
cyberspace is its ability to augment and empower many users simultaneously”.42
However, it remains strongly focused on states’ interests and military capacities.
Overall, even if it has been acknowledged that cyber capacities are indeed a new form of
power, this cyberpower is relevant insofar as it serves strategic purposes for the ends of
policy, which is still viewed in realist terms.43
ii. LIBERALIST INSTITUTIONALISM
a. NATO AS AN INSTITUTION
The institutionalist approach of liberalism stipulates that the deviant behaviours of
international society (such as war and other forms of conflicts emerging from a lack of
cooperation)44 could be adjusted through regulatory mechanisms, established by
international institutions. In line with other liberalist approaches, liberal
institutionalists affirm that states are important – but not unique – actors at the
international stage, and focus on a broader set of issues (especially economic ones) than
neorealists. In particular, they highlight the role of institutions as mechanisms that
allow cooperation amongst states.45
41 Daniel T Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” in Cyberpower and National Security, ed. Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz (Dulles: Potomac Books, 2010), 38. 42 Ibid. [footnote 42], 568. 43 John B. Sheldon, “Deciphering Cyberpower: Strategic Purpose in Peace and War,” Strategic Studies Quarterly 5, no. 2 (2011): 95–112. 44 Dan O’Meara and Stéphane Roussel, “Le Libéralisme Classique,” in Théories Des Relations Internationales - Contestations et Résistances, ed. Alex Macleod and Dan O’Meara (Outremont: Athéna Éditions, 2006), 135. 45 Ibid., 137; Eriksson and Giacomello, “The Information Revolution,” 229–230.
NATO Cyber Defence Policy Justine M. Chauvin
20
In opposition to neorealist accounts, liberal institutionalists consider that alliances “are
not always merely aggregations of national power”,46 and that sometimes their purpose
goes beyond deterrence or defence. More generally, Robert Keohane stipulated that
“alliances are institutions”,47 which he defined as a “related complex of rules and
norms, identifiable in space and time.”48 Hence, he stated that “both their durability
and strength (the degree to which states are committed to alliances, even when
costs are entailed) may depend in part on their institutional characteristics.”49
Starting from this account, Celeste Wallander slightly nuanced Keohane’s approach,
stating that not every single alliance is an institution, but instead, that alliances “can be
more than simply pieces of paper or aggregation of military power: as explicit,
persistent, and connected set of rules that prescribe behavioral roles and constrain
activity, sometimes alliances are institutions.”50 From this perspective, Wallander
presented the institutional theory as an efficient approach to grasp the evolution of this
sort of alliance, and the effects that they have on security relations.51 In particular, she
highlighted that what she defined as “security institutions” (understood as highly
institutionalized alliances, addressing a variety of security issues in addition to
deterring external threats),52 are more likely to persist in a changing security
environment than a less institutionalized security coalition, other things being equal.53
46 Wallander, “Institutional Assets,” 705. 47 Robert O. Keohane, International Institutions and State Power: Essays in International Relations Theory. (Boulder: Westview, 1989), 15. Emphasis original. 48 Ibid., 383. 49 Ibid., 15. Emphasis original. 50 Wallander, “Institutional Assets,” 706. 51 Ibid., 705. 52 Ibid., 706. 53 Ibid., 707.
NATO Cyber Defence Policy Justine M. Chauvin
21
In parallel, Robert McCalla stressed the value of international institutionalist
approaches to understand the special case of NATO’s persistence; as unless a
traditional alliance, NATO has developed “norms and procedures beyond mutual
defense.”54 Interestingly, he claimed that the neorealists’ inability to grasp NATO’s
persistence otherwise than as a “deviant case”55 (drawing on Arend Lijphart’s
approach),56 displays strong incentives to analyze NATO’s case in taking into
account additional variables:57 in particular, the “variations in the density and depth
of alliance structures and processes [as well as] the internal dynamics of states
comprising alliances”,58 which have been underplayed by neorealists in “over-
simplify[ing] NATO’s historic mission.”59
Liberal institutionalism highlights the variety of purposes that NATO have had since
its establishment: not only military ones, as described in Article 5, but also political
ones, 60 such as in Article 2 (“The Parties will contribute toward the further
development of peaceful and friendly international relations by strengthening their free
institutions, by bringing about a better understanding of the principles upon which
these institutions are founded, […]”).61
From this perspective, NATO’s persistence is substantially explained by its unusually
high level of institutionalisation (Wallander underscored that NATO “is an organization
of hundreds of daily interactions and procedures [...][which] has bureaucracies with
54 McCalla, “NATO’s Persistence,” 462. See, also, Wallander and Keohane, “Risk.” 55 McCalla, “NATO’s Persistence,” 447. 56 Arend Lijphart, “Comparative Politics and the Comparative Method.,” American Political Science Review 65, no. 03 (1971): 682–93. 57 Ibid., 692. Cited in McCalla, “NATO’s Persistence,” 447. 58 McCalla, “NATO’s Persistence,” 446. 59 Barany and Rauchhaus, “Explaining NATO’s Resilience,” 300. 60 Zoltan Barany, “NATO at Sixty,” Journal of Democracy 20, no. 02 (2009): 110. 61 NATO, The North Atlantic Treaty, 1.
NATO Cyber Defence Policy Justine M. Chauvin
22
practices and procedures staffed by civilians from many countries who work
together”).62 This has allowed the alliance to persist after the Cold War – a substantial
change in the security environment. By relying on initial highly-developed general
assets (understood as devices “for political consultation and decision making, and for
military planning, coordination, and implementation”),63 which in turn, permitted the
creation of innovative specific ones to cope with new security concerns, NATO has
ultimately stayed pertinent in the current security environment.
This leads to Wallander and Keohane’s typology of security institutions. According to
them, NATO has transformed itself from a defensive alliance, which is an “exclusive
security institution, designed principally to deal with threats from non-members”,64 into
a security management institution, understood as “an inclusive, risk-oriented
arrangement with highly institutionalized practices.”65
From their perspective, the three main dimensions differentiating a defensive alliance
from a security management institution are, namely, “the degree to which they are
institutionalized [1], whether they are organized exclusively or inclusively [2], and
whether they are designed to cope with threats or risks [3].”66 Wallander and Keohane’s
typologies of security institutions are used as a part of the conceptual framework of this
dissertation, and further insights concerning its modalities are provided in the next
chapter.
62 Wallander, “Institutional Assets,” 724. 63 Ibid., 731. 64 Wallander and Keohane, “Risk,” 23. 65 Ibid., 22, 28. 66 Ibid., 22.
NATO Cyber Defence Policy Justine M. Chauvin
23
In addition to this, Arita Holmberg – following Wallander and Keohane’s argument –
highlighted that the new role of NATO, as a security management institution, “engaged
in managing challenges to security on a large scale” rather than strictly being, “focused
on territorial defence”,67 has led to new legitimacy considerations. In particular, it has
led to the necessity for NATO to be perceived as a legitimate actor (defined as an actor
“considered appropriate by an audience”)68 – both within and outside the organisation –
by a range of actors “to some extent different if NATO is viewed on as a security
organisation as compared to a defence organization.”69
However, Anand Menon and Jennifer Welsh criticized institutionalist theory, arguing
notably that this approach underestimates the importance of agency and political power
in institutional stability or change, as well as focusing on the persistence and
adaptability of institutions, equalizing implicitly these with continuous sustainability
and effectiveness, which is not automatically the case.70
Nevertheless, the strong argument developed by institutionalists in the early 1990s,
considering NATO not only as a defensive alliance, but rather as a genuine institution,
remains useful regarding the aims of this dissertation. Indeed, it allows an analysis of
NATO cyber defence policy which considers NATO as an international actor in itself,
with its own particular set of perceptions and norms. Yet, the institutionalist approach
seems not well suited to address the questions related to the construction of shared
67 Holmberg, “The Changing Role,” 529. 68 Katharina P. Coleman, International Organisations and Peace Enforcement: The Politics of International Legitimacy (New York: Cambridge University Press, 2007), 20–21. Cited in Holmberg, “The Changing Role,” 530. 69 Holmberg, “The Changing Role,” 538. 70 Anand Menon and Jennifer Welsh, “Understanding NATO’s Sustainability: The Limits of Institutionalist Theory,” Global Governance 17, no. 1 (2011): 85.
NATO Cyber Defence Policy Justine M. Chauvin
24
meanings, perceptions and norms that are at the basis of institutional transformations.
For this reason, after a short overview of liberal accounts on cyber security, the next
section is devoted to explain the constructivist approach, which seems more relevant
regarding these interrogations.
b. CYBER SECURITY AS A DRIVER FOR INSTITUTIONAL TRANSFORMATIONS
Turning to cyber security, liberalism emphasizes the economical dimension of cyber
threats and highlights the dilution of the dichotomy between public and private actors,
as well as between military and civilian sectors.71 Generally speaking, the Internet is
seen as an extraterritorial space falling outside direct national sovereignty (or in other
terms, as a collective good or “global common”),72 and “should be the focus of
international efforts to preserve it.”73
Other scholars have pointed out the implications of new technologies regarding the
notion of power. In particular, Joseph S. Nye, after his seminal concept of “soft power”,74
developed a notion of “cyber power”, as a new domain of power.75 According to him,
from a behavioural perspective, cyber power is, “the ability to obtain preferred
outcomes [inside or outside the cyberspace] through the use of the electronically inter-
connected information resources of the cyberdomain”.76 He stated that cyber power
tends to simultaneously diffuse power towards a multitude of states and non-states
71 Marshall McLuhan and Quentin Fiore, War and Peace in the Global Village (New York: Simon & Schuster Inc., 1974), 134. 72 Horowitz, “A Common Future?” 73 McEvoy Manjikian, “From a Global Village,” 384. 74 Joseph S. Nye, Soft Power: The Means to Success in World Politics (New York: PublicAffairs, 2004). 75 Joseph S. Nye, Cyber Power (Harvard Kennedy School: Belfer Center for Science and International Affairs, 2010); Joseph S. Nye, The Future of Power (New York: PublicAffairs, 2011). 76 Ibid.
NATO Cyber Defence Policy Justine M. Chauvin
25
actors, but “does not mean equality of power”,77 as states remains powerful players with
incomparable cyber capacities. Importantly, regarding cyber security, he argued that
“providing security is a classic function of government, and […] that [the] increasing
[need of] cyber security will lead to an increased role for governments in cyberspace.”78
Overall, liberalists underscore more the dynamics and implications of cyber security
and power in terms of institutional changes, than they examine the perceptions
underpinning such transformations.79 For instance, if Nye recognizes that cyber security
issues are becoming more salient in world politics, he does not address the perceptions
at the basis of such increase. For this reason, the next section is dedicated to an
approach of IR which seems better suited for these questions, namely, constructivism.
iii. CONSTRUCTIVISM
a. NATO AS A NORM PROMOTER
Constructivism supposes that the best way to understand international relations is to
deconstruct the intersubjective structures – understood as the set of rules, norms, and
shared meanings – which shape the world of international politics. The focus on the
social identities of actors and their dynamics is seen as fundamental to grasp both their
interests and their behaviour. Moreover, constructivism postulates that structure and
agency are not two distinct levels, but rather that they influence and co-constitute each
other.80
77 Ibid., 150. 78 Nye, Cyber Power, 15. 79 Eriksson and Giacomello, “The Information Revolution,” 231–232. 80 Dan O’Meara, “Le Constructivisme,” in Théories Des Relations Internationales - Contestations et Résistances, ed. Alex Macleod and Dan O’Meara (Outremont: Athéna Éditions, 2006), 243.
NATO Cyber Defence Policy Justine M. Chauvin
26
Constructivism conceives international politics in examining the socially-constructed
aspects of reality, their dynamics and interpretations. Overall, constructivism is
interested by “the dynamic interplay between social factors such as norms, identities,
interests, and institutions.”81
Constructivism shares some similar observations with institutionalism, also viewing
NATO more as an institution than an alliance. However, constructivists are more
interested in analysing “how international institutions help teach norms and change
state preferences” 82 than examining the institutional structures of institutions
themselves. Notably, they emphasized the importance of international institutions as
agents of socialization (understood as the process by which an actor is incorporated
into “organized patterns of interaction”,83 which in turn modify behaviour in “expected
ways of thinking, feeling, and acting”).84 In the case of NATO, constructivists have been
more interested in analyzing how the alliance has “spread norms, facilitated learning,
and changed state preferences”,85 and how it has acted as a socialization agent for the
new adherents, than predicting its future behaviour. Moreover, it should be noted that
in the 1990s constructivism was not as developed as the neorealism and liberal
institutionalism approaches were, which could explain why fewer predictions about
NATO have been made from this perspective.86 However, its relatively recent character
81 Eriksson and Giacomello, “The Information Revolution,” 233. 82 Barany and Rauchhaus, “Explaining NATO’s Resilience,” 291. 83 Sheldon Stryker and Anne Statham, “Symbolic Interaction and Role Theory,” in The Handbook of Social Psychology, ed. Gardner Lindzey and Elliot Aronson, vol. 1 (New York: Random House, 1985), 325. 84 Alastair I. Johnston, “Treating International Institutions as Social Environments,” International Studies Quarterly 45, no. 04 (2001): 494. On NATO as a agent of socialisation, see, e.g., Alexandra Gheciu, NATO in the “New Europe”: The Politics of International Socialization After the Cold War (Palo Alto: Stanford University Press, 2005); Alexandra Gheciu, Securing Civilization? The EU, NATO and the OSCE in the Post-9/11 World (Oxford: Oxford University Press, 2008). 85 Barany and Rauchhaus, “Explaining NATO’s Resilience,” 292. 86 Ibid.
NATO Cyber Defence Policy Justine M. Chauvin
27
does not limit its value in the context of this dissertation and has not prevented
constructivists to articulate some arguments about NATO’s role after the Cold War.
In particular, from a constructivist approach NATO is viewed as a security community,
sharing some similar values and diffusing a particular set of norms.87 Its persistence and
enlargement are considered to be unsurprising in view of this fundamental purpose,
shaping states’ preferences via its socialization function which in turn, reinforce its own
position as an international security community, embodying these values and
preferences.88
In their analysis of NATO, Michael Williams and Iver Neumann stated that:
“Institutions such as NATO are [...] not just sites for the coordination of interests or
the reduction of transaction costs, as rationalist theories tend to stress. Institutions
are also, and more fundamentally, sites for the production of identity, for the
accumulation and retention of form of capital, and for the exercise of cultural and
symbolic power.”89
Moreover, Williams and Neumann argued that constructivism relies on a dynamic vision
of interests, identity and perception, which varies according to the context. Currently,
NATO can be seen as being in a situation where its policy to tackle emerging cyber
87 Emanuel Adler, “The Spread of Security Communities: Communities of Practice, Self-Restraint, and NATO’s Post-Cold War Transformation,” European Journal of International Relations 14, no. 02 (2008): 195–230; Gheciu, NATO in the “New Europe.” 88 Frank Schimmelfennig, The EU, NATO, and the Integration of Europe: Rules, and Retoric (New York: Cambridge University Press, 2003); Gheciu, Securing Civilization?; Trine Flockhart, “‘Masters and Novices’: Socialization and Social Learning through the NATO Parliamentary Assembly,” International Relations 18, no. 03 (2004): 361–80; Thomas Risse-Kappen, “Collective Identity in a Democratic Community: The Case of NATO,” in The Culture of National Security, ed. Peter Katzenstein (New York: Columbia University Press, 1996), 357–99. 89 Iver B. Neumann and Michael C. Williams, “From Alliance to Security Community - NATO,” in Culture And Security, by Michael C. Williams, Routledge (London, 2007), 62.
NATO Cyber Defence Policy Justine M. Chauvin
28
threats is relatively recent, and still in its experimental phase. Along Williams and
Neumann’s reflection, what is at stake, to understand what kind of policies NATO will
pursue in this domain, is related to the prevailing identity of NATO itself.90 In particular:
“[...] a period of transformation involves a struggle over the forms of identity and
action which will be regarded as legitimate within the emerging order. In such a
situation, the directions taken by actors will be a reflection of struggles exemplifying
the symbolic resources available to them for the (re)construction of their identities
and of their abilities to have those identities recognized by others.”91
It is notably for this reason that this dissertation examines how NATO conceives its
cyber agenda in relation to how NATO conceived itself.
b. CYBER SECURITY AS AN INTERSUBJECTIVE AND DISCURSIVE FRAMING OF THREAT
Regarding cyber security, several constructivist approaches worth being pointed out.
First of all, securitization theory, as developed by the “Copenhagen school”92 offers
meaningful insights concerning the importance of the discursive dimension (through
“speech acts”) in the formation of security issues. From this perspective, “the
intersubjective establishment [through discourses] of an existential threat with a
saliency sufficient to have substantial political effects”93 is what brings particular issues
in the realm of security, and ultimately, the military sector. However, in 1998, the
Copenhagen school explicitly dismissed cyber security as a potential new sector of
90 Ibid., 69. 91 Ibid., 70. 92 See, e.g., Ole Wæver et al., Identity, Migration and the New Security Agenda in Europe (London: Pinter, 1993); Ole Wæver, “Securitization and Desecuritization,” in On Security, ed. Ronnie Lipschutz (New York: Columbia University Press, 1995), 46–86; Barry Buzan, Ole Wæver, and Jaap De Wilde, Security: A New Framework For Analysis (Boulder: Reinner, 1998); Barry Buzan and Ole Wæver, Regions and Powers: The Structure of International Security (Cambridge: Cambridge University Press, 2003); Barry Buzan, People, States & Fear: An Agenda for International Security Studies in the Post-Cold War Era (Colchester: ECPR Press, 2007). 93 Buzan, Wæver, and De Wilde, Security, 25.
NATO Cyber Defence Policy Justine M. Chauvin
29
securitization, arguing that discourses framing cyber issues as existential threats can
have repercussions “within the computer field but with no cascading effects on security
issues”,94 such as military, economic, or societal ones. In 2001, Ralf Bendrath
demonstrated that the US government attempted to do a securitizing move (that is, “a
discourse that takes the form of presenting something as an existential threat to a
referent object”,95 but which fails to legitimize emergency measures in the view of
relevant audiences). This move aimed to increase the private-public partnerships in the
sector of cyber security, and especially the protection of national critical infrastructures,
largely owned by the private sector.96 However, according to Bendrath, this attempt of
securitization largely failed, as the perception of the private sector remains focused on
cyber threat “as consisting primarily of a local, technical problem or as economic costs”
and not as a matter of national security.97
Nonetheless, in 2009, Lene Hansen and Helen Nissenbaum displayed strong evidence
that the situation evolved, in highlighting how cyber security has been successfully
securitized through particular “security grammars”, analogies and interpretations of
cyberspace.98 Other scholars, such as Myriam Dunn Cavelty,99 have also displayed
strong evidences that cyber security has been definitely brought in the realm of security
through particular forms of discourses, with varying degree of success.
94 Ibid. 95 Ibid. 96 Ralf Bendrath, “The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection,” Information and Security 7 (2001): 95. 97 Ibid., 97. 98 Lene Hansen and Helen Nissenbaum, “Digital Disaster, Cyber Security, and the Copenhagen School,” International Studies Quarterly 53, no. 4 (2009): 1155–75. 99 Myriam Dunn Cavelty, “Cyber-Terror – Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate,” Journal of Information Technology & Politics 4, no. 1 (2007): 19–36.
NATO Cyber Defence Policy Justine M. Chauvin
30
Other constructivist scholars have analyzed how the framing of cyber security issues
influences the perception of which actor is responsible for coping with these threats,
what is their origins, and what kind of solutions are pertinent. Along this line, particular
actors could frame cyber security threats in particular ways to picture themselves as
relevant to deal with them, to reinforce their position in a specific sector or to gain
acceptance and legitimacy among relevant audiences.100
Finally, constructivists have also analyzed the use and the significance of analogies,
images, and symbols in the construction of cyber security issues. James Der Derian
notably displayed the idea that the reality of war has been blurred by the military
sector, presenting new technological innovations as allowing the conduct of a bloodless
– almost virtual – war.101 At the same time, widely used analogies, such as the alarmist
predictions of an “electronic Pearl Harbor” or a “cyber 9/11”,102 could easily be seen as
examples of “symbolic politics” (“the use and abuse of symbols for manipulating
political discourse and influencing public opinion”). 103 This last approach was
developed by several scholars104 long before the emergence of current cyber security
issues, but still seems relevant nowadays. Indeed, when it comes to cyber security,
100 Ralf Bendrath, “The American Cyber-Angst and the Real World - Any Link?,” in Bombs and Bandwidth: The Emerging Relationship Between Information Technology and Security, ed. Robert Latham (New York: New Press, 2003), 49–73; Bendrath, “The Cyberwar Debate”; Johan Eriksson, “Cyberplagues, IT and Security: Threat Politics in the Information Age,” Journal of Contingencies and Crisis Management 9, no. 4 (2001): 211–22; Johan Eriksson, “Securizing IT,” in Threat Politics: New Perspectives on Security, Risk, and Crisis Management, by Johan Eriksson (Aldershot: Ashgate, 2001). 101 James Der Derian, “Virtuous War/Virtual Theory,” International Affairs 76, no. 4 (2000): 771–88. 102 See, e.g., the allocution of the US Secretary of Defense, Leon Panetta, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security” (New York, 11 October 2012). 103 Eriksson and Giacomello, “The Information Revolution,” 235. 104 See, e.g., Richard M. Merelman, Language, Symbolism, and Politics (Boulder: Westview, 1993); Murray Edelman, Political Language: Words That Succeed and Policies That Fail (New York: Academic Press, 1977), Political Language; Murray Edelman, The Symbolic Uses of Politics: With a New Afterword (Urbana: University of Illinois Press, 1985); Murray Edelman, Constructing the Political Spectacle (Chicago: Chicago University Press, 1988).
NATO Cyber Defence Policy Justine M. Chauvin
31
because of the inherently high level of abstraction and technological complexity of this
field, analogies with “the real world” appear to be particularly meaningful to convey
particular ideas and norms. In this sense, Johan Eriksson and Giampietro Giacomello
pointed out that “the Internet could be seen as the vast new global arena for symbolic
politics par excellence.”105
Moreover, they claimed that, “constructivism seems apt for analyzing the symbolic,
rhetorical, and identity-based aspects of digital-age security.”106 This argument, with
regard to the aims of this dissertation, justifies that in the next chapter, the theoretical
framework mainly draws on the several constructivist accounts reviewed above.
105 Eriksson and Giacomello, “The Information Revolution,” 235. 106 Ibid., 236.
NATO Cyber Defence Policy Justine M. Chauvin
32
III. METHODOLOGICAL FRAMEWORK
This chapter is devoted to clarifying the theoretical framework, the method of analysis,
the concepts, and the range of sources which are used in this analysis. In order to
provide a clear explanation of all these elements, this chapter is divided in four different
parts; first, it establishes that, regarding the aims of this dissertation, discourse analysis
is the most suitable approach from a theoretical and methodological point of view.
Second, the concepts of security and cyber security discourses are defined, in
accordance with the constructivist literature reviewed above, and additional post-
modernist accounts. Third, the usefulness of Wallander and Keohane’s typology of
security institutions – in relation to the concepts developed in the second part – is
explained, as well as Wagnsson’s views on NATO, which provide additional accounts on
possible concurrent narratives and logics within a single institution. The pertinence of
merging these institutionalists’ insights with a constructivist approach is discussed,
with regard notably to the possible discrepancies between NATO’s discourses and
practices in the field of cyber security. Finally, the choices made regarding the primary
sources collection are discussed and justified.
i. DISCOURSE ANALYSIS: THEORY AND METHOD This dissertation analyzes NATO’s perception of cyber security issues, the goals of its
cyber defence policy, and its own perceived role in this security field, through the lens of
constructivism. Because constructivism grants a substantial importance to speech acts
and the use of particular rhetoric embedded in, and simultaneously reinforcing, shared
NATO Cyber Defence Policy Justine M. Chauvin
33
meanings;107 this dissertation focuses on the rhetorical use of analogies, metaphors, and
images, and uses discourse analysis as a logical consequence.108
Discourse analysis as a theory conceives “discourses as relatively rule-bound set of
statements, which impose limits on what gives meaning”,109 and, “allows the mapping of
struggles over meaning and the process by which meanings become conventionalized
and “natural”.”110 Because discourses fix and structure the social space around
dominant meanings, they simultaneously bring out certain elements, and reduce the
field of discursively in excluding others.111
As it has been already said above, constructivism takes into account the co-construction
of agency and structure through intersubjective processes.112 In parallel, discourse
analysis reflects the reciprocity – or reflexivity – between the language and the “reality”,
stipulating that “language simultaneously reflects reality (“the way things are”) and
constructs (construes) it to be a certain way.”113 Therefore, what is at stake here is to use
discourse analysis to examine how NATO’s is viewing cyber security; assuming in
accordance with the elements above that the particular meanings and problems
attached to these views have a significant impact on the way NATO is responding to it.
107 O’Meara, “Le Constructivisme,” 248. 108 David Barnard-Wills and Debi Ashenden, “Securing Virtual Space: Cyber War, Cyber Terror, and Risk,” Space and Culture 15, no. 2 (2012): 115. 109 Michel Foucault, Security, Territory, Population: Lectures at the Collège de France, 1977-1978 (Houndmill: Palgrave, 2007). Cited in Barnard-Wills and Ashenden, “Securing Virtual Space,” 115. 110 Louise J. Philips and Marianne W. Jørgensen, Discourse Analysis as Theory and Method (London: SAGE, 2002), 13. Cited in Barnard-Wills and Ashenden, “Securing Virtual Space,” 115. 111 Niels Åkerstrøm Andersen, Discursive Analytical Strategies: Understanding Foucault, Koselleck, Laclau, Luhmann (Bristol: Policy Press, 2003); Ernesto Laclau and Chantal Mouffe, Hegemony and Socialist Strategy (London: Verso, 1985). 112 O’Meara, “Le Constructivisme,” 243. 113 James Paul Gee, Discourse Analysis: Theory and Method (London: Routledge, 1999), 82. Emphasis in original.
NATO Cyber Defence Policy Justine M. Chauvin
34
However, this does not mean that discourses always reflect practices. Discourses could
be indications of a particular actor’s intentions to picture itself or something else in a
certain way, in order to reach certain effects, but does not always signify that it will be
translated into practice, or that practice matches discourse. This could be also explained
by the different audiences an actor is speaking to, which do not necessarily have the
same perceptions and interests.114 The conceptual framework explained in the next two
sections is articulated around this recognition of discourse and practice as correlated,
but not necessarily similar.
ii. CONCEPTUAL FRAMEWORK (1): SECURITY AND CYBER SECURITY
DISCOURSES Choosing constructivism as a theoretical framework supposes that this dissertation
relies on an ontological argument distinguishing between material and social reality.115
Accordingly, the structure of the international system (such as anarchy at the global
level) is not seen as a cause but rather as an open process constituting and constituted
by social agents. For example, from this perspective and as Wendt put it, “anarchy is
what states make of it.”116 Accordingly, this dissertation relies on an interpretative
approach based on the assumption that discourses are significant to grasp institutions’
perceptions of themselves and of their purposes, and which, in turn, have a substantial
impact on the establishment of particular practices and policies. In sum, NATO cyber
defence policy is seen in this dissertation as influenced by the meanings that social
114 See, e.g., Thierry Balzacq, Securitization Theory: How Security Problems Emerge and Dissolve (London: Routledge, 2011); Thierry Balzacq, “The Three Faces of Securitization: Political Agency, Audience and Context,” European Journal of International Relations 11, no. 2 (2005): 171–201; Holmberg, “The Changing Role.” 115 Eriksson and Giacomello, “The Information Revolution,” 233. 116 Alexander Wendt, “Anarchy Is What States Make of It: The Social Construction of Power Politics,” International Organization 46, no. 2 (April 1, 1992): 391–425.
NATO Cyber Defence Policy Justine M. Chauvin
35
agents attach to it, which in turn, reinforces NATO members’ particular understandings
of cyber security, and subsequently their behaviour.
In addition to the different constructivist approaches reviewed above, David Campbell’s
analysis of “the modes of representation through which danger [is] interpreted and
understood [in the case of the US foreign policy], and the manifest political
consequences of these modes of representation”117 seems also relevant for this
conceptual framework; even if he is commonly qualified as a post-modernist rather
than constructivist scholar. Indeed, his attempt “to investigate the codes governing and
the logic behind contemporary declarations about the new dangers […] facing [the
US]”118 seems insightful beyond his initial case-study, and his analysis’ objectives are
altogether similar to the aims of this dissertation.
Moreover, acknowledging critics regarding discursive and interpretative post-
modernist approaches as inadequate, because supposedly “divorced from the real
world”,119 he underscored that he does not recuse the existence of an “external
reality”120, but stated instead that:
“What is denied is not that […] objects exist externally to thought, but the rather
different assertion that they could constitute themselves as objects outside of any
discursive condition of emergence.”121
117 David Campbell, Writing Security: United States Foreign Policy and the Politics of Security, Revised Edition (Manchester: Manchester University Press, 1998), 137. 118 Ibid., 191–192. 119 Ibid., 193. 120 Ibid., 7. 121 Ibid., 137.
NATO Cyber Defence Policy Justine M. Chauvin
36
Furthermore, the concept of security (and by extension, the concept of cyber security) is
defined here as an intersubjective and socially constructed process, in accordance with
both David Campbell122 and other constructivist scholars, such as the Copenhagen
School.123 In this perspective, a threat or risk falling into the realm of security is an issue
that has been identified and qualified as such particular actors, using particular modes
of representation. In accordance with this conceptualization, the aim of this dissertation
is fundamentally to address the assumptions underpinning NATO’s cyber defence policy
(regarding the meanings of cyber security threats, their nature, origins and
implications), in deconstructing the discursive modes of representation used by NATO.
Drawing on Mitchell Dean’s work on governmentality,124 David Barnard-Wills and Debi
Ashenden stated that fundamentally, governing is a collective activity of “bodies of
knowledge, opinions, and beliefs.”125 In this sense, to govern does not necessarily
involve a direct control, but is instead an “attempt to shape […] aspects of our behaviour
according to particular sets of norms and for a variety of ends.”126 More importantly,
they argued that this approach allows the displaying that “the way that a problem
becomes understood as being a problem is politically important, with implications for
the types of solutions and responses that are directed toward that problem.”127
Regarding cyber security discourses, they claimed that:
122 Ibid., 199. 123 Buzan, Wæver, and De Wilde, Security, 23–25. 124 Mitchell Dean, Governementality: Power and rule in modern society (London: SAGE, 2010). 125 Barnard-Wills and Ashenden, “Securing Virtual Space,” 115. 126 Dean, Governementality, 18. 127 Barnard-Wills and Ashenden, “Securing Virtual Space,” 115.
NATO Cyber Defence Policy Justine M. Chauvin
37
“We should pay attention to the way that cyber security is understood as a problem
of government, the particular vocabularies and discourses that construct this
problem and the solutions those problematizations privilege.”128
Furthermore, Barnard-Wills and Ashenden defined cyber security discourse as:
“The working term for a set of concepts and ways of thinking, […] with continuity,
and certain presumptions and axioms. […] It is fundamentally a security discourse,
with an orientation toward the securing of virtual space.”129
This definition seems to be especially relevant, insofar as it highlights the role of
discourses as constituting the way cyber security issues are understood, and
consequentially what solutions to these are privileged. For these reasons, the analysis
below is ultimately based on this particular characterization of cyber security discourse.
These conceptualizations, which show the pertinence of discourse analysis as a method,
also demonstrates that the different arguments above share some commons views with
the previously reviewed constructivist accounts, at least regarding the aims of this
dissertation. This explains fundamentally why this dissertation, while focusing on a
constructivist approach, also includes the particular accounts cited above, even if they
have been formulated by scholars not usually labelled as constructivists. Furthermore,
Barnard-Wills and Ashenden showed in their analysis that merging different
approaches seems to be a “powerful tool”130 for analyzing cyber security discourses,
especially with the inherent abstraction of this field of security, and the current lack of
consensus on its fundamental nature.
128 Ibid. 129 Ibid., 116. 130 Ibid., 114.
NATO Cyber Defence Policy Justine M. Chauvin
38
iii. CONCEPTUAL FRAMEWORK (2): CYBER SECURITY DISCOURSES IN
PRACTICE With regards to the research question articulated in the introduction, to what extent
NATO’s cyber policy matches a vision of NATO as a defensive alliance, or as a security
management institution, presupposes the definition of these two forms of institutions.
In order to provide a clear conceptualisation of these, Wallander and Keohane’s
typology of security institutions is used.131 In particular, this analysis relies on the three
main dimensions identified by Wallander and Keohane (already mentioned above) for
assessing if an institution is conceived as a defencive alliance or a security management
institution.
From this perspective, risk and threat are two forms of security issues that can have the
same kind of effects on state security, however, “their sources are qualitatively
different”,132 and consequentially, “dealing with them requires different policies and
institutional mechanisms.”133 Indeed, Wallander and Keohane stipulate that:
“Institutions meant to cope with security threats will have rules, norms, and
procedures to enable the members to identify threats and retaliate effectively
against them. Institutions meant to cope with security risks will have rules, norms,
and procedures to enable the members to provide and obtain information and to
manage disputes in order to avoid generating security dilemmas.”134
Moreover, they stated that:
131 Wallander and Keohane, “Risk,” 22. 132 Wallander, “Institutional Assets,” 710. 133 Ibid. 134 Wallander and Keohane, “Risk,” 26.
NATO Cyber Defence Policy Justine M. Chauvin
39
“Exclusive strategies seem better suited to coping with threats, while inclusive
strategies appear to be better able to cope with and manage risks.”135
The main hypothesis here is that, if NATO cyber defence policy is indeed an example of
NATO’s transformation into a security management institution, some noticeable trends
will display that NATO deals with cyber security issues from a security risk
management, rather than threat retaliation perspective; and that accordingly, NATO’s
cyber defence policy is inclusive and highly institutionalized. 136
This typology has nonetheless one very striking downside, in the sense that it focuses
primarily on risks and threats emerging from interstates relations. Yet, in the case of
cyber security, the importance of security problems emerging from non-states actors is
commonly acknowledged, along with the recurrent problem of attribution, and the
potential opportunities that this gives to states to avoid responsibility (not even
speaking about the problem of states using state-sponsored proxies, or deliberately
ignoring reprehensible cyber activities within their borders).137 Nonetheless, this
typology provides indicators based on institutional policy responses rather than on the
nature of the security challenges that one institution can face (and in this sense, seems
compatible with the constructivist approach discussed above). Therefore, it could be
viewed reasonably as able to cover security issues related to non-state actors or
situations where determining the identity of the attackers is difficult because the focus
here is not on the nature of security issues but rather on the response that institutions
choose to develop to these.
135 Ibid. 136 Ibid., 25. 137 Alexander Klimburg, “Mobilising Cyber Power,” Survival: Global Politics and Strategy 53, no. 1 (2011): 41–60.
NATO Cyber Defence Policy Justine M. Chauvin
40
The main advantage of merging a constructivist approach with Wallander and
Keohane’s typology is to allow the analysis of potential discrepancies between NATO’s
discourses and practices in the field of cyber security. Indeed, a strict discursive analysis
of NATO’s cyber defence policy would provide some interesting insights on how NATO
frames the emerging cyber security issues, and what kind of solutions it privileges to
respond to these; but not addressing the extent to which this discourse is applying – or
not – in practice would severely undermine the potential usefulness of this dissertation,
as it has been noted above that discourses and practices are correlated, but not
necessarily consistent with each other.
Furthermore, this dissertation proposes to go a step further and posits that it may be
possible to find within a particular security institution – and especially a highly
institutionalized one as NATO – diverse functions, organisms and mechanisms which
present distinct features, each of them corresponding to different interpretations of
NATO’s raison d’être. Yet this possibility has not been explicitly addressed by Wallander
and Keohane. For this reason, this statement is made with regards to Wagnsson’s views
that NATO (from a liberal institutionalist approach) is a composite actor, currently
performing different roles, each of them attached to different narratives (that is,
competitive constitutive stories presenting NATO alternatively as a “watchdog”, a “fire-
fighter”, a “neighbour” and a “seminar leader”).138 In her opinion, each narrative is more
or less accented for each NATO’s domains of action, and depends on NATO’s particular
readings of threats, as well as its perception of geography and history.139
138 Charlotte Wagnsson, “NATO’s Role in the Strategic Concept Debate: Watchdog, Fire-Fighter, Neighbour or Seminar Leader?,” Cooperation and Conflict 46, no. 4 (2011): 483–484. 139 Ibid., 485.
NATO Cyber Defence Policy Justine M. Chauvin
41
In particular, she argued that NATO’s action in the field of cyber security is focused on a
strong deterrence logic (corresponding to the “watchdog” narrative) – rooted in the
security logic prevailing during the Cold War – and concluded that NATO’s perception of
itself remains embedded in a traditional Westphalian vision of world politics. According
to her, while attempting to adapt its old strategies to the emerging cyber security
challenges that it faces, NATO persists in conceiving cyber threats from a traditional
deterrence logic, focusing on a state-centric vision and problem-solving – rather that
structural – solutions.140 In this sense, she did not agree with Wallander and Keohane
regarding the overall transformation of NATO into a security management institution,
or at least not in the field of cyber security. Accordingly, this analysis is interesting also
because it examines a question –what kind of institution is NATO with regard to its
cyber defence policy – which is definitely not consensual.
iv. SOURCES Accordingly with the theoretical framework above, a discourse analysis seems to be the
most suitable approach to assess if NATO’s cyber agenda (understood as the whole
range of practices, policies, procedures, norms and knowledge production, as well as,
critically, discourses related to cyber security issues) illustrates its transformation into
a security management instruction, or if other patterns emerge.
In order to analyze NATO’s cyber security discourses and practices, this dissertation is
centred on the textual analysis of several types of official documents released by NATO
(including summit transcripts, reports, as well as speeches, briefings and press
releases). In addition to this, codified norms and procedures are also examined, in order
140 Ibid., 486–487.
NATO Cyber Defence Policy Justine M. Chauvin
42
to assess how NATO’s cyber security discourses are translated into practice. The
collection of these primary sources will be made directly on NATO’s official websites.
One of the striking limits of this analysis, in choosing NATO as a case study to analyze
cyber security discourses, is that numerous documents remain classified,141 which has
consequentially an impact on the findings. However, more often than not, studying
cyber security discourses from an IR perspective means analyzing states’ policy or
particular national institutions’ discourses. In this sense, choosing another case-study
would not allow to bypass such limitation, as cyber issues are commonly viewed as
falling into the realm of military and intelligence offices, where the access to numerous
information and procedures is also restricted.
Another difficulty that could bias this analysis is that, as mentioned in the first chapter, a
great part of the documents assessing the cyber security issues facing NATO is produced
by the CCD COE. This centre is an organism created by NATO (but funded by the
member states themselves). Its core task is “to enhance the capability, cooperation and
information sharing among NATO, NATO nations, and partners in cyber defence by
virtue of education, research and development, lessons learned and consultation”, and it
aims at being “the main source of expertise in the field of cooperative cyber defence.”142
However, it should be noted that, “it is not an operational centre, and does not fall
141 Olivier Kempf, L’OTAN et La Cyberdéfense (Chaire de Cyberdéfense et Cybersécurité: Ministère français de la Défense, 2013), 2, http://www.st-cyr.terre.defense.gouv.fr/index.php/content/download/5741/39535/file/Article%20n%C2%B07%20-%20Chaire%20cyberd%C3%A9fense%20-%20Kempf.pdf. 142 NATO CCDCOE, “Mission and Vision,” NATO CCDCOE, accessed November 27, 2013, http://www.ccdcoe.org/11.html.
NATO Cyber Defence Policy Justine M. Chauvin
43
within the NATO command structure.” 143 Nonetheless, this particular environment, the
arguable reasons why this centre has been established, and the connection between
researchers and NATO, displays convincing indications that the CCD COE knowledge
production should better be understood as part of NATO’s cyber security discourse, or
at least cannot be interpreted as entirely independent of NATO’s perceptions and
interests.
143 NATO CCDCOE, “Institutional Status,” NATO CCDCOE, accessed December 1, 2013, http://www.ccdcoe.org/38.html.
NATO Cyber Defence Policy Justine M. Chauvin
44
IV. NATO CYBER DEFENCE POLICY
This fourth chapter is devoted to the analysis of NATO’s cyber security discourses and
practices, in accordance with to the conceptual framework and the different sources
reviewed above. It is constituted into four different parts: first, a short overview of
NATO cyber defence policy’s development – from 1999 to today – is provided. Secondly,
the analysis aims to examine if NATO is viewing cyber security issues from a risk
perspective, or as potential threats. Thirdly, the question to what extent NATO’s cyber
strategy could be viewed as an inclusive, or exclusive, strategy, is addressed. Finally, the
degree of institutionalization of NATO’s cyber defence policy is examined.
i. CHRONOLOGY AND OVERVIEW In 1999, NATO started to recognize cyberspace as a new domain where pursuing its
missions of collective defence, after it endured its first cyber-attacks during the Kosovo
Operation Allied Force. 144 At that time, several NATO websites were attacked
subsequently by Serbian, Chinese and Russian hackers. As a result, NATO and several
governmental websites were defaced and repeatedly unavailable for significant periods.
However, the hackers did not succeed in acquiring any confidential information, or
having a significant impact on NATO operation.145
Nonetheless, NATO took these incidents seriously. As a result, in 2002, NATO adopted
the Cyber Defence Program at the Prague Summit, with notably the creation of the
NATO Computer Incident Response Capability (NCIRC) as a part of the NATO
144 Jason Healey and Leendert Van Bochoven, NATO’s Cyber Capacities: Yesterday, Today, and Tomorrow, Issue Brief (Atlantic Council, 2011), 1. 145 Szentgáli, “The NATO Policy,” 83.
NATO Cyber Defence Policy Justine M. Chauvin
45
Communication and Information Service Agency.146 At that time, the main task of this
technical centre was to protect NATO own networks, while the protection of allies’
national computer systems fell strictly into the responsibility of state members.147
Moreover, in 2006, NATO expressed its will “to work to develop a NATO Network
Enabled Capability to share information, data and intelligence reliably, securely and
without delay in Alliance operations, while improving protection of [its] key
information systems against cyber attack.”148
However, beyond this declaration, NATO cyber defence policy did not substantially
change from 2002 until the cyber-attacks on Estonia in 2007, which are regarded by
many as the real trigger for the subsequent developments in NATO’s cyber defence
policy. 149 On April 27th, following the decision to relocate the Bronze Soldier of Tallinn
(a Soviet World War II memorial), Estonia faced a three-week wave of massive cyber-
attacks – presumably imputed to Russian nationalist hackers – targeting governmental
and private companies’ websites. At that time, the Estonian Foreign Minister, Urmas
Paet, stated that the direct involvement of the Kremlin in these attacks was likely.
However, NATO officials were reluctant to officially accuse Russia and no proof of any
direct governmental implication has been found to this day.150
At that time, Estonia requested NATO emergency assistance but the organization had no
procedure regarding attacks on cyber assets. As a result, NATO decided to develop a
146 Healey and Van Bochoven, NATO’s Cyber Capacities, 1. 147 Szentgáli, “The NATO Policy,” 83. 148 NATO, Riga Summit Declaration (Riga, Latvia: North Atlantic Council, November 29, 2006), http://www.nato.int/docu/pr/2006/p06-150e.htm. 149 Dunn Cavelty, “Cyber-Allies,” 12. 150 Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia,” The Guardian, May 17, 2007, http://www.theguardian.com/world/2007/may/17/topstories3.russia; Tony Halpin, “Estonia Accuses Russia of ’ Waging Cyber War’,” The Times, May 17, 2007, http://www.thetimes.co.uk/tto/news/world/europe/article2595189.ece.
NATO Cyber Defence Policy Justine M. Chauvin
46
cyber-doctrine and a comprehensive cyber strategy allowing NATO to respond more
effectively to cyber-attacks on state members.151 This will to enhance NATO cyber
strategy and capacities has been reinforced after the conflict between Russia and
Georgia in 2008, due to the scope and the disruptive effect of cyber-attacks that Georgia
faced, in addition to Russian operations on the ground. Even if Russia denied any
involvement in these cyber-attacks, it “unquestionably enjoyed strategic benefits
brought about by [these]”.152
Most importantly, the cyber-attacks on Georgia and Estonia have led to enlarge "the
scope of NATO cyber defense activities",153 from a strict focus on the NATO's own cyber
capacities to a more inclusive conception of cyber defence, including to a certain extent
members' cyber assets.154 The fact that the vast majority of this dissertation’s primary
sources are from after these events also displays “the growing importance of the cyber
issue over the past years.”155
At the Bucharest Summit on 2nd-4th April 2008,156 NATO established two major cyber
defence institutions; the CCD COE in Tallinn, to enhance NATO expert knowledge on
cyber security issues and develop a long-term cyber doctrine and strategy,157 and the
151 Rex Hughes, “NATO and Cyber Defence,” Atlantisch Perspectief 33, no. 1 (2009): 1, http://www.atlcom.nl/site/english/nieuws/wp-content/Hughes.pdf; Jeffrey Hunker, Cyber War and Cyber Power, Research Paper (Rome: NATO Defense College, 2010), 9. 152 Van Epps, “Common Ground,” 30. 153 Hunker, Cyber War and Cyber Power, 9. 154 Jeffrey Hunker, “NATO and Cyber Security,” in Understanding NATO in the 21st Century : Alliance Strategies, Security and Global Governance, ed. Graeme P. Herd and John Kriendler (New York: Routledge, 2013), 157. 155 Gerhard Jandl, “The Challenges of Cyber Security - A Government’s Perspective,” Human Security Perspectives 1 (2012): 29. 156 NATO, Bucharest Summit Declaration (Bucharest, Romania: North Atlantic Council, April 3, 2008), http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_8443.htm?selectedLocale=en. 157 Dunn Cavelty, “Cyber-Allies,” 13.
NATO Cyber Defence Policy Justine M. Chauvin
47
Cyber Defense Management Authority (CDMA), aiming at helping “member states to
improve [coordinate and review] their own national cyber defense capacities”, and
conducting “appropriate security risk management.”158 The CDMA is subordinated to
the Cyber Defence Management Board (CDMB). Furthermore, a Rapid Reaction Team
(RTT) was created, in charge of assisting members on a national level in case of cyber-
attacks, within the NATO Computer Incident Response Capacity Technical Centre
(NCIRC TC, set up after cyber-attacks during the Kosovo Operation Allied Force, and in
charge of the security of NATO’s networks).159 Furthermore, member states approved
the first “NATO Policy on Cyber Defence” (classified).160
In 2010, the Lisbon Summit161 especially emphasized “enhancing NATO cyber defence
capabilities.” Moreover, NATO adopted a new Strategic Concept recognizing cyber
security issues as one of the most prominent emerging security challenges.162
In August 2010, NATO also established the Emerging Security Challenges Division
(ESCD), aiming at “provid[ing] NATO with a Strategic Analysis Capability to monitor and
anticipate international developments that could affect Allied security”, 163 and notably
focusing on cyber defence.
158 Healey and Van Bochoven, NATO’s Cyber Capacities, 2. 159 Dunn Cavelty, “Cyber-Allies,” 12. 160 Kempf, L’OTAN, 2. 161 NATO, Lisbon Summit Declaration (Lisbon, Portugal: North Atlantic Council, November 20, 2010), http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_68828.htm?selectedLocale=en. 162 Michael Rühle, “NATO and Emerging Security Challenges: Beyond the Deterrence Paradigm,” American Foreign Policy Interests: The Journal of the National Committee on American Foreign Policy 33, no. 6 (2011): 281. 163 NATO, “New NATO Division to Deal with Emerging Security Challenges,” NATO, August 4, 2010, http://www.nato.int/cps/en/natolive/news_65107.htm.
NATO Cyber Defence Policy Justine M. Chauvin
48
In 2011, a second NATO cyber defence Policy, Concept, and Action Plan, was approved,
“which set out a vision for coordinated efforts in cyber defence throughout the Alliance
[…], and an associated action plan for its implementation.”164 It provided the integration
of cyber defence into the NATO Defence Planning Process (NDPP), and clarified “the
process the Alliance will use to invoke collective defense while maintaining ambiguity
about specific thresholds.”165 This document is also classified; nonetheless NATO
released documents explaining that the aims of this policy included:
“• Integrate cyber defence considerations into NATO structures and planning processes in
order to perform NATO’s core tasks of collective defence and crisis management.
• Focus on prevention, resilience and defence of critical cyber assets to NATO and Allies.
• Develop robust cyber defence capabilities and centralise protection of NATO’s own networks.
• Develop minimum requirements for cyber defence of national networks critical to NATO’s
core tasks.
• Provide assistance to the Allies to achieve a minimum level of cyber defence and reduce
vulnerabilities of national critical infrastructures.
• Engage with partners, international organisations, the private sector and academia.”166
In May 2012 at the Chicago Summit, member states emphasized developing further
NATO’s ability “to prevent, detect, defend against, and recover from cyber attacks.” They
164 NATO, “NATO and Cyber Defence,” NATO, accessed August 13, 2014, http://www.nato.int/cps/en/natolive/topics_78170.htm. 165 Healey and Van Bochoven, NATO’s Cyber Capacities, 13. 166 NATO, “Defending the Networks - The NATO Policy on Cyber Defence,” 2011, 1, http://www.nato.int/nato_static/assets/pdf/pdf_2011_08/20110819_110819-policy-cyberdefence.pdf.
NATO Cyber Defence Policy Justine M. Chauvin
49
also expressed their will “to engage with relevant partner nations […] basis and with
international organisations, […] in order to increase concrete cooperation.”167
From 2012 until today, NATO has notably achieved bringing “NATO bodies under
centralized protection”168 via the NATO Communication and Information Agency (NCIA,
created in 2012), incorporating the NCIRC TC and its RRT.169 Moreover, cyber defence
has been incorporated into the NATO Defence Planning Process (NDPP), which provides
“a framework for the harmonisation of national and Alliance defence planning activities
aimed at the timely development and delivery of all the capabilities, military and non-
military, needed to meet the agreed security and defence objectives inherent to the
Strategic Concept.”170 State members also tasked NATO with developing an enhanced
cyber defence policy “regarding collective defence, assistance to Allies, streamlined
governance, legal considerations and relations with industry.”171 Finally, it has been
endorsed by NATO Defence Ministers in June 2014, and is currently being implemented.
Another output of NATO’s attempt to tackle cyber security issues worth pointing out is
the Tallinn Manual on the International Law Applicable to Cyber Warfare.172 Its ultimate
goal is to examine the “international law governing cyber warfare”,173 in addressing the
167 NATO, Chicago Summit Declaration (Chicago, US: North Atlantic Council, May 20, 2012), para. 49, http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_87593.htm?selectedLocale=en. 168 Szentgáli, “The NATO Policy,” 86. 169 NATO, “Cyber Security,” NATO Communications and Information Agency, accessed September 1, 2014, https://www.ncia.nato.int/Our-Work/Pages/Cyber-Security.aspx. 170 NATO, “The NATO Defence Planning Process (NDPP),” NATO, accessed August 20, 2014, http://www.nato.int/cps/en/natolive/topics_49202.htm. 171 NATO, “NATO and Cyber Defence.” 172 Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013). 173 Wolff Heintchel Von Heinegg, “The Tallinn Manual and International Cyber Security Law,” Yearbook of International Humanitarian Law 15 (2012): 3.
NATO Cyber Defence Policy Justine M. Chauvin
50
applicable “jus ad bellum, jus in bello, and […] the law of neutrality.”174 It has been
produced by an “International Group of Experts”175 sponsored by CCD COE; and should
be characterized as “a consensus academic work”,176 rather than as reflecting NATO’s
doctrine (according to NATO’s official discourse).177 However, elements show that, in
practice, the Tallinn Manual has been perceived as being a NATO’s endeavour to
implement its own interpretation of international cyber security law. In particular,
criticizing the absence of experts from “anywhere outside Western Europe or North
America”178 and the resulting lack of legitimacy of such work, Russia decided essentially
to “either [ignore] or [reject] (depending on the source) the interpretations […]
represented in the Tallinn Manual.”179 For this reason, the Tallinn Manual’s content is
discussed in this analysis as a part of NATO cyber defence developments, yet restricted
to the elements reflected in NATO’s official doctrine and discourse.
ii. ANALYSIS
a. CYBER SECURITY ISSUES: RISK MANAGEMENT OR THREAT RETALIATION?
The first striking feature emerging from the analysis of NATO officials’ discourses (and
amongst these, first and foremost, NATO Secretary General Anders Fogh Rasmussen’s
speeches) is that cyber defence is often pictured as a strong example of NATO’s
174 Ibid., 4. Emphasis original. 175 Ibid., 3. 176 Ibid., 4. 177 NATO CCDCOE, “The Tallinn Manual,” NATO CCDCOE, accessed September 1, 2014, http://www.ccdcoe.org/tallinn-manual.html. 178 Van Epps, “Common Ground,” 45. 179 Eneken Tikk et al., “The Applicability of International Law in Cyberspace - From If to How?” (presented at the Georgetown University Conference on the International Law on Cyber, Georgetown University, Washington D.C., US, 2013), http://www.scholarlyinsider.com/Insider/videolist/watch/1623/the-applicability-of-international-law-in-cyberspace-from-if-to-how. See, especially, the comments of Dr. Anatoly Streltsov. Cited in Van Epps, “Common Ground,” 45.
NATO Cyber Defence Policy Justine M. Chauvin
51
persisting relevance in the 21st century. Precisely, cyber defence is seen as a new facet
of NATO’s initial mission, namely as a “part of NATO’s core task of collective defence.”180
This view is usually justified by the idea that today “it is no longer sufficient to line up
tanks along [allies’] borders to patrol and protect them, [because] Today’s threats - and
tomorrow’s – often come from the other side of the world, even from cyber space.”181
This means that from this perspective, it is to continue performing its initial role that
NATO has necessarily to take into account new forms of security challenges, among
these those coming from cyberspace. Consequently, NATO’s considerations on how it
“could assist Allies who come under cyber attack […] is [precisely] modern collective
defence.”182
The corollary of this is the recognition of cyber-attacks as having a significant impact on
NATO, as well as on member states, security. Indeed, the new 2010 Strategic Concept
highlights NATO’s vision of cyber security challenges as primordial, because “they can
reach a threshold that threatens national and Euro-Atlantic prosperity, security and
stability.”183 Moreover, the substantial importance of cyber-attacks on NATO and
member states’ cyber assets is considerably emphasized in many speeches, as a
justification of including cyber defence in NATO’s collective defence mission. For
180 Anders Fogh Rasmussen, “Press Conference” (presented at the NATO Defence Ministers Meeting, NATO Headquarters, Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_110618.htm?selectedLocale=en. 181 Anders Fogh Rasmussen, “NATO: Ready, Robust, Rebalanced” (presented at the Carnegie Europe Event, Concert Noble, Brussels, Belgium, 2013), http://www.nato.int/cps/en/natolive/opinions_103231.htm?selectedLocale=en. 182 Ibid. Emphasis added. 183 NATO, “Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organization,” NATO, 2010, 12, http://www.nato.int/strategic-concept/pdf/Strat_Concept_web_en.pdf.
NATO Cyber Defence Policy Justine M. Chauvin
52
instance, the current Deputy Secretary-General of NATO, Alexander Vershbow, argued
that:
“[The] ability to defend against cyber attacks will be central to NATO’s role as a
collective defense alliance in the coming years, especially given the fact that cyber
attacks could have consequences for our societies on the scale of armed attacks.”184
Unsurprisingly, the 2007 cyber-attacks on Estonia are regularly invoked to display the
urge and the importance of strengthening NATO’s cyber defence capacities and strategy.
In Rasmussen’s words:
“A well-orchestrated cyber attack can shut down air traffic control. It can turn off the power in
your house, your city, your country. It can shut down banks – which means no money for
anyone. This isn’t fiction. It has happened. Our NATO-Ally Estonia suffered a few years ago from
a sustained, directed cyber attack that shut down a lot of essential services.”185
Interestingly, more often than not the emphasis is put on repercussions not only in
terms of national security, but also on the impact of cyber-attacks on individuals. This is
particularly salient comparing NATO’s cyber security discourse with other emerging
security challenges (such as terrorism, the proliferation of Weapons of Mass
Destruction (WMD), and energy security). Regarding the latter, direct invocation of
people as the target of cyber-attacks is slightly more widespread. Therein, this quote of
the then Secretary General of NATO, Jaap de Hoop Scheffer, is particularly striking:
184 Alexander Vershbow, “Challenges Facing NATO and the Transatlantic Community Post-2014” (presented at the 30th International Workshop on Global Security, Hôtel national des invalides, Paris, France, 2013), http://www.nato.int/cps/en/natolive/opinions_101606.htm?selectedLocale=en. 185 Anders Fogh Rasmussen, “Speech” (Georgetown University, Washington D.C., US, 2010), http://www.nato.int/cps/en/natolive/opinions_61566.htm?selectedLocale=en.
NATO Cyber Defence Policy Justine M. Chauvin
53
“Speak to Estonia, speak to Estonians and they can easily tell you what it means
when the whole government system or a bank or a factory or whatever, your
Internet traffic, your Internet banking will be brought to a standstill because some
people have made a decision to launch a cyber attack.”186
From a securitization perspective, Hansen and Nissenbaum have already highlighted
how cyber security has been securitized through specific ‘‘grammars’’, amongst these
everyday security practices, which focuses on “mobiliz[ing] “normal” individuals’
experiences”,187 in order to “to secure the individual’s partnership and compliance […],
and to make hypersecuritization scenarios more plausible by linking elements of the
disaster scenario to experiences familiar from everyday life.”188 According to these
initial remarks, NATO’s views on cyber defence seem to be more focused on threats
than risks, as discourses tend to stress empirical situations, as well as very practical
effects of cyber-attacks on state security – and on individuals – to display the
significance of these.
Indeed, regarding cyber-attacks, NATO displays the idea that “threat is very
clear”,189 as “attacks on industry and government websites and information systems
are already a daily occurrence […]. And while [NATO is] certainly able to do better,
[it] have a general idea of the steps [it] should take. The challenge is figuring out
how to do it.”190
186 Jaap De Hoop Scheffer, “Speech at the Annual Press Reception on the Occasion of the New Year” (NATO Headquarters, Brussels, Belgium, 2008), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_7374.htm?selectedLocale=fr. 187 Hansen and Nissenbaum, “Digital Disaster,” 1165. 188 Ibid. 189 Anders Fogh Rasmussen, “Speech on Emerging Security Risks” (Lloyd’s, London, UK, 2009), http://www.nato.int/cps/en/natolive/opinions_57785.htm?selectedLocale=en. 190 Ibid.
NATO Cyber Defence Policy Justine M. Chauvin
54
To a substantial extent these elements seem in accordance with Wallander and
Keohane’s argument that “threats pertain when there are actors that have the
capabilities to harm the security of others and that are perceived by their potential
targets as having intentions to do so.”191
Turning to the origin of this new threat, NATO has been cautious not to point the
finger192 at any government, even if during the cyber-attacks on Estonia and Georgia
officials from these two countries hold the Kremlin responsible explicitly, considering
the political context. Predominantly in its official documents, NATO recognizes that
threats emerging from the cyberspace can come from states, but also from “hacktivists
or criminal organisations, among many others.”193 Precisely, in its 2010 Strategic
Concept, NATO identified “foreign militaries and intelligence services, organised
criminals, terrorist and/or extremist groups”194 as the most likely sources of cyber-
attacks. In this sense, the inherent difficulty of identifying the perpetrators behind a
cyber-attack (and even more, to prove that a government can be hold responsible for
this)195 makes it very difficult to address cyber security issues from a traditional threat
perspective without generating or increasing geopolitical instability. Overall, the
cautiousness with which NATO refers to the sources of cyber security threats – facing
NATO and its members – could reasonably be explained, to a certain extent, by the
recurrent attribution problem.
191 Wallander and Keohane, “Risk,” 25. 192 Traynor, “Russia Accused.” 193 NATO, “Defending the Networks,” 1. 194 NATO, “Strategic Concept,” 11. 195 Klimburg, “Mobilising Cyber Power.”
NATO Cyber Defence Policy Justine M. Chauvin
55
However, since the beginning of the Russia-Ukraine crisis, and the resulting tensions
between NATO and Russia, state members are becoming more likely to explicitly blame
Russia for using cyber-activities to destabilize the Ukrainian government; 196 notably
regarding the very sophisticated virus named “Snake”, which has been detected in the
Ukrainian networks since March 2014.197 These relatively recent changes show that
depending on the future developments in Ukraine, NATO could become less hesitant in
accusing Russia of using cyberattacks or sponsoring proxy groups. Nonetheless, it
should be noted that so far, NATO has been fairly reluctant to openly accuse any
government of being directly involved in cyber-attacks on another state. Concerning
Russia in particular, until recently NATO officials often stress the constructive
developments of NATO-Russia cooperation, even if the on-going political tensions tend
to mitigate these discourses.198
In this context, the 2010 Strategic Concept considers NATO mission in the cyberdomain
as consisting in:
“develop[ing] further [its] ability to prevent, detect defend against and recover from
cyberattacks including by using the NATO planning process to enhance and
coordinate national cyber-defence capabilities, bringing all NATO bodies under
196 Philip M. Breedlove, “Opening Statement” (presented at the 171st NATO Chiefs of Defence meeting, NATO Headquarters , Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_110223.htm?selectedLocale=en. 197 Steven Erlanger and David E. Sanger, “Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government,” The New York Times, March 8, 2014, www.nytimes.com/2014/03/09/world/europe/suspicion-falls-on-russia-as-snake-cyberattacks-target-ukraines-government.html. 198 See, e.g., in comparison, Anders Fogh Rasmussen, “Future NATO” (Chatham House, London, UK, 2014), http://www.nato.int/cps/en/natolive/opinions_111132.htm?selectedLocale=en; Anders Fogh Rasmussen, “NATO – Delivering Security in the 21st Century” (Chatham House, London, UK, 2012), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_88886.htm?selectedLocale=fr.
NATO Cyber Defence Policy Justine M. Chauvin
56
centralized cyber protection, and better integrating NATO cyber awareness,
warning and response with member nations.”199
The details on NATO Policy on Cyber Defence openly released further emphasized that
“NATO cyber defence efforts are based on the overarching principles of prevention and
resilience […].”200
It should be noted that NATO cyber defence policy focus primarily “on the protection of
NATO networks and on cyber defence requirements related to national networks that
NATO relies upon to carry out its core tasks: collective defence and crisis
management.”201 This focus on NATO’s own networks, while underscoring state
responsibility for its national cyber assets is regularly reiterated.202 However, in 2013
NATO broadened its mission (notably in including cyber defence in the NDPP), in order
“to ensure that Allies have the basic organisation, capabilities, and interoperability to
assist each other in the event of cyber attacks.”203
Wallander and Keohane stipulated that:
“Institutions meant to cope with security threats will have rules, norms, and
procedures to enable the members to identify threats and retaliate effectively
199 NATO, “Strategic Concept,” 16–17. 200 NATO, “Defending the Networks,” 2. 201 Ibid. 202 Rasmussen, “Press Conference,” 2014; Anders Fogh Rasmussen, “Press Conference Following the Meeting of the North Atlantic Council in Defence Ministers Session” (NATO Headquarters, Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_104257.htm?selectedLocale=en; Anders Fogh Rasmussen, “Press Conference Following the NATO Defence Ministers Meeting” (NATO Headquarters, Brussels, Belgium, 2013), http://www.nato.int/cps/en/natolive/opinions_101151.htm?selectedLocale=en; Rasmussen, “NATO – Delivering Security.” 203 Anders Fogh Rasmussen, “Future NATO: Towards the 2014 Summit - Secretary General’s Annual Report 2013” (NATO Headquarters, Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_106247.htm?selectedLocale=en.
NATO Cyber Defence Policy Justine M. Chauvin
57
against them. Institutions meant to cope with security risks will have rules, norms,
and procedures enable members to provide and obtain information and to manage
disputes in order to avoid generating security dilemmas.”204
In accordance with this perspective, NATO cyber defence policy seems – regarding its
purpose – more concerned about threats that risks, regarding the fact that a significant
part of what has been done concerns the protection of NATO’s networks, and more
recently state members’ networks, rather than managing conflict per se.
Furthermore, the use of terms such as “cyber warfare” in NATO officials’ discourses205
and in the Tallinn Manual206 tends to reinforce the view that NATO is viewing at cyber
security issues from a threat perspective. The existence of any “cyberwar”, as well as the
relevance and implications of this term is still far from being consensual amongst
scholars and practitioners;207 even if it tends to become omnipresent in military circles,
especially in the US.208 What is important here is to note that linking cyber-attacks with
204 Wallander and Keohane, “Risk,” 29. 205 Alexander Vershbow, “Looking towards the Wales Summit” (NATO Defense College, Rome, Italy, 2014), http://www.nato.int/cps/en/natolive/opinions_111056.htm?selectedLocale=en; Anders Fogh Rasmussen, “Switzerland and NATO : Partners in Security” (Churchill Symposium, Zürich, Switzerland, 2012), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_91490.htm?selectedLocale=en; Anders Fogh Rasmussen, “Building Security in an Age of Austerity” (presented at the 2011 Munich Security Conference, Hotel Bayerischer, Munich, Germany, 2011), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_70400.htm?selectedLocale=fr. 206 Schmitt, Tallinn Manual. 207 See, e.g., Thomas Rid, Cyber War Will Not Take Place (London: Hurst & Company, 2013); John Stone, “Cyber War Will Take Place!,” Journal of Strategic Studies 36, no. 1 (2013): 101–8; Myriam Dunn Cavelty, “The Militarisation of Cyberspace: Why Less May Be Better” (presented at the International Conference on Cyber Conflict Proceedings, CCD COE,Tallinn, 2012); Mary Ellen O’Connell, “Cyber Security without Cyber War,” Journal of Conflict & Security Law 17, no. 2 (2012): 187–209; James Lewis, “The Fog of Cyberwar,” International Relations and Security Network, 2009, http://isnblog.ethz.ch/intelligence/isn-weekly-theme-the-fog-of-cyberwar; John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” in Athena’s Camp: Preparing for Conflict in the Information Age, ed. John Arquilla and David Ronfeldt (Santa Monica: RAND, 1997), 23–60. 208 See, e.g., Sean Lawson, “Putting the ‘War’ in Cyberwar: Metaphor, Analogy, and Cybersecurity Discourse in the United States.,” First Monday 17, no. 7 (2012), http://firstmonday.org/ojs/index.php/fm/article/view/3848/3270; Ryan Singel, “White House Cyber
NATO Cyber Defence Policy Justine M. Chauvin
58
the notion of warfare is not trivial, and denotes a certain vision of cyber security issues
undoubtedly focused on a threat perspective rather than on risk management.
Moreover, NATO cyber security discourses display a vision of cyber security as
undoubtedly falling into the responsibility of governments and particularly, military
circles.209 This particular vision is currently shared by many governments and has been
outlined repeatedly by scholars.210 Form a discursive perspective, Dunn Cavelty argued
that, “the stronger the link between cyberspace and a threat of strategic dimensions
becomes, the more natural it seems that the keeper of the peace in the cyberspace
should be the military.”211 In definitive, this shows that NATO’s narrative is participating
to the constitution of this widespread vision of cyber threats as falling into the scope of
military issues; which, simultaneously, reinforces its own legitimacy, as a military
alliance, in this security field.
As a conclusion, the recurrent evocations in NATO’s discourses and official documents
of the significant impact of cyber-attacks on national security, as well as on individuals,
along with a policy centred on protection of NATO and state members’ networks, and
the semantic use of military-centred terms such as “cyberwarfare”, display significant
elements demonstrating that NATO is viewing at cyber security from a threat
perspective, in accordance with Wallander and Keohane’s definition.
Czar: ‘There Is No Cyberwar,” Wired, March 4, 2010, http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/; Mike McConnell, “How to Win the Cyber-War We’re Losing,” The Washington Post, February 28, 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html; William Lynn, “Defending a New Domain,” Foreign Affairs 89, no. 5 (2010): 97–108; Bendrath, “The Cyberwar Debate.” 209 Rasmussen, “Press Conference,” 2013. 210 See, footnote n°214. 211 Myriam Dunn Cavelty, “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse,” International Studies Review 15, no. 1 (2013): 119.
NATO Cyber Defence Policy Justine M. Chauvin
59
b. NATO’S CYBER STRATEGY: INCLUSIVE OR EXCLUSIVE?
NATO’s discourse on cyber defence abundantly stresses the importance of international
cooperation and partnerships in this domain; usually in relation to the broad
recognition that new global threats, such as cyber threats, bypass borders and demand
“a global perspective.”212 In parallel, what is usually underscored by NATO’s officials is
that NATO is a “unique forum”213 where states can “develop new common approaches
to new common challenges – such as terrorism, proliferation, and cyber warfare –”214
which are complex and request “a high degree of consultation, coordination, and
cooperation.”215 This narrative was defined by Wagnsson as “the seminar leader”, that
is, the idea that NATO is picturing itself as a “powerful ‘security hub’ in the global
arena.”216 Focused on partnerships with partners sharing common interests and based
on the idea that “transnational threats […] demand a comprehensive approach and joint
action by many different actors”,217 it emphasises on NATO as a “forum for global
consultation”,218 if not a “worldwide security provider.”219
In particular, Rasmussen stated that because cyber-attacks are inherently transcending
state borders, a successful cyber defence policy “need[s] sustained international
212 Rasmussen, “Switzerland and NATO.” 213 Anders Fogh Rasmussen, “NATO – Value for Security” (Bratislava, Slovakia, 2011), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_74522.htm?selectedLocale=fr. 214 Ibid. 215 Rasmussen, “NATO – Delivering Security.” 216 Wagnsson, “NATO’s Role,” 493. 217 Ibid. 218 Anders Fogh Rasmussen, “NATO in the 21st Century: Towards Global Connectivity” (presented at the Munich Security Conference, Hotel Bayerischer Hof, Munich, Germany, 2010), http://www.nato.int/cps/en/natolive/opinions_61395.htm; Anders Fogh Rasmussen, “On Alliance Solidarity in the 21st Century” (Tallinn, Estonia, 2010), http://www.nato.int/cps/en/natolive/opinions_62699.htm; Anders Fogh Rasmussen, “Speech” (presented at the Strategic Concept Seminar, Helsinki, Finland, 2010), http://www.nato.int/cps/en/natolive/opinions_61891.htm. 219 Rob de Wijk, “Speech on NATO’s New Strategic Concept” (MCCS, Lisbon, 2009), http://www.nato.int/cps/en/natolive/opinions_58107.htm?selectedLocale=en.
NATO Cyber Defence Policy Justine M. Chauvin
60
cooperation, between countries that trust each other. And that certainly includes
NATO.”220 In definitive, “an effective response to today’s complex challenges requires
the right connections [for NATO] with other nations and organisations, wherever they
may be located on the globe.”221 In this context, officials’ discourses emphasises on
NATO’s expertise and added value that it can share with state members and partners.222
For instance, in 2011, NATO adopted a “more efficient and flexible partnership
policy”,223 identifying cyber defence as a key sector.224 According to Ioanna-Nikoletta
Zyga, “this increasing emphasis on partnership mirrors a realization among Allies that
partners are a vital factor in addressing the threats and challenges that shape today’s
security landscape.”225 It should also be noted that NATO annual cyber defence
exercises integrate several partners, namely, in 2013, five non-NATO nations (Austria,
Finland, Ireland, Sweden and Switzerland), as well as New Zealand and the European
Union (which both have observer status).226
Similarly to what has been said in the previous section, NATO’s justification of its
broader conception of security, as well as its will to provide security on a global scale, is
based on the idea that new security challenges require intrinsically a global approach.
However, this does not suppose changing the ultimate goal of the Alliance, namely,
220 Rasmussen, “Speech (Georgetown University).” 221 Rasmussen, “Future NATO (Chatham House).” 222 Rasmussen, “Speech (Lloyd’s)”; De Hoop Scheffer, “Speech at the Annual Press Reception.” 223 NATO, “Active Engagement in Cooperative Security: A More Efficient and Flexible Partnership Policy,” 2011, http://www.nato.int/nato_static/assets/pdf/pdf_2011_04/20110415_110415-partnership-policy.pdf. 224 NATO, “Partnerships: A Cooperative Approach to Security,” NATO, accessed August 23, 2014, http://www.nato.int/cps/en/natolive/topics_84336.htm. 225 Ioanna-Nikoletta Zyga, “Emerging Security Challenges: A Glue for NATO and Partners?,” Research Divison - NATO Defense College, Rome, no. 85 (2012): 3. 226 NATO, “NATO Holds Annual Cyber Defence Exercise,” NATO, November 26, 2013, http://www.nato.int/cps/en/natolive/news_105205.htm?selectedLocale=en.
NATO Cyber Defence Policy Justine M. Chauvin
61
collective security.227 On the contrary, it is precisely because NATO’s core mission has
not changed, but that the global environment has, that NATO has to evolve in order to
maintain its relevance, according to NATO officials’ discourses.
Interestingly, when it comes to NATO’s fundamental mission, the emphasis on shared
values is very present in NATO officials’ discourses. Rasmussen notably stated that
“NATO’s essential mission remains the same: to ensure that the Alliance remains a
strong community of freedom, peace, security and shared values.”228 Moreover, he
claimed that “NATO is more than a military Alliance, […] [it is] a community of values,
[…] namely individual liberty, democracy, the rule of law and human rights.”229
This emphasis on NATO as the receptacle of particular values is very interesting
regarding the constructivist literature on NATO, notably the emphasis that several
scholars have put on NATO’s role as a norm promoter.230 Moreover, Rasmussen also
displays elements that can be connected with NATO’s role as a socialization agent,
which can modify state preferences.231 For instance, he stated that:
“Throughout Central and Eastern Europe, NATO membership has been a powerful
incentive for reform. Countries aspiring to membership have restructured their
armed forces and brought them under democratic control. They have enhanced
accountability and transparency. And strengthened the rule of law.”232
227 Rasmussen, “Future NATO (Chatham House).” 228 Ibid. 229 Ibid. 230 See, e.g., Gheciu, Securing Civilization?; Gheciu, NATO in the “New Europe”; Helene Sjursen, “On the Identity of NATO,” International Affairs 80, no. 4 (2004): 687–703; Risse-Kappen, “Collective Identity.” 231 As mentioned in chapter II, see, e.g., Adler, “The Spread”; Flockhart, “‘Masters and Novices’”; Schimmelfennig, The EU, NATO. 232 Rasmussen, “NATO – Delivering Security.”
NATO Cyber Defence Policy Justine M. Chauvin
62
This vision of NATO, as focused on partnerships and conveying norms and values tends
to accredit the idea that NATO is indeed an inclusive alliance: regarding the global
security issues that it face nowadays, it is currently broadening its cooperation in order
to tackle effectively the emerging security challenges of the 21st century, amongst others
cyber security. As Ivo Daalder and James Goldgeier observed:
“If the point of the alliance is no longer territorial defense but bringing together
countries with similar values and interests to combat global problems, then NATO
no longer needs to have an exclusively transatlantic character.”233
Williams and Neumann underscore that with this emphasis on partnerships, NATO has
transformed “its own identity and its portrayal of conditions of security”,234 which in
turn, helped to shape a shared understanding reinforcing NATO’s legitimacy in this
changing security landscape.235
However, several other insights tend to mitigate this first impression. First of all, a
community of shared values is founded on the recognition of on one hand, states
entitled to these values, and on the other hand, states that are considered as not
committed to these values. This first and fundamental division explain why NATO’s
partnerships are selective.236
Regarding partnerships with other actors than states, while NATO, “recognising the
truly global nature of cyberspace and its associated threats,”237 stresses the importance
of “work[ing] with partners, international organisations, academia and the private
233 Ivo Daalder and James Goldgeier, “Global NATO,” Foreign Affairs 85, no. 5 (2006): 109. 234 Neumann and Williams, “From Alliance,” 75. 235 Ibid., 90. 236 Daalder and Goldgeier, “Global NATO,” 111. 237 NATO, “Defending the Networks,” 2.
NATO Cyber Defence Policy Justine M. Chauvin
63
sector”;238 it remains that cyber security is a national responsibility for all allies,
individually and together under the auspices of NATO.239
Furthermore, in practice, NATO partnerships in the domain of cyber defence are still
limited and quite exclusive.240 If NATO’s members have indeed increased their
cooperation within NATO, as well as via subsidiary organisations, such as the
Multinational Cyber Defence Capability Development (MNCD2, aiming at developing
cooperation “in order to effectively and efficiently develop and acquire capabilities for
national use”241), more often than not these initiatives still exclude non-state members;
even if a potential participation of “partner nations” is starting to be discussed.242 The
same rules are applied by the CCD COE.243 Moreover, as it has been noticed above, the
fact that experts who worked on the Tallinn Manual were predominantly from NATO
nations has not gone unnoticed by other countries, which deplored the exclusive
character of such work.244
According to US lieutenant colonel Geoff Van Epps:
“NATO policy essentially forbids cooperating on cybersecurity with any countries
outside the Alliance except for a select group of its closest partners,[245] requiring
238 Ibid. 239 Rasmussen, “Press Conference,” 2013. 240 Van Epps, “Common Ground,” 41. 241 MNCD2, “Multinational Cyber Defence Capability Development,” MNCD2, accessed August 26, 2014, https://mncd2.ncia.nato.int/Pages/default.aspx. 242 Ibid. 243 NATO CCDCOE, “CCD COE.” 244 Van Epps, “Common Ground,” 45. 245 i.e., the non-NATO nations participating to the NATO Holds Annual Cyber Defence Exercise, as seen above. Jandl, “The Challenges,” 36.
NATO Cyber Defence Policy Justine M. Chauvin
64
either a change to current policy or case-by-case exceptions to forge any real cyber
partnership.”246
From his perspective, the exclusive character of NATO cyber defence policy is imbedded
in the defiance of former Warsaw Pact Members or Soviet republics towards Russia, and
more generally towards non-NATO nations. For these countries, cooperation on
cybersecurity is a heresy, and nearly unthinkable. As unanimity is required for all NATO
decisions, “without their consent, no change is possible […].”247
It should be noted that his dissertation tends to examine NATO as a unitary actor,
mainly because the scope of this research does not allow further investigations on
NATO internal tensions. Nevertheless, it does not claim that such tensions do not exist
or are insignificant. On the opposite, regarding NATO partnerships on cyber security, it
seems that the events in Estonia and Georgia have had more an impact on Eastern
European countries for understandable geopolitical reasons, that they are more worried
about Russia’s intentions, and consequently keener on engaging NATO in collective
cyber defence.248 In accordance with this, the declarations of national top-officials
during the cyber-attacks on Estonia and Georgia are enlightening.249
Besides, at the time of writing NATO-Russia partnership is currently suspended because
of the crisis between Ukraine and Russia, which has led to the condemnation by NATO
members of “Russia’s illegal military intervention in Ukraine and Russia’s violation of
246 Van Epps, “Common Ground,” 41. 247 Ibid. 248 Zyga, “Emerging Security Challenges,” 4. 249 Shachtman, “Top Georgian Official”; Traynor, “Russia Accused”; Halpin, “Estonia Accuses Russia.”
NATO Cyber Defence Policy Justine M. Chauvin
65
Ukraine’s sovereignty and territorial integrity.”250 The current situation and its future
developments will certainly have a substantial impact on NATO’s perception of Russia’s
intentions, in the cyberdomain and beyond. However, even before these events, NATO’s
discourse on Russia seemed “somewhat schizophrenic”;251 simultaneously stressing the
idea that Russia is not a threat for NATO,252 but acknowledging that some member
states remained concerned about Russia.253
Additionally, it seems clear regarding the elements mentioned above that NATO’s
perception on cyber threats conceives these as emanating from outside the Alliance. In
parallel, Wallander and Keohane stipulated that from their perspective, “collective
security arrangements are inclusive, since they are designed to deal with threats among
members; alliances are exclusive because they […] defend against external threats.”254
Here, NATO discourse clearly emphasizes the external character of cyber threats, while
the partnerships’ main purpose is to increase the effectivity of NATO’s response and
resilience to these. This core mission of protecting the Alliance, and its members, via a
coordination of their cyber defence policy and capacities, along with the strong
emphasis in NATO’s discourse on enhancing the protection if their cyber assets, tend to
accredit the vision of NATO as an alliance as Wallander and Keohane stated that:
250 NATO, “NATO’s Relations with Russia,” NATO, accessed August 26, 2014, http://www.nato.int/cps/en/natolive/topics_50090.htm? 251 Wagnsson, “NATO’s Role,” 491. 252 Rasmussen, “NATO – Delivering Security.” 253 Anders Fogh Rasmussen, “NATO at 60 – Traditional Values and New Threats” (presented at the 14th International NATO Conference, Budapest, Hungary, 2009), http://www.nato.int/cps/en/natolive/opinions_59297.htm; Anders Fogh Rasmussen, “Speech” (presented at the NATO Parliamentary Assembly meeting, Edinburgh, UK, 2009), http://www.nato.int/cps/en/natolive/opinions_59214.htm. 254 Wallander and Keohane, “Risk,” 26.
NATO Cyber Defence Policy Justine M. Chauvin
66
“Alliances and alignments […] need effectively to aggregate the military capabilities
of their members in order to pose credible deterrence threats or efficient
instruments of defence. In contrast, security management institutions do not need
to mount credible deterrents and effective defences against adversaries. They need
to provide for transparency, consultation, and incentives for cooperative strategies
among members.”255
Nevertheless, as noted above, NATO members do not necessarily rank their priorities in
a similar way, and this could lead to internal disagreements.256 In this sense, enhancing
NATO cyber defence policy can also be viewed as a way to reaffirm solidarity amongst
members, especially towards NATO nations formerly under the Soviet Union’s sphere of
influence. Indeed, regarding the empirical record and the public requests from these
nations,257 they are commonly perceived as the allies who could be the most probably
attacked, and consequentially emphasize more on the applicability and importance of
NATO’s obligation of collective defence in the cyberdomain. 258 Overall, officials’
discourse underscore that it is important for NATO to assist nations requesting
assistance in case of cyber-attacks, also because “this would show [NATO’s] solidarity as
an Alliance.”259
In conclusion, NATO cyber defence policy is to some extent becoming more inclusive
(which is particularly emphasized in NATO officials’ discourses), but substantial
255 Ibid., 33. 256 David S. Yost, “NATO’s Evolving Purposes and the next Strategic Concept,” International Affairs 86, no. 2 (2010): 519. 257 Ibid., 495. 258 Anders Fogh Rasmussen and Taavi Roivas, “Opening Remarks - Joint Press Point” (Tallinn, Estonia, 2014), http://www.nato.int/cps/en/natolive/opinions_109662.htm?selectedLocale=en. 259 Anders Fogh Rasmussen, “Opening Remarks in Defence Ministers Session” (presented at the North Atlantic Council, NATO Headquarters, Brussels, Belgium, 2013), http://www.nato.int/cps/en/natolive/opinions_101100.htm?selectedLocale=en.
NATO Cyber Defence Policy Justine M. Chauvin
67
limitations remain regarding the scope of cooperation, and the choice of partners.
Moreover, the inclusion of non-NATO nations is not described as a change in NATO’s
core mission (from defending against an external threat, in opposition with managing
an internal threat in reducing uncertainty), but rather as a necessary strategy implied
by the emergence of global security threats.
Even if on this particular topic, there is some dissention among NATO members
regarding the level of threat, the perception of cyber threats facing NATO – as arising
from outside the Alliance – seem shared to a great extent. Overall, even if NATO cyber
defence policy enhancement has been justified as a demonstration of NATO’s collective
solidarity, which reinforces NATO’s internal coherence;260 ultimately, it seems that this
does not put into question the prevalence of the vision of NATO cyber defence policy as
aiming at defending allies against an external threat.
c. INSTITUTIONALIZATION OF NATO’S CYBER DEFENCE POLICY
As it has been reviewed above, NATO established several organizational units in charge
of coping with cyber security challenges. While some of them are technical and focus
primarily on the protection of NATO’s networks, such as NATO Communication and
Information Agency (NCIA),261 others, for instance NATO Defence Planning Process
(NDPP),262 are in charge of harmonizing national capacities and policy of member
states, in accordance with NATO’s Strategic Concept. Altogether, these organizations are
focused on NATO allies’ – individually and together – operational capacity. In parallel,
the NATO CCD COE has been established to advance “the development of long-term
260 Michael Horowitz notably states that the emergence of cyberspace as a global common may present opportunities for renewed cooperation within NATO.” Horowitz, “A Common Future?,” 5. 261 NATO, “Cyber Security.” 262 NATO, “NDPP.”
NATO Cyber Defence Policy Justine M. Chauvin
68
NATO cyberdefense doctrine and strategy, seeking to be ‘the main source of expertise in
the field of cooperative cyberdefense.’”263
While the exact set-up and endowments of these organizational units are difficult to
assess because of the lack of public information, the considerable amount of money and
the managerial effort dedicated to implement NATO cyber defence system have not
gone unnoticed.264 Moreover, the fact that NATO cyber defence institutional system is
combining “political, military, industrial, and technological approaches to
cybersecurity”265 displays strong evidences that NATO cyber defence policy is indeed
becoming greatly institutionalized, accrediting the thesis of NATO’s transformation into
a security management institution “with highly institutionalized practices.”266
Turning to NATO’s discourses, noticeable trends illustrate NATO’s emphasis on the need
of approaching cyber defence from multiple angles (and translated into institutionalized
practices) to be effective. In Rasmussen’s own words:
“NATO’s fundamental responsibility in this domain is to defend our own systems,
while nations defend theirs. But under the new policy, we will enhance information
sharing and mutual assistance between Allies. We will improve NATO’s cyber
defence training and exercises. And we will boost our cooperation with industry.”267
263 Dunn Cavelty, “Cyber-Allies,” 13. 264 Kempf, L’OTAN, 5; Dunn Cavelty, “Cyber-Allies,” 13; Healey and Van Bochoven, NATO’s Cyber Capacities, 4. 265 Tikk, “Global Cybersecurity,” 112. 266 Wallander and Keohane, “Risk,” 28. 267 Rasmussen, “Press Conference,” 2013.
NATO Cyber Defence Policy Justine M. Chauvin
69
NATO officials also repeatedly declared that institutionalizing NATO cyber defence is
the most suitable way to protect every link in the chain of NATO cyber defence,268
providing a suitable response in case of cyber-attacks on NATO or allies’ networks,269
and taking advantage of NATO’s added value in this security field.270
However, these first remarks have to be nuanced with regards to other elements of
NATO cyber defence policy; in particular the application to cyber-attacks of the Articles
4 and 5 of its constitutive treaty, and the conclusions of the Tallinn Manual.
Regarding the application of Articles 4 and 5, in 2010, a group of experts has been
nominated to assist the Secretary General in drafting the new Strategic Concept. Their
report was officially agreed by Allies at the Lisbon Summit in November 2010.271 It
stipulates that cyber-assaults are amongst “the most probable threats to Allies in the
coming decade”272, and that they “may or may not reach the level of an Article 5
attack.”273 In this context, NATO collective defence mechanism of Article 5 has to be
determined on case-by-case basis, accordingly with “the nature, source, scope, and
other aspects of the particular security challenge.”274 Importantly, the report stresses
268 Rasmussen, “Press Conference,” 2014. 269 Rasmussen, “Speech (Georgetown University).” 270 De Hoop Scheffer, “Speech at the Annual Press Reception.” 271 NATO, “NATO 2020: Assured Security; Dynamic Engagement,” NATO, accessed September 1, 2014, http://www.nato.int/cps/en/natolive/topics_85961.htm. 272 NATO, “NATO 2020: Assured Security; Dynamic Engagement - Analysis and Recommendations of the Group of Experts on a New Strategic Concept for NATO,” May 17, 2010, 18, http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2010_05/20100517_100517_expertsreport.pdf. 273 Ibid., 10. 274 Ibid., 21.
NATO Cyber Defence Policy Justine M. Chauvin
70
that, “NATO should assume that serious threats will in fact materialize”,275 emphasizing
on calibrating accordingly “detection, deterrence and response”.276
The notion of deterrence, largely conceptualized and applied during the Cold War,277 is
usually remarkably absent of NATO’s official discourses. This can be viewed as NATO’s
clear will to detach itself form its initial mission during the Cold War, in order not to
appear as a relic from the past. However, the presence of such word in official
documents, agreed by the allies, displays also evidence that such logic did not totally
disappear NATO’s policy. On a subsidiary basis, it should be noted that this report has
been directed by Madeleine K. Albright, former US ambassador. Or, in opposition with
NATO’s official discourse, since many years US officials’ discourses and documents have
recurrently applied the concept of deterrence to cyberspace,278 which has been
criticized for being both inaccurate and counter-productive.279
Paradoxically, this illustrates, on the one hand, that examining NATO as a single actor
can limit our understanding concerning the effects of the unequal influence of each
member on NATO policy. Nonetheless, on the other hand, it shows that NATO – at least
275 Ibid. 276 Ibid. Emphasis added. 277 Lawson, “Putting the ‘War.’” 278 US Department of Defense, “Department of Defense Cyberspace Policy Report,” US Department of Defense, 2011, http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf; Barack Obama, “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” The White House, May 29, 2009, http://www.whitehoU.S.e.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure; US Department of Homeland Security, “National Strategy to Secure Cyberspace,” US Department of Homeland Security, 2003, http://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf; US Department of Defense, “The Cyber Domain.” 279 Dunn Cavelty, “The Militarisation”; Noah Shachtman and Peter W. Singer, “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive,” Brookings, August 15, 2011, http://www.brookings.edu/research/articles/2011/08/15-cybersecurity-singer-shachtman; Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica: RAND Corporation, 2009); Martin C. Libicki, Defending Cyberspace and Other Metaphors (Washington D.C.: US Government Printing Office, 1997).
NATO Cyber Defence Policy Justine M. Chauvin
71
in the field of cyber defence – does not completely replicate its allies’ national policy
(not even the US, which is arguably the most influential one), as deterrence is a concept
barely evocated in NATO cyber defence policy. Consequentially it also illustrates the
merits of a holistic approach.
Returning to the report, its most important conclusion is that: “the risk of a large-scale
attack on NATO’s command and control systems or energy grids could readily warrant
consultations under Article 4 and could possibly lead to collective defence measures
under Article 5.”280 In substance, it states that NATO could not be restrained form
applying Article 5, depending on the context, but does not provide any further
clarifications on what could require this application. Accordingly, if the
institutionalization of NATO cyber defence, as reviewed above, “has given clarity to the
process the Alliance will use to invoke collective defense”,281 it maintains “ambiguity
about specific thresholds”282 with the appreciation on a case-by-case basis.
In parallel, it could be viewed that if NATO has made substantial institutional
improvements regarding the protection of its cyber-assets and its capacity to assist
member states in case of cyber-attacks; however, regarding the Tallinn Manual, the
institutionalization of NATO’s response in case of cyber-attacks which could be
categorized as armed attacks (in accordance with the international law of armed
conflict) is still fundamentally flexible. For instance, the experts have not been able to
280 NATO, “NATO 2020 [report],” 46. 281 Healey and Van Bochoven, NATO’s Cyber Capacities, 3. 282 Ibid.
NATO Cyber Defence Policy Justine M. Chauvin
72
reach a consensus on evaluating the threshold of a cyber armed attack, the notion of
self-defence, and the notion of organized armed groups in the cyberspace.283
In conclusion, if several institutional mechanisms have been established by NATO to
manage and mitigate the effects of cyber-attacks of law intensity and scale (which are
the one commonly experienced by NATO), the attempt to institutionalize practices in
case of a cyber-attack reaching the definition of use of force is still in its infancy (notably
because the empirical records regarding this type of attacks, and the potentiality of their
future occurrence, is to a certain extent still debated). With regard to the Tallinn Manual
and the different public releases on NATO policy on cyber defence, it is noticeable that
beyond a consensus on several rules of law reflecting the international law of armed
conflicts, a flexible response on a case-by-case application of either Article 4 or 5 is still
privileged.
On the one hand, the cyber security issues facing NATO on a daily basis, which are
limited in scope, have led to several institutional developments that can illustrate
NATO’s transformation into a security management institution. On the other hand, these
elements display the idea that NATO’s perception of cyber defence, at the highest level,
is still embedded in the vision of itself as an Alliance designed to assure collective
defence against threats, which demands flexibility in choosing the adequate response, in
opposition with a truly security management institution designed to reduce
uncertainty.284
283 Kempf, L’OTAN, 7. 284 Wallander and Keohane, “Risk,” 30.
NATO Cyber Defence Policy Justine M. Chauvin
73
V. CONCLUSION
At first glance, this dissertation displays mixed results: On the one hand, it has been
indicated that NATO is currently establishing significant institutional practices, aiming
at protecting NATO’s own cyber assets (and to a lesser extent, state members’ national
networks) in developing cooperative processes, and in sharing information and best
practices. Moreover, to a certain extent, the development of NATO cyber defence policy
can be seen as responding to internal logic of preserving NATO’s coherence and
solidarity amongst its members.
On the other hand, NATO seems to clearly perceive cyber security issues from a threat
perspective. Its partnerships, although discursively emphasized by NATO officials, are
still quite limited and exclusive, and ultimately do not presuppose a change in NATO’s
core mission, namely, the collective defence of its members. Furthermore, the
institutionalization of NATO cyber defence policy seems to concern in priority a certain
type of cyber-attacks, namely the most commonly experimented by NATO, which are
typically clearly beyond the threshold of the use of force. If NATO has sponsored
academic research aiming at examining the international law applicable to more
significant cyber-assaults, via the Tallinn Manual, the conclusions has been essentially
advocating for applying Articles 4 and 5 on a case-by-case basis, while the criteria
determining such application are still matter to debate.
Ultimately, it seems that NATO cyber defence policy exemplifies the continuous
prevalence of NATO’s self-perception as an alliance, designed to defend its members
against an external threat. Indeed, this analysis has displayed that most NATO
institutional developments, including the modification of its partnership policy, the
NATO Cyber Defence Policy Justine M. Chauvin
74
establishment of several specialised institutional units, and its knowledge production
on cyber security issues, are discursively justified as required for enabling NATO to
continue to perform its core mission. Overall, they are conceived as new facets of
NATO’s original role – demanding adjusting NATO’s strategy and operational capacities.
Yet, NATO cyber defence policy does not seem to represent a fundamental shift in
NATO’s perception of its own purpose.
Moreover, this analysis indicates that NATO is addressing cyber security from a
military-centred perspective, thus legitimizing its own role, and reinforcing the
dominant perception articulating cyber-threats as the matter of military prerogatives.
This analysis is valuable because having showed this; it illustrates the dominance of a
certain discursive construction of cyber security, considering an international
institution (as it has been already studied in the case of several national cyber
policies).285 This construction is based on axioms presented as indisputable (for
instance, that cyber security is a national security issue) and a particular rhetoric (using
metaphors and terms referring to warfare and especially, the Cold War). Highlighting
the premises on which such perception is grounded, and its discursive mechanisms can
“help to understand that it is neither natural nor inevitable that cyber-security should
be presented in terms of power-struggles, war-fighting, and military action […].” In the
long run, this can also be worthwhile to assess further questions regarding the
pertinence of NATO’s self-proclaimed role in this domain.
285 See, e.g.,Barnard-Wills and Ashenden, “Securing Virtual Space”; Dunn Cavelty, “The Militarisation”; Lawson, “Putting the ‘War’”; O’Connell, “Cyber Security”; Dunn Cavelty, “Cyber-Terror.”
NATO Cyber Defence Policy Justine M. Chauvin
75
Regarding the limits of this dissertation, it has already been discussed that examining
NATO from a holistic approach entailed both merits and biases. In particular, cyber
security does not seem to be perceived completely similarly amongst allies; and further
research taking more into account these internal dissensions, as well as the uneven
influential power of each ally, would certainly enhance our understanding of NATO
cyber defence policy as implemented nowadays. In parallel, this dissertation is centred
on cyber security and has the merit to highlight distinctive trends of NATO’s discourse
regarding this particular security field. However, it goes without saying that the global
security landscape that NATO faces, and its own perception in this context, has
interconnected repercussions on every of its domain of action.
More importantly, the results of this analysis tend to reveal another important factor
that has not been explicitly addressed in this research: the fact that cyber-attacks are
not all equivalent in terms of scope and effects. Indeed, the conceptual framework
stipulated that NATO could potentially transform itself more or less into a security
management institution depending on its domains of action.286 However, it did not
address the possibility that NATO cyber defence policy and discourses can be viewed as
exemplifying NATO as a defensive alliance or a security management institution,
depending on the degree of severity of a particular cyber-attack. In particular, NATO’s
narrative picturing itself as a security institution, and adapting its institutional assets in
order to manage effectively cyber security challenges, seems to consider only the
recurrent cyber threats that NATO faces on a daily basis, which are usually limited in
term of scope and impact. Yet, when the possibility of a cyber-attack powerful enough to
286 Wagnsson, “NATO’s Role.”
NATO Cyber Defence Policy Justine M. Chauvin
76
destabilize an ally is evoked (one that could be qualified as a use of force), NATO
discourse and policy displays strong elements considering NATO fundamentally as a
defensive alliance, which would not be reluctant to use all means, including Article 5, to
accomplish its mission.
At first glance, such distinction is not easily analysable using a discursive approach, as
the primary sources examined in this dissertation usually evoke “cyber-attacks” in
generic terms. This is not utterly surprising form a constructivist approach (and
especially from a securitization perspective), as it has been already demonstrated by
several scholars that one of the distinctive features of discourses on cyber security is the
discursive linkage between a whole range of threats directed to multiple referent
objects, from individual to national security.287
However, the fact that NATO does not explicitly make a distinction between different
types of cyber-attacks or referent objects (and focus its knowledge production on cyber-
attacks that can be categorized as use of force, notwithstanding the fact that this kind of
attacks are definitely highly unusual, and does not represent the cyber security issues
that NATO faces on a daily basis), displays the idea that NATO’s cyber security discourse
reinforces this discursive rhetoric viewing cyber security as an unclear continuum of
threats. In turn, this allows NATO picturing itself as a pertinent security actor for a
whole range of threats, and increases its general legitimacy in this security field. In
parallel, it eludes a clarification regarding the different security actors that could me
more relevant depending on which kind of cyber security issues occur. In conclusion, in
287 Hansen and Nissenbaum, “Digital Disaster,” 1162–1163. See also, Barnard-Wills and Ashenden, “Securing Virtual Space”; Dunn Cavelty, “Cyber-Terror.”
NATO Cyber Defence Policy Justine M. Chauvin
77
the field of cyber security, NATO allows itself to evaluate what are its responsibilities
and potential means of actions, according to its own criteria and assessment (on a case-
by-case basis) of any situation, which displays strong evidences that NATO still
considers itself primary as an Alliance, including in the cyberspace.
NATO Cyber Defence Policy Justine M. Chauvin
78
BIBLIOGRAPHY
Adler, Emanuel. “The Spread of Security Communities: Communities of Practice, Self-Restraint, and NATO’s Post-Cold War Transformation.” European Journal of International Relations 14, no. 02 (2008): 195–230.
Andersen, Niels Åkerstrøm. Discursive Analytical Strategies: Understanding Foucault, Koselleck, Laclau, Luhmann. Bristol: Policy Press, 2003.
Arquilla, John, and David Ronfeldt. “Cyberwar Is Coming!” In Athena’s Camp: Preparing for Conflict in the Information Age, edited by John Arquilla and David Ronfeldt, 23–60. Santa Monica: RAND, 1997.
Art, Robert J. “Why Western Europe Needs the United States and NATO.” Political Science Quarterly 111, no. 1 (1996): 1–39.
Balzacq, Thierry. Securitization Theory: How Security Problems Emerge and Dissolve. London: Routledge, 2011.
———. “The Three Faces of Securitization: Political Agency, Audience and Context.” European Journal of International Relations 11, no. 2 (2005): 171–201.
Barany, Zoltan. “NATO at Sixty.” Journal of Democracy 20, no. 02 (2009): 108–22. Barany, Zoltan, and Robert Rauchhaus. “Explaining NATO’s Resilience: Is International Relations
Theory Useful?” Contemporary Security Policy 32, no. 2 (2011): 286–307. Barnard-Wills, David, and Debi Ashenden. “Securing Virtual Space: Cyber War, Cyber Terror,
and Risk.” Space and Culture 15, no. 2 (2012): 110–23. Bendrath, Ralf. “The American Cyber-Angst and the Real World - Any Link?” In Bombs and
Bandwidth: The Emerging Relationship Between Information Technology and Security, edited by Robert Latham, 49–73. New York: New Press, 2003.
———. “The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection.” Information and Security 7 (2001): 80–103.
Betz, David J., and Tim Stevens. Cyberspace and the State: Toward a Strategy for Cyber-Power. New York: Routledge, 2011.
Breedlove, Philip M. “Opening Statement.” NATO Headquarters , Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_110223.htm?selectedLocale=en.
Buzan, Barry. People, States & Fear: An Agenda for International Security Studies in the Post-Cold War Era. Colchester: ECPR Press, 2007.
Buzan, Barry, and Ole Wæver. Regions and Powers: The Structure of International Security. Cambridge: Cambridge University Press, 2003.
Buzan, Barry, Ole Wæver, and Jaap De Wilde. Security: A New Framework For Analysis. Boulder: Reinner, 1998.
Campbell, David. Writing Security: United States Foreign Policy and the Politics of Security. Revised Edition. Manchester: Manchester University Press, 1998.
Coleman, Katharina P. International Organisations and Peace Enforcement: The Politics of International Legitimacy. New York: Cambridge University Press, 2007.
Council of Europe. “Convention on Cybercrime.” Council of Europe, November 23, 2001. http://conventions.coe.int/treaty/en/Treaties/Html/185.htm.
Daalder, Ivo, and James Goldgeier. “Global NATO.” Foreign Affairs 85, no. 5 (2006): 105–13. Dean, Mitchell. Governementality: Power and rule in modern society. London: SAGE, 2010. De Hoop Scheffer, Jaap. “Speech at the Annual Press Reception on the Occasion of the New Year.”
NATO Headquarters, Brussels, Belgium, 2008. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_7374.htm?selectedLocale=fr.
Deibert, Ronald J., and Rafal Rohozinski. “Risking Security: Policies and Paradoxes of CyberspacevSecurity.” International Political Sociology 4, no. 1 (2010): 15–32.
Der Derian, James. “Virtuous War/Virtual Theory.” International Affairs 76, no. 4 (2000): 771–88.
NATO Cyber Defence Policy Justine M. Chauvin
79
De Wijk, Rob. “Speech on NATO’s New Strategic Concept.” MCCS, Lisbon, 2009. http://www.nato.int/cps/en/natolive/opinions_58107.htm?selectedLocale=en.
Dunn Cavelty, Myriam. “Cyber-Allies.” IP Journal, May 1, 2011. https://ip-journal.dgap.org/en/ip-journal/topics/cyber-allies.
———. “Cyber-Terror – Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate.” Journal of Information Technology & Politics 4, no. 1 (2007): 19–36.
———. “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse.” International Studies Review 15, no. 1 (2013): 105–22.
———. “The Militarisation of Cyberspace: Why Less May Be Better.” CCD COE,Tallinn, 2012. Edelman, Murray. Constructing the Political Spectacle. Chicago: Chicago University Press, 1988. ———. Political Language: Words That Succeed and Policies That Fail. New York: Academic
Press, 1977. Political Language. ———. The Symbolic Uses of Politics: With a New Afterword. Urbana: University of Illinois Press,
1985. Eriksson, Johan. “Cyberplagues, IT and Security: Threat Politics in the Information Age.” Journal
of Contingencies and Crisis Management 9, no. 4 (2001): 211–22. ———. “Securizing IT.” In Threat Politics: New Perspectives on Security, Risk, and Crisis
Management, by Johan Eriksson. Aldershot: Ashgate, 2001. Eriksson, Johan, and Giampiero Giacomello. “The Information Revolution, Security, and
International Relations: (IR)relevant Theory?” International Political Science Review 27, no. 3 (2006): 221–44.
Erlanger, Steven, and David E. Sanger. “Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government.” The New York Times, March 8, 2014. www.nytimes.com/2014/03/09/world/europe/suspicion-falls-on-russia-as-snake-cyberattacks-target-ukraines-government.html.
“Estonia Hit by ‘Moscow Cyber War.’” BBC News, May 17, 2007. http://news.bbc.co.uk/2/hi/europe/6665145.stm.
Fleck, Dieter. “Searching for International Rules Applicable to Cyber Warfare - A Critical First Assesment of the New Tallinn Manual.” Journal of Conflict & Security Law 18, no. 2 (2013): 331–51.
Flockhart, Trine. “‘Masters and Novices’: Socialization and Social Learning through the NATO Parliamentary Assembly.” International Relations 18, no. 03 (2004): 361–80.
Foucault, Michel. Security, Territory, Population: Lectures at the Collège de France, 1977-1978. Houndmill: Palgrave, 2007.
Gee, James Paul. Discourse Analysis: Theory and Method. London: Routledge, 1999. Gheciu, Alexandra. NATO in the “New Europe”: The Politics of International Socialization After the
Cold War. Palo Alto: Stanford University Press, 2005. ———. Securing Civilization? The EU, NATO and the OSCE in the Post-9/11 World. Oxford: Oxford
University Press, 2008. Glaser, Charles L. “Why NATO Is Still Best: Future Security Arrangements for Europe.”
International Security 18, no. 1 (1993): 5–50. Halpin, Tony. “Estonia Accuses Russia of ’ Waging Cyber War’.” The Times, May 17, 2007.
http://www.thetimes.co.uk/tto/news/world/europe/article2595189.ece. Hansen, Lene, and Helen Nissenbaum. “Digital Disaster, Cyber Security, and the Copenhagen
School.” International Studies Quarterly 53, no. 4 (2009): 1155–75. Healey, Jason, and Leendert Van Bochoven. NATO’s Cyber Capacities: Yesterday, Today, and
Tomorrow. Issue Brief. Atlantic Council, 2011. Herzog, Stephen. “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational
Responses.” Journal of Strategic Security 4, no. 2 (2011): 41–60. Holmberg, Arita. “The Changing Role of NATO: Exploring the Implications for Security
Governance and Legitimacy.” European Security 20, no. 04 (2011): 529–46. Holsti, Ole R., Terrence P. Hopmann, and John D. Sullivan. Unity and Disintegration in
International Alliances: Comparative Studies. New York: John Wiley and Sons, 1973.
NATO Cyber Defence Policy Justine M. Chauvin
80
Horowitz, Michael. “A Common Future? NATO and the Protection of the Commons.” Transatlantic Paper Series, no. 3 (2010): 1–18.
Hughes, Rex. “NATO and Cyber Defence.” Atlantisch Perspectief 33, no. 1 (2009). http://www.atlcom.nl/site/english/nieuws/wp-content/Hughes.pdf.
Hunker, Jeffrey. Cyber War and Cyber Power. Research Paper. Rome: NATO Defense College, 2010.
———. “NATO and Cyber Security.” In Understanding NATO in the 21st Century : Alliance Strategies, Security and Global Governance, edited by Graeme P. Herd and John Kriendler, 154–75. New York: Routledge, 2013.
Jandl, Gerhard. “The Challenges of Cyber Security - A Government’s Perspective.” Human Security Perspectives 1 (2012): 26–37.
Johnston, Alastair I. “Treating International Institutions as Social Environments.” International Studies Quarterly 45, no. 04 (2001): 487–515.
Kempf, Olivier. L’OTAN et La Cyberdéfense. Chaire de Cyberdéfense et Cybersécurité: Ministère français de la Défense, 2013. http://www.st-cyr.terre.defense.gouv.fr/index.php/content/download/5741/39535/file/Article%20n%C2%B07%20-%20Chaire%20cyberd%C3%A9fense%20-%20Kempf.pdf.
Keohane, Robert O. International Institutions and State Power: Essays in International Relations Theory. Boulder: Westview, 1989.
Klimburg, Alexander. “Mobilising Cyber Power.” Survival: Global Politics and Strategy 53, no. 1 (2011): 41–60.
Kuehl, Daniel T. “From Cyberspace to Cyberpower: Defining the Problem.” In Cyberpower and National Security, edited by Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, 24–42. Dulles: Potomac Books, 2010.
Laclau, Ernesto, and Chantal Mouffe. Hegemony and Socialist Strategy. London: Verso, 1985. Lawson, Sean. “NATO & Cyber Conflict: Background & Challenges,” 7. Washington D.C., 2012. ———. “Putting the ‘War’ in Cyberwar: Metaphor, Analogy, and Cybersecurity Discourse in the
United States.” First Monday 17, no. 7 (2012). http://firstmonday.org/ojs/index.php/fm/article/view/3848/3270.
Levarska, Nina. Regulation of Cyber-Warfare: Interpretation versus Creation. European Security Review. ISIS Europe, 2013. www.isis-europe.eu/sites/default/files/publications-downloads/esr70-cyber-warfare-Dec2013NL.pdf.
Lewis, James. “Rethinking Cybersecurity - A Comprehensive Approach.” Sasakawa Peace Foundation, Tokyo, Japan, 2011. http://csis.org/files/publication/110920_Japan_speech_2011.pdf.
———. “The Cyber War Has Not Begun.” Center for Strategic and International Studies, March 2010. http://csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf.
———. “The Fog of Cyberwar.” International Relations and Security Network, 2009. http://isnblog.ethz.ch/intelligence/isn-weekly-theme-the-fog-of-cyberwar.
Libicki, Martin C. Cyberdeterrence and Cyberwar. Santa Monica: RAND Corporation, 2009. ———. Defending Cyberspace and Other Metaphors. Washington D.C.: US Government Printing
Office, 1997. Lijphart, Arend. “Comparative Politics and the Comparative Method.” American Political Science
Review 65, no. 03 (1971): 682–93. Liska, George. Nations in Alliance: The Limits of Interdependance. Baltimore: Johns Hopkins
University Press, 1962. Lynn, William. “Defending a New Domain.” Foreign Affairs 89, no. 5 (2010): 97–108. Macleod, Alex. “Le Néoréalisme.” In Théories Des Relations Internationales - Contestations et
Résistances, edited by Alex Macleod and O’Meara Dan, 87–114. Outremont: Athéna Éditions, 2010.
McCalla, Robert B. “NATO’s Persistence after the Cold War.” International Organization 50, no. 03 (1996): 445–75.
NATO Cyber Defence Policy Justine M. Chauvin
81
McConnell, Mike. “How to Win the Cyber-War We’re Losing.” The Washington Post, February 28, 2010. http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html.
McEvoy Manjikian, Mary. “From a Global Village to Virtual Battlespace: The Colonizing of the Internet and the Extension of Realpolitik.” International Studies Quarterly 54, no. 2 (2010): 381–401.
McLuhan, Marshall, and Quentin Fiore. War and Peace in the Global Village. New York: Simon & Schuster Inc., 1974.
Mearsheimer, John J. “Back to the Future: Instability in Europe after the Cold War.” International Security 15, no. 1 (1990): 5–56.
Menon, Anand, and Jennifer Welsh. “Understanding NATO’s Sustainability: The Limits of Institutionalist Theory.” Global Governance 17, no. 1 (2011): 81–94.
Merelman, Richard M. Language, Symbolism, and Politics. Boulder: Westview, 1993. MNCD2. “Multinational Cyber Defence Capability Development.” MNCD2. Accessed August 26,
2014. https://mncd2.ncia.nato.int/Pages/default.aspx. NATO. “Active Engagement in Cooperative Security: A More Efficient and Flexible Partnership
Policy,” 2011. http://www.nato.int/nato_static/assets/pdf/pdf_2011_04/20110415_110415-partnership-policy.pdf.
———. Bucharest Summit Declaration. Bucharest, Romania: North Atlantic Council, April 3, 2008. http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_8443.htm?selectedLocale=en.
———. Chicago Summit Declaration. Chicago, US: North Atlantic Council, May 20, 2012. http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_87593.htm?selectedLocale=en.
———. “Cyber Security.” NATO Communications and Information Agency. Accessed September 1, 2014. https://www.ncia.nato.int/Our-Work/Pages/Cyber-Security.aspx.
———. “Defending the Networks - The NATO Policy on Cyber Defence,” 2011. http://www.nato.int/nato_static/assets/pdf/pdf_2011_08/20110819_110819-policy-cyberdefence.pdf.
———. Lisbon Summit Declaration. Lisbon, Portugal: North Atlantic Council, November 20, 2010. http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_68828.htm?selectedLocale=en.
———. “NATO 2020: Assured Security; Dynamic Engagement.” NATO. Accessed September 1, 2014. http://www.nato.int/cps/en/natolive/topics_85961.htm.
———. “NATO 2020: Assured Security; Dynamic Engagement - Analysis and Recommendations of the Group of Experts on a New Strategic Concept for NATO,” May 17, 2010. http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2010_05/20100517_100517_expertsreport.pdf.
———. “NATO and Cyber Defence.” NATO. Accessed August 13, 2014. http://www.nato.int/cps/en/natolive/topics_78170.htm.
———. “NATO Holds Annual Cyber Defence Exercise.” NATO, November 26, 2013. http://www.nato.int/cps/en/natolive/news_105205.htm?selectedLocale=en.
———. “NATO’s Relations with Russia.” NATO. Accessed August 26, 2014. http://www.nato.int/cps/en/natolive/topics_50090.htm?
———. “New NATO Division to Deal with Emerging Security Challenges.” NATO, August 4, 2010. http://www.nato.int/cps/en/natolive/news_65107.htm.
———. “Partnerships: A Cooperative Approach to Security.” NATO. Accessed August 23, 2014. http://www.nato.int/cps/en/natolive/topics_84336.htm.
———. Riga Summit Declaration. Riga, Latvia: North Atlantic Council, November 29, 2006. http://www.nato.int/docu/pr/2006/p06-150e.htm.
NATO Cyber Defence Policy Justine M. Chauvin
82
———. “Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organization.” NATO, 2010. http://www.nato.int/strategic-concept/pdf/Strat_Concept_web_en.pdf.
———. “The NATO Defence Planning Process (NDPP).” NATO. Accessed August 20, 2014. http://www.nato.int/cps/en/natolive/topics_49202.htm.
———. The North Atlantic Treaty. Washington D.C.: NATO, April 4, 1949. http://www.nato.int/nato_static/assets/pdf/stock_publications/20120822_nato_treaty_en_light_2009.pdf.
NATO CCDCOE. “CCD COE.” NATO CCDCOE. Accessed August 5, 2014. https://www.ccdcoe.org/. ———. “Institutional Status.” NATO CCDCOE. Accessed December 1, 2013.
http://www.ccdcoe.org/38.html. ———. “Mission and Vision.” NATO CCDCOE. Accessed November 27, 2013.
http://www.ccdcoe.org/11.html. ———. “The Tallinn Manual.” NATO CCDCOE. Accessed September 1, 2014.
http://www.ccdcoe.org/tallinn-manual.html. Neumann, Iver B., and Michael C. Williams. “From Alliance to Security Community - NATO.” In
Culture And Security, by Michael C. Williams, 62–91, Routledge. London, 2007. Nye, Joseph S. Cyber Power. Harvard Kennedy School: Belfer Center for Science and
International Affairs, 2010. ———. Soft Power: The Means to Success in World Politics. New York: PublicAffairs, 2004. ———. The Future of Power. New York: PublicAffairs, 2011. Obama, Barack. “Remarks by the President on Securing Our Nation’s Cyber Infrastructure.” The
White House, May 29, 2009. http://www.whitehoU.S.e.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure.
O’Connell, Mary Ellen. “Cyber Security without Cyber War.” Journal of Conflict & Security Law 17, no. 2 (2012): 187–209.
O’Meara, Dan. “Le Constructivisme.” In Théories Des Relations Internationales - Contestations et Résistances, edited by Alex Macleod and Dan O’Meara, 243–66. Outremont: Athéna Éditions, 2006.
O’Meara, Dan, and Stéphane Roussel. “Le Libéralisme Classique.” In Théories Des Relations Internationales - Contestations et Résistances, edited by Alex Macleod and Dan O’Meara, 131–51. Outremont: Athéna Éditions, 2006.
Panetta, Leon. “Remarks on Cybersecurity.” New York, 2012. Pawlak, Patryk, and Cécile Wendling. “Trends in Cyberspace: Can Governments Keep Up?”
Environment Systems and Decisions 33, no. 4 (2013): 536–43. Philips, Louise J., and Marianne W. Jørgensen. Discourse Analysis as Theory and Method. London:
SAGE, 2002. Rasmussen, Anders Fogh. “Building Security in an Age of Austerity.” Hotel Bayerischer, Munich,
Germany, 2011. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_70400.htm?selectedLocale=fr.
———. “Future NATO.” Chatham House, London, UK, 2014. http://www.nato.int/cps/en/natolive/opinions_111132.htm?selectedLocale=en.
———. “Future NATO: Towards the 2014 Summit - Secretary General’s Annual Report 2013.” NATO Headquarters, Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_106247.htm?selectedLocale=en.
———. “NATO at 60 – Traditional Values and New Threats.” Budapest, Hungary, 2009. http://www.nato.int/cps/en/natolive/opinions_59297.htm.
———. “NATO – Delivering Security in the 21st Century.” Chatham House, London, UK, 2012. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_88886.htm?selectedLocale=fr.
———. “NATO in the 21st Century: Towards Global Connectivity.” Hotel Bayerischer Hof, Munich, Germany, 2010. http://www.nato.int/cps/en/natolive/opinions_61395.htm.
NATO Cyber Defence Policy Justine M. Chauvin
83
———. “NATO: Ready, Robust, Rebalanced.” Concert Noble, Brussels, Belgium, 2013. http://www.nato.int/cps/en/natolive/opinions_103231.htm?selectedLocale=en.
———. “NATO – Value for Security.” Bratislava, Slovakia, 2011. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_74522.htm?selectedLocale=fr.
———. “On Alliance Solidarity in the 21st Century.” Tallinn, Estonia, 2010. http://www.nato.int/cps/en/natolive/opinions_62699.htm.
———. “Opening Remarks in Defence Ministers Session.” NATO Headquarters, Brussels, Belgium, 2013. http://www.nato.int/cps/en/natolive/opinions_101100.htm?selectedLocale=en.
———. “Press Conference.” NATO Headquarters, Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_110618.htm?selectedLocale=en.
———. “Press Conference Following the Meeting of the North Atlantic Council in Defence Ministers Session.” NATO Headquarters, Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_104257.htm?selectedLocale=en.
———. “Press Conference Following the NATO Defence Ministers Meeting.” NATO Headquarters, Brussels, Belgium, 2013. http://www.nato.int/cps/en/natolive/opinions_101151.htm?selectedLocale=en.
———. “Speech.” Edinburgh, UK, 2009. http://www.nato.int/cps/en/natolive/opinions_59214.htm.
———. “Speech.” Georgetown University, Washington D.C., US, 2010. http://www.nato.int/cps/en/natolive/opinions_61566.htm?selectedLocale=en.
———. “Speech.” Helsinki, Finland, 2010. http://www.nato.int/cps/en/natolive/opinions_61891.htm.
———. “Speech on Emerging Security Risks.” Lloyd’s, London, UK, 2009. http://www.nato.int/cps/en/natolive/opinions_57785.htm?selectedLocale=en.
———. “Switzerland and NATO : Partners in Security.” Churchill Symposium, Zürich, Switzerland, 2012. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_91490.htm?selectedLocale=en.
Rasmussen, Anders Fogh, and Taavi Roivas. “Opening Remarks - Joint Press Point.” Tallinn, Estonia, 2014. http://www.nato.int/cps/en/natolive/opinions_109662.htm?selectedLocale=en.
Rid, Thomas. Cyber War Will Not Take Place. London: Hurst & Company, 2013. Risse-Kappen, Thomas. “Collective Identity in a Democratic Community: The Case of NATO.” In
The Culture of National Security, edited by Peter Katzenstein, 357–99. New York: Columbia University Press, 1996.
Rühle, Michael. “NATO and Emerging Security Challenges: Beyond the Deterrence Paradigm.” American Foreign Policy Interests: The Journal of the National Committee on American Foreign Policy 33, no. 6 (2011): 278–82.
Schimmelfennig, Frank. The EU, NATO, and the Integration of Europe: Rules, and Retoric. New York: Cambridge University Press, 2003.
Schmitt, Michael N., ed. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press, 2013.
Shachtman, Noah. “Top Georgian Official: Moscow Cyber Attacked Us – We Just Can’t Prove It.” Wired, March 11, 2009. http://www.wired.com/2009/03/georgia-blames/.
Shachtman, Noah, and Peter W. Singer. “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive.” Brookings, August 15, 2011. http://www.brookings.edu/research/articles/2011/08/15-cybersecurity-singer-shachtman.
Sheldon, John B. “Deciphering Cyberpower: Strategic Purpose in Peace and War.” Strategic Studies Quarterly 5, no. 2 (2011): 95–112.
Singel, Ryan. “White House Cyber Czar: ‘There Is No Cyberwar.” Wired, March 4, 2010. http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/.
NATO Cyber Defence Policy Justine M. Chauvin
84
Sjursen, Helene. “On the Identity of NATO.” International Affairs 80, no. 4 (2004): 687–703. Sloan, Stanley R. Permanent Alliance? NATO and the Transatlantic Bargain from Truman to
Obama. London: Bloomsbury Academic, 2010. Snyder, Glenn H. Alliance Politics. Ithaca: Cornell University Press, 1994. ———. “Alliances, Balance, and Stability.” International Organization 45, no. 1 (1991): 121–42. Stone, John. “Cyber War Will Take Place!” Journal of Strategic Studies 36, no. 1 (2013): 101–8. Stryker, Sheldon, and Anne Statham. “Symbolic Interaction and Role Theory.” In The Handbook
of Social Psychology, edited by Gardner Lindzey and Elliot Aronson, 1:311–78. New York: Random House, 1985.
Szentgáli, Gergely. “The NATO Policy on Cyber Defence: The Road so Far.” AARMS 12, no. 1 (2013): 83–91.
Tikk, Eneken. “Global Cybersecurity - Thinking About The Niche for NATO.” SAIS Review of International Affairs 30, no. 2 (2010): 105–19.
Tikk, Eneken, Wolff Heintchel Von Heinegg, Anatoly Streltsov, and László Deák. “The Applicability of International Law in Cyberspace - From If to How?” Georgetown University, Washington D.C., US, 2013. http://www.scholarlyinsider.com/Insider/videolist/watch/1623/the-applicability-of-international-law-in-cyberspace-from-if-to-how.
Traynor, Ian. “Russia Accused of Unleashing Cyberwar to Disable Estonia.” The Guardian. May 17, 2007. http://www.theguardian.com/world/2007/may/17/topstories3.russia.
US Department of Defense. “Department of Defense Cyberspace Policy Report.” US Department of Defense, 2011. http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf.
———. “The Cyber Domain: Security and Operations.” US Department of Defense. Accessed March 11, 2014. http://www.defense.gov/home/features/2013/0713_cyberdomain/.
US Department of Homeland Security. “National Strategy to Secure Cyberspace.” US Department of Homeland Security, 2003. http://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.
Van Epps, Geoff. “Common Ground: U.S. and NATO Engagement with Russia in the Cyber Domain.” The Quarterly Journal 12, no. 4 (2013): 15–50.
Vershbow, Alexander. “Challenges Facing NATO and the Transatlantic Community Post-2014.” Hôtel national des invalides, Paris, France, 2013. http://www.nato.int/cps/en/natolive/opinions_101606.htm?selectedLocale=en.
———. “Looking towards the Wales Summit.” NATO Defense College, Rome, Italy, 2014. http://www.nato.int/cps/en/natolive/opinions_111056.htm?selectedLocale=en.
Von Heinegg, Wolff Heintchel. “The Tallinn Manual and International Cyber Security Law.” Yearbook of International Humanitarian Law 15 (2012): 3–18.
Wæver, Ole. “Securitization and Desecuritization.” In On Security, edited by Ronnie Lipschutz, 46–86. New York: Columbia University Press, 1995.
Wæver, Ole, Barry Buzan, Morten Kelstrup, and Pierre Lemaitre. Identity, Migration and the New Security Agenda in Europe. London: Pinter, 1993.
Wagnsson, Charlotte. “NATO’s Role in the Strategic Concept Debate: Watchdog, Fire-Fighter, Neighbour or Seminar Leader?” Cooperation and Conflict 46, no. 4 (2011): 482–501.
Wallander, Celeste A. “Institutional Assets and Adaptability: NATO After the Cold War.” International Organization 54, no. 04 (2000): 705–35.
Wallander, Celeste A., and Robert O. Keohane. “Risk, Threat, and Security Institutions.” In Imperfect Unions: Security Institutions over Time and Space, edited by Helga Haftendorn, Robert O. Keohane, and Celeste A. Wallander, 21–47. New York: Oxford University Press, 1999.
Walt, Stephen M. “Alliance Formation and the Balance of World Power.” International Security 9, no. 4 (1985): 3–43.
NATO Cyber Defence Policy Justine M. Chauvin
85
———. “Testing Theories of Alliance Formation: The Case of Southwest Asia.” International Organization 42, no. 02 (1988): 275–316.
———. The Origins of the Alliances. Ithaca: Cornell University Press, 1987. Waltz, Kenneth N. “NATO Expansion: A Realist’s View.” Contemporary Security Policy 21, no. 2
(2000): 23–38. ———. “The Emerging Structure of International Politics.” International Security 18, no. 2
(1993): 44–79. ———. Theory of International Politics. Reading: Addison-Wesley, 1979. Wendt, Alexander. “Anarchy Is What States Make of It: The Social Construction of Power
Politics.” International Organization 46, no. 2 (April 1, 1992): 391–425. Yost, David S. “NATO’s Evolving Purposes and the next Strategic Concept.” International Affairs
86, no. 2 (2010): 489–522. Zyga, Ioanna-Nikoletta. “Emerging Security Challenges: A Glue for NATO and Partners?”
Research Divison - NATO Defense College, Rome, no. 85 (2012): 1–8.