NATO Cyber Defence Policy: An adaptation to the emerging threats of the 21st century, or the...

NATO Cyber Defence Policy An adaptation to the emerging threats of the 21st century, or the

resurgence of Cold War logic in the “fifth battlefield”?

MA in the Department of International Politics Aberystwyth University

Justine Marie Chauvin

2014

A dissertation submitted in partial fulfillment of the requirements for the degree of Master of Arts in International Politics of the Internet.

NATO Cyber Defence Policy Justine M. Chauvin

2

TABLE OF CONTENTS

OFFICIAL STATEMENTS ................................................................................................................................................ 3

ACKNOWLEDGMENTS .................................................................................................................................................... 4

ABSTRACT ........................................................................................................................................................................... 5

NATO CYBER DEFENCE POLICY ................................................................................................................................. 6

I. Introduction .............................................................................................................................................................. 6

i. Research question ............................................................................................................................................ 8

ii. Justification .......................................................................................................................................................... 9

iii. Outline ................................................................................................................................................................ 11

II. NATO, cyber security & IR theories .............................................................................................................. 13

i. Neorealism ........................................................................................................................................................ 14

NATO as an alliance ................................................................................................................................... 14 a.

Cyber security as a new field for old conflicts ................................................................................ 17 b.

ii. Liberalist institutionalism .......................................................................................................................... 19

a. NATO as an institution ............................................................................................................................. 19

b. Cyber security as a driver for institutional transformations ................................................... 24

iii. Constructivism ................................................................................................................................................ 25

a. NATO as a norm promoter ..................................................................................................................... 25

b. Cyber security as an intersubjective and discursive framing of threat ............................... 28

III. Methodological Framework ............................................................................................................................ 32

i. Discourse analysis: theory and method ................................................................................................ 32

ii. Conceptual framework (1): Security and cyber security discourses ....................................... 34

iii. Conceptual framework (2): Cyber security discourses in practice ........................................... 38

iv. Sources ............................................................................................................................................................... 41

IV. NATO cyber defence policy .............................................................................................................................. 44

i. Chronology and overview .......................................................................................................................... 44

ii. Analysis .............................................................................................................................................................. 50

a. Cyber security issues: Risk management or threat retaliation? ............................................. 50

b. NATO’s cyber strategy: Inclusive or exclusive? ............................................................................. 59

c. Institutionalization of NATO’s cyber defence policy ................................................................... 67

V. Conclusion ............................................................................................................................................................... 73

BIBLIOGRAPHY .............................................................................................................................................................. 78


3

OFFICIAL STATEMENTS

The word length of this dissertation is 14’988.

DECLARATION

This work has not previously been accepted in substance for any degree and is not

being concurrently submitted in candidature for any other degree.

Signed:

Date: 21st September 2014

STATEMENT 1

This work is the result of my own investigations, except where otherwise stated. Where

correction services have been used, the extent and nature of the correction is clearly

marked in a footnote(s).Other sources are acknowledged (e.g. by footnotes giving

explicit references). A bibliography is appended.

Signed:


STATEMENT 2

I hereby give consent for my work, if accepted, to be available for photocopying and for

inter-library loan, and for the title and summary to be made available to outside

organisations.

Signed:



4

ACKNOWLEDGMENTS

First and foremost, I would like to express my sincere gratitude to my supervisor, Dr.

Madeline Carr. Her willingness to encourage me, as well as her invaluable assistance,

support and advices contributed tremendously to this finale dissertation.

I am also grateful to the Department of International Politics for having given me the

opportunity to study in such a vibrant academic community, as well as for having

offered me a David Davies Scholarship. In addition, I would like to thank my lecturers

who have been all extremely stimulating and inspiring, in particular Dr. Berit

Bliesemann de Guevara, Dr. Jeff Bridoux, Dr. Jan Ruzicka, and Dr. Kristan Stoddart; as

well as Dr. Alistair Shepherd for his helpful insights on NATO.

It has been a great pleasure to pursue a MA at Aberystwyth University, thanks to my

wonderful fellow postgraduate students and friends. Finally, I wish to thank my parents

for their support and the confidence they have shown in me over the years.


5

ABSTRACT

The current development of a cyber defence policy by the North Atlantic Treaty

Organization (NATO) is usually seen as exemplifying the alliance’s changing scope of

intervention; as well as its broadened perception of security. From an institutional-

liberalist perspective, it is said to illustrate the transformation of NATO from a defensive

alliance into a security management institution. However, others have pointed out that

NATO cyber defence policy has been developed with regard to seminal events, such as

the cyber-attacks on Estonia in 2007 and on Georgia in 2008, and mirrors the persisting

cold war logic in NATO current policy.

This dissertation aims to investigate if NATO’s cyber agenda exemplifies the alliance’s

transformation into a security management institution; or rather if it displays the

continuity of NATO’s self-perception as a defensive alliance. In order to address these

questions properly, this dissertation is based on an interpretative approach, using

discourse analysis as a method, and a theoretical framework drawing on constructivist

accounts, as well as on various liberal institutionalist concepts.

The results of this analysis displayed mixed elements. However, it ultimately seems that

NATO cyber defence policy exemplifies the continuous prevalence of NATO’s self-

perception as an alliance, designed to defend its members against an external threat.

Indeed, the analysis highlights that developments in NATO cyber defence policy are

generally conceived as new facets of NATO’s original role – demanding adjusting

NATO’s strategy and operational capacities. Yet, NATO cyber defence policy does not

seem to represent a fundamental shift in NATO’s perception of its own purpose.

This analysis also highlights the need for further research including additional variables,

such as the differentiation between different types of cyber security threats that NATO

faces.


6

NATO CYBER DEFENCE POLICY AN ADAPTATION TO THE EMERGING THREATS OF THE 21ST CENTURY, OR THE

RESURGENCE OF COLD WAR LOGIC IN THE “FIFTH BATTLEFIELD”?

I. INTRODUCTION

This dissertation aims to pose a few relatively under-examined issues in the field of

cyber security. In particular, it focuses on the importance of perceptions in the

establishment of norms and practices at the international level, using as a case study the

cyber defence policy of the North Atlantic Treaty Organization (NATO). Particularly, its

purpose is to investigate the assumptions and discursive codes governing the logic

behind the emergence and the developments of NATO cyber defence policy; notably

how the nature and origins of cyber threats, as well as the role of state members and

NATO itself, are conceived. In order to properly address these questions, this

dissertation is based on an interpretative approach, using discourse analysis as a

method, and a theoretical framework drawing on several constructivist accounts, as

well as on liberal institutionalist concepts. This perspective seems to be particularly

interesting, given the way actors perceive cyberspace, and the related threats arising

from it, is deemed to be correlated with the development of their “capacities, craft

policies, and ultimately [the manner they] decide to act on cyber issues.”1

NATO’s nature and purpose has been widely discussed amongst IR theorists, especially

since the end of the Cold War, which has been seen by many as the vanishing of NATO’s

initial raison d’être. In particular, many scholars (especially liberal institutionalists)

1 David J. Betz and Tim Stevens, Cyberspace and the State: Toward a Strategy for Cyber-Power (New York: Routledge, 2011), 36–37. Cited in Geoff Van Epps, “Common Ground: U.S. and NATO Engagement with Russia in the Cyber Domain,” The Quarterly Journal 12, no. 4 (2013): 19. 2 These terms will be explained and discussed with regard to different IR paradigms in the next chapter. 3 See, e.g., Arita Holmberg, “The Changing Role of NATO: Exploring the Implications for Security


7

have claimed that NATO’s survival is due to its transformation over the past twenty

years, from a traditional alliance to a security management institution.2 From this

perspective, the development of a cyber defence policy by NATO is usually seen as

exemplifying the alliance’s changing scope of intervention, as well as its broadened

perception of security, 3 conceived in terms of diffuse risks (that is, diffuse security

problems emerging from uncertainty and private information, arguably not only from

state actors)4 instead of direct threats (understood as “a positive probability that

another state will either launch an attack or seek to threaten military force for political

reasons”).5 However, others have pointed out that NATO cyber defence policy has been

developed with regard to seminal events, such as the cyber-attacks on Estonia in 2007

and on Georgia in 2008 (detailed in Chapter IV), and mirrors the persisting cold war

logic in NATO current policy. Notably, Michael Horowitz stated that:

“Many of the cyber attacks over the last decade that have been severe enough to

motivate renewed NATO concerns about cyberspace have emanated from Russia.[6]

Given that the security challenges created by the Soviet Union drove the creation of

NATO in the first place, these cyber threats arguably represent a core mission area

2 These terms will be explained and discussed with regard to different IR paradigms in the next chapter. 3 See, e.g., Arita Holmberg, “The Changing Role of NATO: Exploring the Implications for Security Governance and Legitimacy.,” European Security 20, no. 04 (2011): 533. 4 Celeste A. Wallander and Robert O. Keohane, “Risk, Threat, and Security Institutions.,” in Imperfect Unions: Security Institutions over Time and Space, ed. Helga Haftendorn, Robert O. Keohane, and Celeste A. Wallander (New York: Oxford University Press, 1999), 25. 5 Ibid. 6 To this day, no official report or public evidence has linked the Russian government to any major cyber-attack. However, the suspicion is still strong amongst transatlantic military and political circles, and many Western commentators have accused the Kremlin of tolerating, if not sponsoring the groups involved in the attacks on Estonia and Georgia. Moscow has always denied such implication. Noah Shachtman, “Top Georgian Official: Moscow Cyber Attacked Us – We Just Can’t Prove It,” Wired, March 11, 2009, http://www.wired.com/2009/03/georgia-blames/; “Estonia Hit by ‘Moscow Cyber War,’” BBC News, May 17, 2007, http://news.bbc.co.uk/2/hi/europe/6665145.stm.


8

for NATO that returns NATO to its roots. Addressing cyber threats thus arguably

fulfils NATO’s most basic security mission.”7

Regarding the limited scope of this analysis and its aims, this supposed transformation

of NATO is interesting because it allows the spectrum of interpretation patterns to be

narrowed. What is explored here is, therefore, whether NATO cyber defence policy

exemplifies such a transformation, or if it displays continuity in the manner in which

NATO perceives its own role as an international security actor, and the security issues

that it faces.

i. RESEARCH QUESTION Some initial questions driving this dissertation could be roughly formulated as below:

- How are cyber security issues framed in NATO’s discourse?

- How does NATO perceive itself in relation with these emerging threats, and

particularly, which characteristics of NATO are emphasized to support the idea

that it is the relevant actor to deal with these issues?

- To what extent do the mechanisms, organisms, practices and policies developed

by NATO reflect its discourse?

Because the scope of this dissertation necessarily implies the formulation of a much

narrower research question, and with reference to the initial observations made in the

introduction, the focus here is on in the following:

7 Michael Horowitz, “A Common Future? NATO and the Protection of the Commons,” Transatlantic Paper Series, no. 3 (2010): 4. See, also, Stanley R. Sloan, Permanent Alliance? NATO and the Transatlantic Bargain from Truman to Obama (London: Bloomsbury Academic, 2010), 138.


9

Does NATO’s cyber agenda exemplify the alliance’s transformation into a security

management institution; or rather does it display the continuity of NATO’s self-

perception as a defensive alliance?

This dissertation certainly does not advocate that NATO’s perception falls exclusively

into one of these two categories. It seems apparent that the answer lies probably

somewhere between these two options, which are only ideal types. What is really at

stake here is to understand how NATO perceives cyber security issues, and its own role

in this field, as well as how this perception has an impact the way NATO’s cyber agenda

is conceived. Ultimately, exploring these questions is important to understand how

NATO perceived its role in the field of cyber security, and more generally in the context

of the emerging threats of the 21st century. Moreover, it also allows a valuable reflection

on what patterns this perception – and the subsequent policies established by NATO –

display, regarding the way cyber threats are currently conceived by international

security actors, and what the potential implications of such interpretations are.

ii. JUSTIFICATION NATO is currently one of the most prominent international security actors in the field of

cyber security, insofar as it is one of the few institutions which are attempting to

develop a policy specially designed to respond to cyber threats.8 However, only a

relatively few studies have been done on this particular topic. Furthermore, a

substantial part of this knowledge production concerning NATO cyber defence policy

has been conducted by NATO Cooperative Cyber Defence Centre of Excellence (CCD

8 Eneken Tikk, “Global Cybersecurity - Thinking About The Niche for NATO,” SAIS Review of International Affairs 30, no. 2 (2010): 105–19.


10

COE),9 and most of these studies respond to a problem-solving approach. Typically, they

do not engage with the onto-epistemological assumptions at the basis of NATO’s cyber

agenda and its perception of cyber threats, but rather attempt to improve its policy (this

problematic is discussed more in depth in the section devoted to clarify what primary

sources have been used in this analysis). This dissertation is valuable because it

provides an external analysis, attempting to take precisely into consideration these

assumptions underlying NATO’s knowledge and policy production.

Turning to other research that has been done by other organisms, it seems that it has

predominantly been focused on the quality or relevance of NATO’s cyber defence policy

results, such as the Tallinn Manual, and not on the process of knowledge production

itself. Furthermore, a substantial part has been done from a legal perspective, and

leaves some assumptions underlying NATO’s cyber doctrine mostly unanalyzed.10

Finally, the need for cooperation in the field of cyber security has been relentlessly

expressed by governments and experts,11 and notably in the 2001 Budapest Convention

on Cybercrime:

“The member States of the Council of Europe and the other States signatory hereto,

[…] Recognising the value of fostering co-operation with the other States parties to

this Convention; […] Convinced of the need to pursue, as a matter of priority, a

9 NATO CCDCOE, “CCD COE,” NATO CCDCOE, accessed August 5, 2014, https://www.ccdcoe.org/. 10 See, e.g., Myriam Dunn Cavelty, “Cyber-Allies,” IP Journal, May 1, 2011, https://ip-journal.dgap.org/en/ip-journal/topics/cyber-allies; Sean Lawson, “NATO & Cyber Conflict: Background & Challenges” (presented at the The Shadow NATO Summit III, Washington D.C., 2012), 7; Dieter Fleck, “Searching for International Rules Applicable to Cyber Warfare - A Critical First Assesment of the New Tallinn Manual,” Journal of Conflict & Security Law 18, no. 2 (2013): 331–51; Gergely Szentgáli, “The NATO Policy on Cyber Defence: The Road so Far,” AARMS 12, no. 1 (2013): 83–91; Nina Levarska, Regulation of Cyber-Warfare: Interpretation versus Creation, European Security Review (ISIS Europe, 2013), www.isis-europe.eu/sites/default/files/publications-downloads/esr70-cyber-warfare-Dec2013NL.pdf. 11 See, e.g., Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security 4, no. 2 (2011): 41–60.


11

common criminal policy […] by adopting appropriate legislation and fostering

international co-operation; […].”12

However, most studies have tended to be limited to the national level. In accordance

with this view that security issues arising from the cyberspace are difficult to restrain

by national borders, it seems that analyzing how cyber policy is developed within

international institutions would be valuable in order to grasp the general patterns

emerging at the international level.

As an international organisation, examining NATO’s cyber agenda seems valuable

because it could enhance our understanding of one of the few attempts to provide an

international mechanism and a doctrine in the field of cyber security, 13 as well as the

perceptions underpinning it, and their potential implications.

iii. OUTLINE This dissertation has three substantial chapters; first, the following chapter (Chapter II)

aims to provide a general review of IR literature on NATO, and on cyber security. It

focuses mainly on three different paradigms, namely, neorealism, liberal

institutionalism, and constructivism.

The third chapter is devoted to clarify how and why discourse analysis is used as

method in this analysis, as well as to explain the constructivist approach, in addition

with some post-modernist and liberal institutionalist accounts, constituting the

conceptual framework. Moreover, it also reviews the different sources used in this

analysis, their value, and their limits.

12 Council of Europe, “Convention on Cybercrime,” Council of Europe, November 23, 2001, http://conventions.coe.int/treaty/en/Treaties/Html/185.htm. 13 Tikk, “Global Cybersecurity,” 105.


12

The fourth chapter provides, firstly, a short overview of NATO cyber defence policy

from 1999 until today. Then, it is devoted to the analysis itself, divided into three

different parts; namely, does NATO view cyber security issues as threats or risks [1], to

what extent is NATO’s cyber strategy exclusive or inclusive [2], what is the degree of

institutionalization in NATO cyber defence policy [3].

In addition to this, the conclusion addresses the merits and limits of this essay, and

discusses potential further research.


13

II. NATO, CYBER SECURITY & IR THEORIES

This chapter is essentially devoted to reviewing the available literature on NATO and

cyber security from several IR perspectives. Its purpose is to make explicit the different

IR approaches regarding NATO and cyber security, in order to justify the relevance of

the theoretical framework draw in the next chapter.

From the beginning of the 1990s until today, explaining the persistence – and most

importantly the transformation – of NATO after the Cold War has been the subject of

numerous studies across the various IR schools of thought. This chapter aims to provide

a general overview of the different accounts made on this topic.

Moreover, this chapter also aims at providing theoretical insights on how each

paradigm frames cyber security. It should be noted that in general, research done on the

impact of new information and communication technologies on security, and national

security in particular have been predominantly policy and problem-solving oriented,

with little or no regard for developing or applying IR theories.14 However, some debates

among practitioners seem to reflect some fundamental theoretical discussions in the

field of IR. Consequently, it displays the importance of IR theories for improving the

general understanding of the current developments in national and international cyber

security policy, as well as their repercussions.15 With regard to the available literature,

this chapter focuses in particular on three IR paradigms, namely, neorealism, liberal

institutionalism, and constructivism.

14 Johan Eriksson and Giampiero Giacomello, “The Information Revolution, Security, and International Relations: (IR)relevant Theory?,” International Political Science Review 27, no. 3 (2006): 222. 15 Ibid., 227–228.


14

i. NEOREALISM

NATO AS AN ALLIANCE a.

Neorealism displays an approach based on three principles; (1) anarchy (i.e. the

absence of regulatory authority) characterizes the international stage, (2) states are the

only actors relevant at the international system, (3) states are functionally similar, and

act rationally in accordance with their national self-interests.16 At the core of the

neorealist vision, power (defined as military capacities) and security (defined as the

absence of threat to the survival of the state) are seen as the two driving force of

international affairs.17 From the realist perspective, states form alliances for two

reasons; they can rally other states – viewed as the most powerful – to protect their own

survival (the bandwagoning strategy), or they can unite against another power to

preserve the balance of power and ultimately, prevent the emergence of threats to their

survival (the balancing strategy).18

Alliances – defined by Glenn Snyder as, “formal associations of states for the use (or

non-use) of military force, in specified circumstances, against states outside their own

membership”19 – have been analyzed extensively through the lens of neorealism,

certainly because historically they have been limited to states and aggregation of

military capacities.20

According to Kenneth Waltz’s balance-of-power theory, states agree to form coalitions

and aggregate their capacities – even if these are limits to their freedom of action – in

16 Alex Macleod, “Le Néoréalisme,” in Théories Des Relations Internationales - Contestations et Résistances, ed. Alex Macleod and O’Meara Dan (Outremont: Athéna Éditions, 2010), 92–94. 17 Eriksson and Giacomello, “The Information Revolution,” 228. 18 Macleod, “Le Néoréalisme,” 95–96. 19 Glenn H. Snyder, Alliance Politics (Ithaca: Cornell University Press, 1994), 4. 20 Robert B. McCalla, “NATO’s Persistence after the Cold War,” International Organization 50, no. 03 (1996): 450.


15

order to maintain the balance of power. Consequentially, shifts in power relations are

direct variables of alliances’ emergence, cohesion, and ultimately demise.21 Stephen

Walt’s subsequent balance-of-threat approach nuanced this approach in differentiating

power from threat, stipulating that balancing alliances – but also bandwagoning

alliances – do not empirically occur automatically when a state is perceived as powerful

(i.e. with strong military capacities), but are established rather when a state is perceived

as a threat (i.e. a state which has offensive capacities and offensive intentions).22

Ultimately, neorealists stipulate that the degree of alliances’ cohesion is determined by

the duration and/or the intensity of an external threat, or a power to balance. This

argument relies on strong empirical evidences that alliances usually collapse after the

disappearance – or the modification – of such exogenous variables.23 As Ole Holsti et al.

declared, “the most widely stated proposition about alliances is that cohesion depends

upon external danger and declines as the threat is reduced.”24

From a neorealist point of view, NATO’s main purpose is embedded in Article 5 of the

constitutive treaty, stipulating that “the Parties agree that an armed attack against one

or more of them in Europe or North America shall be considered an attack against them

21 Kenneth N. Waltz, Theory of International Politics (Reading: Addison-Wesley, 1979). 22 Stephen M. Walt, The Origins of the Alliances (Ithaca: Cornell University Press, 1987); Stephen M. Walt, “Testing Theories of Alliance Formation: The Case of Southwest Asia,” International Organization 42, no. 02 (1988): 275–316. 23 George Liska, Nations in Alliance: The Limits of Interdependance (Baltimore: Johns Hopkins University Press, 1962); Stephen M. Walt, “Alliance Formation and the Balance of World Power,” International Security 9, no. 4 (1985): 3–43; Walt, The Origins; Ole R. Holsti, Terrence P. Hopmann, and John D. Sullivan, Unity and Disintegration in International Alliances: Comparative Studies (New York: John Wiley and Sons, 1973); Glenn H. Snyder, “Alliances, Balance, and Stability,” International Organization 45, no. 1 (1991): 121–42. 24 Holsti, Hopmann, and Sullivan, Unity and Disintegration, 17.


16

all [...].”25 Accordingly, the alliance’s degree of cohesion must be assessed in view of the

probability that a situation as described in Article 5 will occur.

Unsurprisingly then, the vast majority of neorealist scholars argued in the early 1990s

that NATO’s raison d’être had disappeared with the fall of the Soviet Union and the

disaggregation of the Warsaw Pact, predicting the consequent fading of the alliance.26

Moreover, even if some of them highlighted the alliance’s possible persistent utility, it

remained in the perspective of potential new external military threats.27

The failure of neorealism to predict not only NATO’s persistence, but more importantly

the alliance’s enlargement and new functions, has been underlined by many scholars.

For many of them, this is explained by the incapacity of neorealism to grasp the genuine

nature of NATO, as an institution able to serve other purposes than the strict

aggregation of military capacities for deterring an external threat, or balancing power.28

According to Zoltan Barany and Robert Rauchhaus, neorealists have applied “the wrong

set of analytic tools [...] and failed to understand that NATO was more [...] than a

traditional alliance.”29

25 NATO, The North Atlantic Treaty (Washington D.C.: NATO, April 4, 1949), 1, http://www.nato.int/nato_static/assets/pdf/stock_publications/20120822_nato_treaty_en_light_2009.pdf. 26 See, e.g., John J. Mearsheimer, “Back to the Future: Instability in Europe after the Cold War,” International Security 15, no. 1 (1990): 5–56; Kenneth N. Waltz, “The Emerging Structure of International Politics,” International Security 18, no. 2 (1993): 44–79. 27 See, e.g., Charles L. Glaser, “Why NATO Is Still Best: Future Security Arrangements for Europe,” International Security 18, no. 1 (1993): 5–50; Robert J. Art, “Why Western Europe Needs the United States and NATO,” Political Science Quarterly 111, no. 1 (1996): 1–39. 28 See, e.g., Zoltan Barany and Robert Rauchhaus, “Explaining NATO’s Resilience: Is International Relations Theory Useful?,” Contemporary Security Policy 32, no. 2 (2011): 286–307. 29 Ibid., 290.


17

Finally, Waltz subsequently explained the survival, and more importantly expansion of

NATO, “mainly because the United States wanted to.”30 In sum, he explained that the

alliance’s persistence does not rely on rational exogenous factors, or its institutions, but

rather is due to the will of a particular powerful actor. This vision of NATO’s persistence

as the result of an agent’s preferences (preferences which are, in the case of the US

pursuing NATO’s enlargement, “foolish” in Waltz’s terms),31 are contradicted by

institutionalists, who stress on the contrary the pre-eminence (over agency) of

alliances’ institutional assets to explain their formation, durability and demise.32

CYBER SECURITY AS A NEW FIELD FOR OLD CONFLICTS b.Turning to the neorealist vision of cyber threats and cyber conflicts, it could be roughly

summarized as “old wine in new bottles.”33 Indeed, even if neorealists consider threats

emerging from the new information technologies as relevant, they frame them as

basically new technological components in otherwise traditional conflicts. From this

perspective, cyber operations are seen as the latest dimensions of strategic and military

planning, and the cyberspace as “a new front to the battle”34 (notably, since 2011, it has

been officially recognized as the fifth domain of military intervention by the US

Department of Defense,35 “just as critical [...] as land, sea, air and space” 36).

30 Kenneth N. Waltz, “NATO Expansion: A Realist’s View,” Contemporary Security Policy 21, no. 2 (2000): 35. 31 Ibid., 31. 32 In particular, McCalla, “NATO’s Persistence”; Celeste A. Wallander, “Institutional Assets and Adaptability: NATO After the Cold War,” International Organization 54, no. 04 (2000): 705–35. 33 Eriksson and Giacomello, “The Information Revolution,” 229. 34 Mary McEvoy Manjikian, “From a Global Village to Virtual Battlespace: The Colonizing of the Internet and the Extension of Realpolitik,” International Studies Quarterly 54, no. 2 (2010): 386. 35 US Department of Defense, “The Cyber Domain: Security and Operations,” US Department of Defense, accessed March 11, 2014, http://www.defense.gov/home/features/2013/0713_cyberdomain/. 36 Lynn, op.cit. (2010), 101.


18

However, these technological changes do not challenge the fundamental assumptions

underpinning the conduct of military affairs, nor did it create new entities or modified

the interests of states.37 From a realist perspective, Mary McEvoy Manjikian stated that:

“From the 1980s onward, cyberspace was redefined as […] an extension of the

battlespace […]. Information warfare is a different kind of battle calling for different

strategies and tactics, but its aims and goals are the same.”38

Furthermore, she argued that:

“Realists [see] cyberspace as an avenue for insurgents and national enemies to

penetrate “real” defenses. It [is] viewed as a frontier or border requiring protection

and vigilance […].”39

Overall, neorealists display a vision of cyber security which does not question their

conceptualization of security, the prevalence of states over non-states actors at the

international level, or the conduct of interstate conflicts. Even if in the field of cyber

security, similarly to other sectors of security, neorealists have acknowledged over the

years the increasing importance of non-state actors, such as terrorist groups, they still

rely on a Westphalian state-focused vision of geopolitics. 40

Turning to the notion of power, Daniel Kuehl’s notion of cyber power is certainly the

most widely used in a realist perspective, as “the ability to use cyberspace to create

advantages and influence events in all the operational environments [land, air, sea and

37 McEvoy Manjikian, “From a Global Village,” 385. 38 Ibid., 385–386. 39 Ibid., 390. 40 Eriksson and Giacomello, “The Information Revolution,” 229.


19

outer space] and across the instruments of power.”41 Kuehl’s conceptualization of cyber

power is not a zero-sum game, as he stated that, “one of the oft-cited attributes of

cyberspace is its ability to augment and empower many users simultaneously”.42

However, it remains strongly focused on states’ interests and military capacities.

Overall, even if it has been acknowledged that cyber capacities are indeed a new form of

power, this cyberpower is relevant insofar as it serves strategic purposes for the ends of

policy, which is still viewed in realist terms.43

ii. LIBERALIST INSTITUTIONALISM

a. NATO AS AN INSTITUTION

The institutionalist approach of liberalism stipulates that the deviant behaviours of

international society (such as war and other forms of conflicts emerging from a lack of

cooperation)44 could be adjusted through regulatory mechanisms, established by

international institutions. In line with other liberalist approaches, liberal

institutionalists affirm that states are important – but not unique – actors at the

international stage, and focus on a broader set of issues (especially economic ones) than

neorealists. In particular, they highlight the role of institutions as mechanisms that

allow cooperation amongst states.45

41 Daniel T Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” in Cyberpower and National Security, ed. Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz (Dulles: Potomac Books, 2010), 38. 42 Ibid. [footnote 42], 568. 43 John B. Sheldon, “Deciphering Cyberpower: Strategic Purpose in Peace and War,” Strategic Studies Quarterly 5, no. 2 (2011): 95–112. 44 Dan O’Meara and Stéphane Roussel, “Le Libéralisme Classique,” in Théories Des Relations Internationales - Contestations et Résistances, ed. Alex Macleod and Dan O’Meara (Outremont: Athéna Éditions, 2006), 135. 45 Ibid., 137; Eriksson and Giacomello, “The Information Revolution,” 229–230.


20

In opposition to neorealist accounts, liberal institutionalists consider that alliances “are

not always merely aggregations of national power”,46 and that sometimes their purpose

goes beyond deterrence or defence. More generally, Robert Keohane stipulated that

“alliances are institutions”,47 which he defined as a “related complex of rules and

norms, identifiable in space and time.”48 Hence, he stated that “both their durability

and strength (the degree to which states are committed to alliances, even when

costs are entailed) may depend in part on their institutional characteristics.”49

Starting from this account, Celeste Wallander slightly nuanced Keohane’s approach,

stating that not every single alliance is an institution, but instead, that alliances “can be

more than simply pieces of paper or aggregation of military power: as explicit,

persistent, and connected set of rules that prescribe behavioral roles and constrain

activity, sometimes alliances are institutions.”50 From this perspective, Wallander

presented the institutional theory as an efficient approach to grasp the evolution of this

sort of alliance, and the effects that they have on security relations.51 In particular, she

highlighted that what she defined as “security institutions” (understood as highly

institutionalized alliances, addressing a variety of security issues in addition to

deterring external threats),52 are more likely to persist in a changing security

environment than a less institutionalized security coalition, other things being equal.53

46 Wallander, “Institutional Assets,” 705. 47 Robert O. Keohane, International Institutions and State Power: Essays in International Relations Theory. (Boulder: Westview, 1989), 15. Emphasis original. 48 Ibid., 383. 49 Ibid., 15. Emphasis original. 50 Wallander, “Institutional Assets,” 706. 51 Ibid., 705. 52 Ibid., 706. 53 Ibid., 707.


21

In parallel, Robert McCalla stressed the value of international institutionalist

approaches to understand the special case of NATO’s persistence; as unless a

traditional alliance, NATO has developed “norms and procedures beyond mutual

defense.”54 Interestingly, he claimed that the neorealists’ inability to grasp NATO’s

persistence otherwise than as a “deviant case”55 (drawing on Arend Lijphart’s

approach),56 displays strong incentives to analyze NATO’s case in taking into

account additional variables:57 in particular, the “variations in the density and depth

of alliance structures and processes [as well as] the internal dynamics of states

comprising alliances”,58 which have been underplayed by neorealists in “over-

simplify[ing] NATO’s historic mission.”59

Liberal institutionalism highlights the variety of purposes that NATO have had since

its establishment: not only military ones, as described in Article 5, but also political

ones, 60 such as in Article 2 (“The Parties will contribute toward the further

development of peaceful and friendly international relations by strengthening their free

institutions, by bringing about a better understanding of the principles upon which

these institutions are founded, […]”).61

From this perspective, NATO’s persistence is substantially explained by its unusually

high level of institutionalisation (Wallander underscored that NATO “is an organization

of hundreds of daily interactions and procedures [...][which] has bureaucracies with

54 McCalla, “NATO’s Persistence,” 462. See, also, Wallander and Keohane, “Risk.” 55 McCalla, “NATO’s Persistence,” 447. 56 Arend Lijphart, “Comparative Politics and the Comparative Method.,” American Political Science Review 65, no. 03 (1971): 682–93. 57 Ibid., 692. Cited in McCalla, “NATO’s Persistence,” 447. 58 McCalla, “NATO’s Persistence,” 446. 59 Barany and Rauchhaus, “Explaining NATO’s Resilience,” 300. 60 Zoltan Barany, “NATO at Sixty,” Journal of Democracy 20, no. 02 (2009): 110. 61 NATO, The North Atlantic Treaty, 1.


22

practices and procedures staffed by civilians from many countries who work

together”).62 This has allowed the alliance to persist after the Cold War – a substantial

change in the security environment. By relying on initial highly-developed general

assets (understood as devices “for political consultation and decision making, and for

military planning, coordination, and implementation”),63 which in turn, permitted the

creation of innovative specific ones to cope with new security concerns, NATO has

ultimately stayed pertinent in the current security environment.

This leads to Wallander and Keohane’s typology of security institutions. According to

them, NATO has transformed itself from a defensive alliance, which is an “exclusive

security institution, designed principally to deal with threats from non-members”,64 into

a security management institution, understood as “an inclusive, risk-oriented

arrangement with highly institutionalized practices.”65

From their perspective, the three main dimensions differentiating a defensive alliance

from a security management institution are, namely, “the degree to which they are

institutionalized [1], whether they are organized exclusively or inclusively [2], and

whether they are designed to cope with threats or risks [3].”66 Wallander and Keohane’s

typologies of security institutions are used as a part of the conceptual framework of this

dissertation, and further insights concerning its modalities are provided in the next

chapter.

62 Wallander, “Institutional Assets,” 724. 63 Ibid., 731. 64 Wallander and Keohane, “Risk,” 23. 65 Ibid., 22, 28. 66 Ibid., 22.


23

In addition to this, Arita Holmberg – following Wallander and Keohane’s argument –

highlighted that the new role of NATO, as a security management institution, “engaged

in managing challenges to security on a large scale” rather than strictly being, “focused

on territorial defence”,67 has led to new legitimacy considerations. In particular, it has

led to the necessity for NATO to be perceived as a legitimate actor (defined as an actor

“considered appropriate by an audience”)68 – both within and outside the organisation –

by a range of actors “to some extent different if NATO is viewed on as a security

organisation as compared to a defence organization.”69

However, Anand Menon and Jennifer Welsh criticized institutionalist theory, arguing

notably that this approach underestimates the importance of agency and political power

in institutional stability or change, as well as focusing on the persistence and

adaptability of institutions, equalizing implicitly these with continuous sustainability

and effectiveness, which is not automatically the case.70

Nevertheless, the strong argument developed by institutionalists in the early 1990s,

considering NATO not only as a defensive alliance, but rather as a genuine institution,

remains useful regarding the aims of this dissertation. Indeed, it allows an analysis of

NATO cyber defence policy which considers NATO as an international actor in itself,

with its own particular set of perceptions and norms. Yet, the institutionalist approach

seems not well suited to address the questions related to the construction of shared

67 Holmberg, “The Changing Role,” 529. 68 Katharina P. Coleman, International Organisations and Peace Enforcement: The Politics of International Legitimacy (New York: Cambridge University Press, 2007), 20–21. Cited in Holmberg, “The Changing Role,” 530. 69 Holmberg, “The Changing Role,” 538. 70 Anand Menon and Jennifer Welsh, “Understanding NATO’s Sustainability: The Limits of Institutionalist Theory,” Global Governance 17, no. 1 (2011): 85.


24

meanings, perceptions and norms that are at the basis of institutional transformations.

For this reason, after a short overview of liberal accounts on cyber security, the next

section is devoted to explain the constructivist approach, which seems more relevant

regarding these interrogations.

b. CYBER SECURITY AS A DRIVER FOR INSTITUTIONAL TRANSFORMATIONS

Turning to cyber security, liberalism emphasizes the economical dimension of cyber

threats and highlights the dilution of the dichotomy between public and private actors,

as well as between military and civilian sectors.71 Generally speaking, the Internet is

seen as an extraterritorial space falling outside direct national sovereignty (or in other

terms, as a collective good or “global common”),72 and “should be the focus of

international efforts to preserve it.”73

Other scholars have pointed out the implications of new technologies regarding the

notion of power. In particular, Joseph S. Nye, after his seminal concept of “soft power”,74

developed a notion of “cyber power”, as a new domain of power.75 According to him,

from a behavioural perspective, cyber power is, “the ability to obtain preferred

outcomes [inside or outside the cyberspace] through the use of the electronically inter-

connected information resources of the cyberdomain”.76 He stated that cyber power

tends to simultaneously diffuse power towards a multitude of states and non-states

71 Marshall McLuhan and Quentin Fiore, War and Peace in the Global Village (New York: Simon & Schuster Inc., 1974), 134. 72 Horowitz, “A Common Future?” 73 McEvoy Manjikian, “From a Global Village,” 384. 74 Joseph S. Nye, Soft Power: The Means to Success in World Politics (New York: PublicAffairs, 2004). 75 Joseph S. Nye, Cyber Power (Harvard Kennedy School: Belfer Center for Science and International Affairs, 2010); Joseph S. Nye, The Future of Power (New York: PublicAffairs, 2011). 76 Ibid.


25

actors, but “does not mean equality of power”,77 as states remains powerful players with

incomparable cyber capacities. Importantly, regarding cyber security, he argued that

“providing security is a classic function of government, and […] that [the] increasing

[need of] cyber security will lead to an increased role for governments in cyberspace.”78

Overall, liberalists underscore more the dynamics and implications of cyber security

and power in terms of institutional changes, than they examine the perceptions

underpinning such transformations.79 For instance, if Nye recognizes that cyber security

issues are becoming more salient in world politics, he does not address the perceptions

at the basis of such increase. For this reason, the next section is dedicated to an

approach of IR which seems better suited for these questions, namely, constructivism.

iii. CONSTRUCTIVISM

a. NATO AS A NORM PROMOTER

Constructivism supposes that the best way to understand international relations is to

deconstruct the intersubjective structures – understood as the set of rules, norms, and

shared meanings – which shape the world of international politics. The focus on the

social identities of actors and their dynamics is seen as fundamental to grasp both their

interests and their behaviour. Moreover, constructivism postulates that structure and

agency are not two distinct levels, but rather that they influence and co-constitute each

other.80

77 Ibid., 150. 78 Nye, Cyber Power, 15. 79 Eriksson and Giacomello, “The Information Revolution,” 231–232. 80 Dan O’Meara, “Le Constructivisme,” in Théories Des Relations Internationales - Contestations et Résistances, ed. Alex Macleod and Dan O’Meara (Outremont: Athéna Éditions, 2006), 243.


26

Constructivism conceives international politics in examining the socially-constructed

aspects of reality, their dynamics and interpretations. Overall, constructivism is

interested by “the dynamic interplay between social factors such as norms, identities,

interests, and institutions.”81

Constructivism shares some similar observations with institutionalism, also viewing

NATO more as an institution than an alliance. However, constructivists are more

interested in analysing “how international institutions help teach norms and change

state preferences” 82 than examining the institutional structures of institutions

themselves. Notably, they emphasized the importance of international institutions as

agents of socialization (understood as the process by which an actor is incorporated

into “organized patterns of interaction”,83 which in turn modify behaviour in “expected

ways of thinking, feeling, and acting”).84 In the case of NATO, constructivists have been

more interested in analyzing how the alliance has “spread norms, facilitated learning,

and changed state preferences”,85 and how it has acted as a socialization agent for the

new adherents, than predicting its future behaviour. Moreover, it should be noted that

in the 1990s constructivism was not as developed as the neorealism and liberal

institutionalism approaches were, which could explain why fewer predictions about

NATO have been made from this perspective.86 However, its relatively recent character

81 Eriksson and Giacomello, “The Information Revolution,” 233. 82 Barany and Rauchhaus, “Explaining NATO’s Resilience,” 291. 83 Sheldon Stryker and Anne Statham, “Symbolic Interaction and Role Theory,” in The Handbook of Social Psychology, ed. Gardner Lindzey and Elliot Aronson, vol. 1 (New York: Random House, 1985), 325. 84 Alastair I. Johnston, “Treating International Institutions as Social Environments,” International Studies Quarterly 45, no. 04 (2001): 494. On NATO as a agent of socialisation, see, e.g., Alexandra Gheciu, NATO in the “New Europe”: The Politics of International Socialization After the Cold War (Palo Alto: Stanford University Press, 2005); Alexandra Gheciu, Securing Civilization? The EU, NATO and the OSCE in the Post-9/11 World (Oxford: Oxford University Press, 2008). 85 Barany and Rauchhaus, “Explaining NATO’s Resilience,” 292. 86 Ibid.


27

does not limit its value in the context of this dissertation and has not prevented

constructivists to articulate some arguments about NATO’s role after the Cold War.

In particular, from a constructivist approach NATO is viewed as a security community,

sharing some similar values and diffusing a particular set of norms.87 Its persistence and

enlargement are considered to be unsurprising in view of this fundamental purpose,

shaping states’ preferences via its socialization function which in turn, reinforce its own

position as an international security community, embodying these values and

preferences.88

In their analysis of NATO, Michael Williams and Iver Neumann stated that:

“Institutions such as NATO are [...] not just sites for the coordination of interests or

the reduction of transaction costs, as rationalist theories tend to stress. Institutions

are also, and more fundamentally, sites for the production of identity, for the

accumulation and retention of form of capital, and for the exercise of cultural and

symbolic power.”89

Moreover, Williams and Neumann argued that constructivism relies on a dynamic vision

of interests, identity and perception, which varies according to the context. Currently,

NATO can be seen as being in a situation where its policy to tackle emerging cyber

87 Emanuel Adler, “The Spread of Security Communities: Communities of Practice, Self-Restraint, and NATO’s Post-Cold War Transformation,” European Journal of International Relations 14, no. 02 (2008): 195–230; Gheciu, NATO in the “New Europe.” 88 Frank Schimmelfennig, The EU, NATO, and the Integration of Europe: Rules, and Retoric (New York: Cambridge University Press, 2003); Gheciu, Securing Civilization?; Trine Flockhart, “‘Masters and Novices’: Socialization and Social Learning through the NATO Parliamentary Assembly,” International Relations 18, no. 03 (2004): 361–80; Thomas Risse-Kappen, “Collective Identity in a Democratic Community: The Case of NATO,” in The Culture of National Security, ed. Peter Katzenstein (New York: Columbia University Press, 1996), 357–99. 89 Iver B. Neumann and Michael C. Williams, “From Alliance to Security Community - NATO,” in Culture And Security, by Michael C. Williams, Routledge (London, 2007), 62.


28

threats is relatively recent, and still in its experimental phase. Along Williams and

Neumann’s reflection, what is at stake, to understand what kind of policies NATO will

pursue in this domain, is related to the prevailing identity of NATO itself.90 In particular:

“[...] a period of transformation involves a struggle over the forms of identity and

action which will be regarded as legitimate within the emerging order. In such a

situation, the directions taken by actors will be a reflection of struggles exemplifying

the symbolic resources available to them for the (re)construction of their identities

and of their abilities to have those identities recognized by others.”91

It is notably for this reason that this dissertation examines how NATO conceives its

cyber agenda in relation to how NATO conceived itself.

b. CYBER SECURITY AS AN INTERSUBJECTIVE AND DISCURSIVE FRAMING OF THREAT

Regarding cyber security, several constructivist approaches worth being pointed out.

First of all, securitization theory, as developed by the “Copenhagen school”92 offers

meaningful insights concerning the importance of the discursive dimension (through

“speech acts”) in the formation of security issues. From this perspective, “the

intersubjective establishment [through discourses] of an existential threat with a

saliency sufficient to have substantial political effects”93 is what brings particular issues

in the realm of security, and ultimately, the military sector. However, in 1998, the

Copenhagen school explicitly dismissed cyber security as a potential new sector of

90 Ibid., 69. 91 Ibid., 70. 92 See, e.g., Ole Wæver et al., Identity, Migration and the New Security Agenda in Europe (London: Pinter, 1993); Ole Wæver, “Securitization and Desecuritization,” in On Security, ed. Ronnie Lipschutz (New York: Columbia University Press, 1995), 46–86; Barry Buzan, Ole Wæver, and Jaap De Wilde, Security: A New Framework For Analysis (Boulder: Reinner, 1998); Barry Buzan and Ole Wæver, Regions and Powers: The Structure of International Security (Cambridge: Cambridge University Press, 2003); Barry Buzan, People, States & Fear: An Agenda for International Security Studies in the Post-Cold War Era (Colchester: ECPR Press, 2007). 93 Buzan, Wæver, and De Wilde, Security, 25.


29

securitization, arguing that discourses framing cyber issues as existential threats can

have repercussions “within the computer field but with no cascading effects on security

issues”,94 such as military, economic, or societal ones. In 2001, Ralf Bendrath

demonstrated that the US government attempted to do a securitizing move (that is, “a

discourse that takes the form of presenting something as an existential threat to a

referent object”,95 but which fails to legitimize emergency measures in the view of

relevant audiences). This move aimed to increase the private-public partnerships in the

sector of cyber security, and especially the protection of national critical infrastructures,

largely owned by the private sector.96 However, according to Bendrath, this attempt of

securitization largely failed, as the perception of the private sector remains focused on

cyber threat “as consisting primarily of a local, technical problem or as economic costs”

and not as a matter of national security.97

Nonetheless, in 2009, Lene Hansen and Helen Nissenbaum displayed strong evidence

that the situation evolved, in highlighting how cyber security has been successfully

securitized through particular “security grammars”, analogies and interpretations of

cyberspace.98 Other scholars, such as Myriam Dunn Cavelty,99 have also displayed

strong evidences that cyber security has been definitely brought in the realm of security

through particular forms of discourses, with varying degree of success.

94 Ibid. 95 Ibid. 96 Ralf Bendrath, “The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection,” Information and Security 7 (2001): 95. 97 Ibid., 97. 98 Lene Hansen and Helen Nissenbaum, “Digital Disaster, Cyber Security, and the Copenhagen School,” International Studies Quarterly 53, no. 4 (2009): 1155–75. 99 Myriam Dunn Cavelty, “Cyber-Terror – Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate,” Journal of Information Technology & Politics 4, no. 1 (2007): 19–36.


30

Other constructivist scholars have analyzed how the framing of cyber security issues

influences the perception of which actor is responsible for coping with these threats,

what is their origins, and what kind of solutions are pertinent. Along this line, particular

actors could frame cyber security threats in particular ways to picture themselves as

relevant to deal with them, to reinforce their position in a specific sector or to gain

acceptance and legitimacy among relevant audiences.100

Finally, constructivists have also analyzed the use and the significance of analogies,

images, and symbols in the construction of cyber security issues. James Der Derian

notably displayed the idea that the reality of war has been blurred by the military

sector, presenting new technological innovations as allowing the conduct of a bloodless

– almost virtual – war.101 At the same time, widely used analogies, such as the alarmist

predictions of an “electronic Pearl Harbor” or a “cyber 9/11”,102 could easily be seen as

examples of “symbolic politics” (“the use and abuse of symbols for manipulating

political discourse and influencing public opinion”). 103 This last approach was

developed by several scholars104 long before the emergence of current cyber security

issues, but still seems relevant nowadays. Indeed, when it comes to cyber security,

100 Ralf Bendrath, “The American Cyber-Angst and the Real World - Any Link?,” in Bombs and Bandwidth: The Emerging Relationship Between Information Technology and Security, ed. Robert Latham (New York: New Press, 2003), 49–73; Bendrath, “The Cyberwar Debate”; Johan Eriksson, “Cyberplagues, IT and Security: Threat Politics in the Information Age,” Journal of Contingencies and Crisis Management 9, no. 4 (2001): 211–22; Johan Eriksson, “Securizing IT,” in Threat Politics: New Perspectives on Security, Risk, and Crisis Management, by Johan Eriksson (Aldershot: Ashgate, 2001). 101 James Der Derian, “Virtuous War/Virtual Theory,” International Affairs 76, no. 4 (2000): 771–88. 102 See, e.g., the allocution of the US Secretary of Defense, Leon Panetta, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security” (New York, 11 October 2012). 103 Eriksson and Giacomello, “The Information Revolution,” 235. 104 See, e.g., Richard M. Merelman, Language, Symbolism, and Politics (Boulder: Westview, 1993); Murray Edelman, Political Language: Words That Succeed and Policies That Fail (New York: Academic Press, 1977), Political Language; Murray Edelman, The Symbolic Uses of Politics: With a New Afterword (Urbana: University of Illinois Press, 1985); Murray Edelman, Constructing the Political Spectacle (Chicago: Chicago University Press, 1988).


31

because of the inherently high level of abstraction and technological complexity of this

field, analogies with “the real world” appear to be particularly meaningful to convey

particular ideas and norms. In this sense, Johan Eriksson and Giampietro Giacomello

pointed out that “the Internet could be seen as the vast new global arena for symbolic

politics par excellence.”105

Moreover, they claimed that, “constructivism seems apt for analyzing the symbolic,

rhetorical, and identity-based aspects of digital-age security.”106 This argument, with

regard to the aims of this dissertation, justifies that in the next chapter, the theoretical

framework mainly draws on the several constructivist accounts reviewed above.

105 Eriksson and Giacomello, “The Information Revolution,” 235. 106 Ibid., 236.


32

III. METHODOLOGICAL FRAMEWORK

This chapter is devoted to clarifying the theoretical framework, the method of analysis,

the concepts, and the range of sources which are used in this analysis. In order to

provide a clear explanation of all these elements, this chapter is divided in four different

parts; first, it establishes that, regarding the aims of this dissertation, discourse analysis

is the most suitable approach from a theoretical and methodological point of view.

Second, the concepts of security and cyber security discourses are defined, in

accordance with the constructivist literature reviewed above, and additional post-

modernist accounts. Third, the usefulness of Wallander and Keohane’s typology of

security institutions – in relation to the concepts developed in the second part – is

explained, as well as Wagnsson’s views on NATO, which provide additional accounts on

possible concurrent narratives and logics within a single institution. The pertinence of

merging these institutionalists’ insights with a constructivist approach is discussed,

with regard notably to the possible discrepancies between NATO’s discourses and

practices in the field of cyber security. Finally, the choices made regarding the primary

sources collection are discussed and justified.

i. DISCOURSE ANALYSIS: THEORY AND METHOD This dissertation analyzes NATO’s perception of cyber security issues, the goals of its

cyber defence policy, and its own perceived role in this security field, through the lens of

constructivism. Because constructivism grants a substantial importance to speech acts

and the use of particular rhetoric embedded in, and simultaneously reinforcing, shared


33

meanings;107 this dissertation focuses on the rhetorical use of analogies, metaphors, and

images, and uses discourse analysis as a logical consequence.108

Discourse analysis as a theory conceives “discourses as relatively rule-bound set of

statements, which impose limits on what gives meaning”,109 and, “allows the mapping of

struggles over meaning and the process by which meanings become conventionalized

and “natural”.”110 Because discourses fix and structure the social space around

dominant meanings, they simultaneously bring out certain elements, and reduce the

field of discursively in excluding others.111

As it has been already said above, constructivism takes into account the co-construction

of agency and structure through intersubjective processes.112 In parallel, discourse

analysis reflects the reciprocity – or reflexivity – between the language and the “reality”,

stipulating that “language simultaneously reflects reality (“the way things are”) and

constructs (construes) it to be a certain way.”113 Therefore, what is at stake here is to use

discourse analysis to examine how NATO’s is viewing cyber security; assuming in

accordance with the elements above that the particular meanings and problems

attached to these views have a significant impact on the way NATO is responding to it.

107 O’Meara, “Le Constructivisme,” 248. 108 David Barnard-Wills and Debi Ashenden, “Securing Virtual Space: Cyber War, Cyber Terror, and Risk,” Space and Culture 15, no. 2 (2012): 115. 109 Michel Foucault, Security, Territory, Population: Lectures at the Collège de France, 1977-1978 (Houndmill: Palgrave, 2007). Cited in Barnard-Wills and Ashenden, “Securing Virtual Space,” 115. 110 Louise J. Philips and Marianne W. Jørgensen, Discourse Analysis as Theory and Method (London: SAGE, 2002), 13. Cited in Barnard-Wills and Ashenden, “Securing Virtual Space,” 115. 111 Niels Åkerstrøm Andersen, Discursive Analytical Strategies: Understanding Foucault, Koselleck, Laclau, Luhmann (Bristol: Policy Press, 2003); Ernesto Laclau and Chantal Mouffe, Hegemony and Socialist Strategy (London: Verso, 1985). 112 O’Meara, “Le Constructivisme,” 243. 113 James Paul Gee, Discourse Analysis: Theory and Method (London: Routledge, 1999), 82. Emphasis in original.


34

However, this does not mean that discourses always reflect practices. Discourses could

be indications of a particular actor’s intentions to picture itself or something else in a

certain way, in order to reach certain effects, but does not always signify that it will be

translated into practice, or that practice matches discourse. This could be also explained

by the different audiences an actor is speaking to, which do not necessarily have the

same perceptions and interests.114 The conceptual framework explained in the next two

sections is articulated around this recognition of discourse and practice as correlated,

but not necessarily similar.

ii. CONCEPTUAL FRAMEWORK (1): SECURITY AND CYBER SECURITY

DISCOURSES Choosing constructivism as a theoretical framework supposes that this dissertation

relies on an ontological argument distinguishing between material and social reality.115

Accordingly, the structure of the international system (such as anarchy at the global

level) is not seen as a cause but rather as an open process constituting and constituted

by social agents. For example, from this perspective and as Wendt put it, “anarchy is

what states make of it.”116 Accordingly, this dissertation relies on an interpretative

approach based on the assumption that discourses are significant to grasp institutions’

perceptions of themselves and of their purposes, and which, in turn, have a substantial

impact on the establishment of particular practices and policies. In sum, NATO cyber

defence policy is seen in this dissertation as influenced by the meanings that social

114 See, e.g., Thierry Balzacq, Securitization Theory: How Security Problems Emerge and Dissolve (London: Routledge, 2011); Thierry Balzacq, “The Three Faces of Securitization: Political Agency, Audience and Context,” European Journal of International Relations 11, no. 2 (2005): 171–201; Holmberg, “The Changing Role.” 115 Eriksson and Giacomello, “The Information Revolution,” 233. 116 Alexander Wendt, “Anarchy Is What States Make of It: The Social Construction of Power Politics,” International Organization 46, no. 2 (April 1, 1992): 391–425.


35

agents attach to it, which in turn, reinforces NATO members’ particular understandings

of cyber security, and subsequently their behaviour.

In addition to the different constructivist approaches reviewed above, David Campbell’s

analysis of “the modes of representation through which danger [is] interpreted and

understood [in the case of the US foreign policy], and the manifest political

consequences of these modes of representation”117 seems also relevant for this

conceptual framework; even if he is commonly qualified as a post-modernist rather

than constructivist scholar. Indeed, his attempt “to investigate the codes governing and

the logic behind contemporary declarations about the new dangers […] facing [the

US]”118 seems insightful beyond his initial case-study, and his analysis’ objectives are

altogether similar to the aims of this dissertation.

Moreover, acknowledging critics regarding discursive and interpretative post-

modernist approaches as inadequate, because supposedly “divorced from the real

world”,119 he underscored that he does not recuse the existence of an “external

reality”120, but stated instead that:

“What is denied is not that […] objects exist externally to thought, but the rather

different assertion that they could constitute themselves as objects outside of any

discursive condition of emergence.”121

117 David Campbell, Writing Security: United States Foreign Policy and the Politics of Security, Revised Edition (Manchester: Manchester University Press, 1998), 137. 118 Ibid., 191–192. 119 Ibid., 193. 120 Ibid., 7. 121 Ibid., 137.


36

Furthermore, the concept of security (and by extension, the concept of cyber security) is

defined here as an intersubjective and socially constructed process, in accordance with

both David Campbell122 and other constructivist scholars, such as the Copenhagen

School.123 In this perspective, a threat or risk falling into the realm of security is an issue

that has been identified and qualified as such particular actors, using particular modes

of representation. In accordance with this conceptualization, the aim of this dissertation

is fundamentally to address the assumptions underpinning NATO’s cyber defence policy

(regarding the meanings of cyber security threats, their nature, origins and

implications), in deconstructing the discursive modes of representation used by NATO.

Drawing on Mitchell Dean’s work on governmentality,124 David Barnard-Wills and Debi

Ashenden stated that fundamentally, governing is a collective activity of “bodies of

knowledge, opinions, and beliefs.”125 In this sense, to govern does not necessarily

involve a direct control, but is instead an “attempt to shape […] aspects of our behaviour

according to particular sets of norms and for a variety of ends.”126 More importantly,

they argued that this approach allows the displaying that “the way that a problem

becomes understood as being a problem is politically important, with implications for

the types of solutions and responses that are directed toward that problem.”127

Regarding cyber security discourses, they claimed that:

122 Ibid., 199. 123 Buzan, Wæver, and De Wilde, Security, 23–25. 124 Mitchell Dean, Governementality: Power and rule in modern society (London: SAGE, 2010). 125 Barnard-Wills and Ashenden, “Securing Virtual Space,” 115. 126 Dean, Governementality, 18. 127 Barnard-Wills and Ashenden, “Securing Virtual Space,” 115.


37

“We should pay attention to the way that cyber security is understood as a problem

of government, the particular vocabularies and discourses that construct this

problem and the solutions those problematizations privilege.”128

Furthermore, Barnard-Wills and Ashenden defined cyber security discourse as:

“The working term for a set of concepts and ways of thinking, […] with continuity,

and certain presumptions and axioms. […] It is fundamentally a security discourse,

with an orientation toward the securing of virtual space.”129

This definition seems to be especially relevant, insofar as it highlights the role of

discourses as constituting the way cyber security issues are understood, and

consequentially what solutions to these are privileged. For these reasons, the analysis

below is ultimately based on this particular characterization of cyber security discourse.

These conceptualizations, which show the pertinence of discourse analysis as a method,

also demonstrates that the different arguments above share some commons views with

the previously reviewed constructivist accounts, at least regarding the aims of this

dissertation. This explains fundamentally why this dissertation, while focusing on a

constructivist approach, also includes the particular accounts cited above, even if they

have been formulated by scholars not usually labelled as constructivists. Furthermore,

Barnard-Wills and Ashenden showed in their analysis that merging different

approaches seems to be a “powerful tool”130 for analyzing cyber security discourses,

especially with the inherent abstraction of this field of security, and the current lack of

consensus on its fundamental nature.

128 Ibid. 129 Ibid., 116. 130 Ibid., 114.


38

iii. CONCEPTUAL FRAMEWORK (2): CYBER SECURITY DISCOURSES IN

PRACTICE With regards to the research question articulated in the introduction, to what extent

NATO’s cyber policy matches a vision of NATO as a defensive alliance, or as a security

management institution, presupposes the definition of these two forms of institutions.

In order to provide a clear conceptualisation of these, Wallander and Keohane’s

typology of security institutions is used.131 In particular, this analysis relies on the three

main dimensions identified by Wallander and Keohane (already mentioned above) for

assessing if an institution is conceived as a defencive alliance or a security management

institution.

From this perspective, risk and threat are two forms of security issues that can have the

same kind of effects on state security, however, “their sources are qualitatively

different”,132 and consequentially, “dealing with them requires different policies and

institutional mechanisms.”133 Indeed, Wallander and Keohane stipulate that:

“Institutions meant to cope with security threats will have rules, norms, and

procedures to enable the members to identify threats and retaliate effectively

against them. Institutions meant to cope with security risks will have rules, norms,

and procedures to enable the members to provide and obtain information and to

manage disputes in order to avoid generating security dilemmas.”134

Moreover, they stated that:

131 Wallander and Keohane, “Risk,” 22. 132 Wallander, “Institutional Assets,” 710. 133 Ibid. 134 Wallander and Keohane, “Risk,” 26.


39

“Exclusive strategies seem better suited to coping with threats, while inclusive

strategies appear to be better able to cope with and manage risks.”135

The main hypothesis here is that, if NATO cyber defence policy is indeed an example of

NATO’s transformation into a security management institution, some noticeable trends

will display that NATO deals with cyber security issues from a security risk

management, rather than threat retaliation perspective; and that accordingly, NATO’s

cyber defence policy is inclusive and highly institutionalized. 136

This typology has nonetheless one very striking downside, in the sense that it focuses

primarily on risks and threats emerging from interstates relations. Yet, in the case of

cyber security, the importance of security problems emerging from non-states actors is

commonly acknowledged, along with the recurrent problem of attribution, and the

potential opportunities that this gives to states to avoid responsibility (not even

speaking about the problem of states using state-sponsored proxies, or deliberately

ignoring reprehensible cyber activities within their borders).137 Nonetheless, this

typology provides indicators based on institutional policy responses rather than on the

nature of the security challenges that one institution can face (and in this sense, seems

compatible with the constructivist approach discussed above). Therefore, it could be

viewed reasonably as able to cover security issues related to non-state actors or

situations where determining the identity of the attackers is difficult because the focus

here is not on the nature of security issues but rather on the response that institutions

choose to develop to these.

135 Ibid. 136 Ibid., 25. 137 Alexander Klimburg, “Mobilising Cyber Power,” Survival: Global Politics and Strategy 53, no. 1 (2011): 41–60.


40

The main advantage of merging a constructivist approach with Wallander and

Keohane’s typology is to allow the analysis of potential discrepancies between NATO’s

discourses and practices in the field of cyber security. Indeed, a strict discursive analysis

of NATO’s cyber defence policy would provide some interesting insights on how NATO

frames the emerging cyber security issues, and what kind of solutions it privileges to

respond to these; but not addressing the extent to which this discourse is applying – or

not – in practice would severely undermine the potential usefulness of this dissertation,

as it has been noted above that discourses and practices are correlated, but not

necessarily consistent with each other.

Furthermore, this dissertation proposes to go a step further and posits that it may be

possible to find within a particular security institution – and especially a highly

institutionalized one as NATO – diverse functions, organisms and mechanisms which

present distinct features, each of them corresponding to different interpretations of

NATO’s raison d’être. Yet this possibility has not been explicitly addressed by Wallander

and Keohane. For this reason, this statement is made with regards to Wagnsson’s views

that NATO (from a liberal institutionalist approach) is a composite actor, currently

performing different roles, each of them attached to different narratives (that is,

competitive constitutive stories presenting NATO alternatively as a “watchdog”, a “fire-

fighter”, a “neighbour” and a “seminar leader”).138 In her opinion, each narrative is more

or less accented for each NATO’s domains of action, and depends on NATO’s particular

readings of threats, as well as its perception of geography and history.139

138 Charlotte Wagnsson, “NATO’s Role in the Strategic Concept Debate: Watchdog, Fire-Fighter, Neighbour or Seminar Leader?,” Cooperation and Conflict 46, no. 4 (2011): 483–484. 139 Ibid., 485.


41

In particular, she argued that NATO’s action in the field of cyber security is focused on a

strong deterrence logic (corresponding to the “watchdog” narrative) – rooted in the

security logic prevailing during the Cold War – and concluded that NATO’s perception of

itself remains embedded in a traditional Westphalian vision of world politics. According

to her, while attempting to adapt its old strategies to the emerging cyber security

challenges that it faces, NATO persists in conceiving cyber threats from a traditional

deterrence logic, focusing on a state-centric vision and problem-solving – rather that

structural – solutions.140 In this sense, she did not agree with Wallander and Keohane

regarding the overall transformation of NATO into a security management institution,

or at least not in the field of cyber security. Accordingly, this analysis is interesting also

because it examines a question –what kind of institution is NATO with regard to its

cyber defence policy – which is definitely not consensual.

iv. SOURCES Accordingly with the theoretical framework above, a discourse analysis seems to be the

most suitable approach to assess if NATO’s cyber agenda (understood as the whole

range of practices, policies, procedures, norms and knowledge production, as well as,

critically, discourses related to cyber security issues) illustrates its transformation into

a security management instruction, or if other patterns emerge.

In order to analyze NATO’s cyber security discourses and practices, this dissertation is

centred on the textual analysis of several types of official documents released by NATO

(including summit transcripts, reports, as well as speeches, briefings and press

releases). In addition to this, codified norms and procedures are also examined, in order

140 Ibid., 486–487.


42

to assess how NATO’s cyber security discourses are translated into practice. The

collection of these primary sources will be made directly on NATO’s official websites.

One of the striking limits of this analysis, in choosing NATO as a case study to analyze

cyber security discourses, is that numerous documents remain classified,141 which has

consequentially an impact on the findings. However, more often than not, studying

cyber security discourses from an IR perspective means analyzing states’ policy or

particular national institutions’ discourses. In this sense, choosing another case-study

would not allow to bypass such limitation, as cyber issues are commonly viewed as

falling into the realm of military and intelligence offices, where the access to numerous

information and procedures is also restricted.

Another difficulty that could bias this analysis is that, as mentioned in the first chapter, a

great part of the documents assessing the cyber security issues facing NATO is produced

by the CCD COE. This centre is an organism created by NATO (but funded by the

member states themselves). Its core task is “to enhance the capability, cooperation and

information sharing among NATO, NATO nations, and partners in cyber defence by

virtue of education, research and development, lessons learned and consultation”, and it

aims at being “the main source of expertise in the field of cooperative cyber defence.”142

However, it should be noted that, “it is not an operational centre, and does not fall

141 Olivier Kempf, L’OTAN et La Cyberdéfense (Chaire de Cyberdéfense et Cybersécurité: Ministère français de la Défense, 2013), 2, http://www.st-cyr.terre.defense.gouv.fr/index.php/content/download/5741/39535/file/Article%20n%C2%B07%20-%20Chaire%20cyberd%C3%A9fense%20-%20Kempf.pdf. 142 NATO CCDCOE, “Mission and Vision,” NATO CCDCOE, accessed November 27, 2013, http://www.ccdcoe.org/11.html.


43

within the NATO command structure.” 143 Nonetheless, this particular environment, the

arguable reasons why this centre has been established, and the connection between

researchers and NATO, displays convincing indications that the CCD COE knowledge

production should better be understood as part of NATO’s cyber security discourse, or

at least cannot be interpreted as entirely independent of NATO’s perceptions and

interests.

143 NATO CCDCOE, “Institutional Status,” NATO CCDCOE, accessed December 1, 2013, http://www.ccdcoe.org/38.html.


44

IV. NATO CYBER DEFENCE POLICY

This fourth chapter is devoted to the analysis of NATO’s cyber security discourses and

practices, in accordance with to the conceptual framework and the different sources

reviewed above. It is constituted into four different parts: first, a short overview of

NATO cyber defence policy’s development – from 1999 to today – is provided. Secondly,

the analysis aims to examine if NATO is viewing cyber security issues from a risk

perspective, or as potential threats. Thirdly, the question to what extent NATO’s cyber

strategy could be viewed as an inclusive, or exclusive, strategy, is addressed. Finally, the

degree of institutionalization of NATO’s cyber defence policy is examined.

i. CHRONOLOGY AND OVERVIEW In 1999, NATO started to recognize cyberspace as a new domain where pursuing its

missions of collective defence, after it endured its first cyber-attacks during the Kosovo

Operation Allied Force. 144 At that time, several NATO websites were attacked

subsequently by Serbian, Chinese and Russian hackers. As a result, NATO and several

governmental websites were defaced and repeatedly unavailable for significant periods.

However, the hackers did not succeed in acquiring any confidential information, or

having a significant impact on NATO operation.145

Nonetheless, NATO took these incidents seriously. As a result, in 2002, NATO adopted

the Cyber Defence Program at the Prague Summit, with notably the creation of the

NATO Computer Incident Response Capability (NCIRC) as a part of the NATO

144 Jason Healey and Leendert Van Bochoven, NATO’s Cyber Capacities: Yesterday, Today, and Tomorrow, Issue Brief (Atlantic Council, 2011), 1. 145 Szentgáli, “The NATO Policy,” 83.


45

Communication and Information Service Agency.146 At that time, the main task of this

technical centre was to protect NATO own networks, while the protection of allies’

national computer systems fell strictly into the responsibility of state members.147

Moreover, in 2006, NATO expressed its will “to work to develop a NATO Network

Enabled Capability to share information, data and intelligence reliably, securely and

without delay in Alliance operations, while improving protection of [its] key

information systems against cyber attack.”148

However, beyond this declaration, NATO cyber defence policy did not substantially

change from 2002 until the cyber-attacks on Estonia in 2007, which are regarded by

many as the real trigger for the subsequent developments in NATO’s cyber defence

policy. 149 On April 27th, following the decision to relocate the Bronze Soldier of Tallinn

(a Soviet World War II memorial), Estonia faced a three-week wave of massive cyber-

attacks – presumably imputed to Russian nationalist hackers – targeting governmental

and private companies’ websites. At that time, the Estonian Foreign Minister, Urmas

Paet, stated that the direct involvement of the Kremlin in these attacks was likely.

However, NATO officials were reluctant to officially accuse Russia and no proof of any

direct governmental implication has been found to this day.150

At that time, Estonia requested NATO emergency assistance but the organization had no

procedure regarding attacks on cyber assets. As a result, NATO decided to develop a

146 Healey and Van Bochoven, NATO’s Cyber Capacities, 1. 147 Szentgáli, “The NATO Policy,” 83. 148 NATO, Riga Summit Declaration (Riga, Latvia: North Atlantic Council, November 29, 2006), http://www.nato.int/docu/pr/2006/p06-150e.htm. 149 Dunn Cavelty, “Cyber-Allies,” 12. 150 Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia,” The Guardian, May 17, 2007, http://www.theguardian.com/world/2007/may/17/topstories3.russia; Tony Halpin, “Estonia Accuses Russia of ’ Waging Cyber War’,” The Times, May 17, 2007, http://www.thetimes.co.uk/tto/news/world/europe/article2595189.ece.


46

cyber-doctrine and a comprehensive cyber strategy allowing NATO to respond more

effectively to cyber-attacks on state members.151 This will to enhance NATO cyber

strategy and capacities has been reinforced after the conflict between Russia and

Georgia in 2008, due to the scope and the disruptive effect of cyber-attacks that Georgia

faced, in addition to Russian operations on the ground. Even if Russia denied any

involvement in these cyber-attacks, it “unquestionably enjoyed strategic benefits

brought about by [these]”.152

Most importantly, the cyber-attacks on Georgia and Estonia have led to enlarge "the

scope of NATO cyber defense activities",153 from a strict focus on the NATO's own cyber

capacities to a more inclusive conception of cyber defence, including to a certain extent

members' cyber assets.154 The fact that the vast majority of this dissertation’s primary

sources are from after these events also displays “the growing importance of the cyber

issue over the past years.”155

At the Bucharest Summit on 2nd-4th April 2008,156 NATO established two major cyber

defence institutions; the CCD COE in Tallinn, to enhance NATO expert knowledge on

cyber security issues and develop a long-term cyber doctrine and strategy,157 and the

151 Rex Hughes, “NATO and Cyber Defence,” Atlantisch Perspectief 33, no. 1 (2009): 1, http://www.atlcom.nl/site/english/nieuws/wp-content/Hughes.pdf; Jeffrey Hunker, Cyber War and Cyber Power, Research Paper (Rome: NATO Defense College, 2010), 9. 152 Van Epps, “Common Ground,” 30. 153 Hunker, Cyber War and Cyber Power, 9. 154 Jeffrey Hunker, “NATO and Cyber Security,” in Understanding NATO in the 21st Century : Alliance Strategies, Security and Global Governance, ed. Graeme P. Herd and John Kriendler (New York: Routledge, 2013), 157. 155 Gerhard Jandl, “The Challenges of Cyber Security - A Government’s Perspective,” Human Security Perspectives 1 (2012): 29. 156 NATO, Bucharest Summit Declaration (Bucharest, Romania: North Atlantic Council, April 3, 2008), http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_8443.htm?selectedLocale=en. 157 Dunn Cavelty, “Cyber-Allies,” 13.


47

Cyber Defense Management Authority (CDMA), aiming at helping “member states to

improve [coordinate and review] their own national cyber defense capacities”, and

conducting “appropriate security risk management.”158 The CDMA is subordinated to

the Cyber Defence Management Board (CDMB). Furthermore, a Rapid Reaction Team

(RTT) was created, in charge of assisting members on a national level in case of cyber-

attacks, within the NATO Computer Incident Response Capacity Technical Centre

(NCIRC TC, set up after cyber-attacks during the Kosovo Operation Allied Force, and in

charge of the security of NATO’s networks).159 Furthermore, member states approved

the first “NATO Policy on Cyber Defence” (classified).160

In 2010, the Lisbon Summit161 especially emphasized “enhancing NATO cyber defence

capabilities.” Moreover, NATO adopted a new Strategic Concept recognizing cyber

security issues as one of the most prominent emerging security challenges.162

In August 2010, NATO also established the Emerging Security Challenges Division

(ESCD), aiming at “provid[ing] NATO with a Strategic Analysis Capability to monitor and

anticipate international developments that could affect Allied security”, 163 and notably

focusing on cyber defence.

158 Healey and Van Bochoven, NATO’s Cyber Capacities, 2. 159 Dunn Cavelty, “Cyber-Allies,” 12. 160 Kempf, L’OTAN, 2. 161 NATO, Lisbon Summit Declaration (Lisbon, Portugal: North Atlantic Council, November 20, 2010), http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_68828.htm?selectedLocale=en. 162 Michael Rühle, “NATO and Emerging Security Challenges: Beyond the Deterrence Paradigm,” American Foreign Policy Interests: The Journal of the National Committee on American Foreign Policy 33, no. 6 (2011): 281. 163 NATO, “New NATO Division to Deal with Emerging Security Challenges,” NATO, August 4, 2010, http://www.nato.int/cps/en/natolive/news_65107.htm.


48

In 2011, a second NATO cyber defence Policy, Concept, and Action Plan, was approved,

“which set out a vision for coordinated efforts in cyber defence throughout the Alliance

[…], and an associated action plan for its implementation.”164 It provided the integration

of cyber defence into the NATO Defence Planning Process (NDPP), and clarified “the

process the Alliance will use to invoke collective defense while maintaining ambiguity

about specific thresholds.”165 This document is also classified; nonetheless NATO

released documents explaining that the aims of this policy included:

“• Integrate cyber defence considerations into NATO structures and planning processes in

order to perform NATO’s core tasks of collective defence and crisis management.

• Focus on prevention, resilience and defence of critical cyber assets to NATO and Allies.

• Develop robust cyber defence capabilities and centralise protection of NATO’s own networks.

• Develop minimum requirements for cyber defence of national networks critical to NATO’s

core tasks.

• Provide assistance to the Allies to achieve a minimum level of cyber defence and reduce

vulnerabilities of national critical infrastructures.

• Engage with partners, international organisations, the private sector and academia.”166

In May 2012 at the Chicago Summit, member states emphasized developing further

NATO’s ability “to prevent, detect, defend against, and recover from cyber attacks.” They

164 NATO, “NATO and Cyber Defence,” NATO, accessed August 13, 2014, http://www.nato.int/cps/en/natolive/topics_78170.htm. 165 Healey and Van Bochoven, NATO’s Cyber Capacities, 13. 166 NATO, “Defending the Networks - The NATO Policy on Cyber Defence,” 2011, 1, http://www.nato.int/nato_static/assets/pdf/pdf_2011_08/20110819_110819-policy-cyberdefence.pdf.


49

also expressed their will “to engage with relevant partner nations […] basis and with

international organisations, […] in order to increase concrete cooperation.”167

From 2012 until today, NATO has notably achieved bringing “NATO bodies under

centralized protection”168 via the NATO Communication and Information Agency (NCIA,

created in 2012), incorporating the NCIRC TC and its RRT.169 Moreover, cyber defence

has been incorporated into the NATO Defence Planning Process (NDPP), which provides

“a framework for the harmonisation of national and Alliance defence planning activities

aimed at the timely development and delivery of all the capabilities, military and non-

military, needed to meet the agreed security and defence objectives inherent to the

Strategic Concept.”170 State members also tasked NATO with developing an enhanced

cyber defence policy “regarding collective defence, assistance to Allies, streamlined

governance, legal considerations and relations with industry.”171 Finally, it has been

endorsed by NATO Defence Ministers in June 2014, and is currently being implemented.

Another output of NATO’s attempt to tackle cyber security issues worth pointing out is

the Tallinn Manual on the International Law Applicable to Cyber Warfare.172 Its ultimate

goal is to examine the “international law governing cyber warfare”,173 in addressing the

167 NATO, Chicago Summit Declaration (Chicago, US: North Atlantic Council, May 20, 2012), para. 49, http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_87593.htm?selectedLocale=en. 168 Szentgáli, “The NATO Policy,” 86. 169 NATO, “Cyber Security,” NATO Communications and Information Agency, accessed September 1, 2014, https://www.ncia.nato.int/Our-Work/Pages/Cyber-Security.aspx. 170 NATO, “The NATO Defence Planning Process (NDPP),” NATO, accessed August 20, 2014, http://www.nato.int/cps/en/natolive/topics_49202.htm. 171 NATO, “NATO and Cyber Defence.” 172 Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013). 173 Wolff Heintchel Von Heinegg, “The Tallinn Manual and International Cyber Security Law,” Yearbook of International Humanitarian Law 15 (2012): 3.


50

applicable “jus ad bellum, jus in bello, and […] the law of neutrality.”174 It has been

produced by an “International Group of Experts”175 sponsored by CCD COE; and should

be characterized as “a consensus academic work”,176 rather than as reflecting NATO’s

doctrine (according to NATO’s official discourse).177 However, elements show that, in

practice, the Tallinn Manual has been perceived as being a NATO’s endeavour to

implement its own interpretation of international cyber security law. In particular,

criticizing the absence of experts from “anywhere outside Western Europe or North

America”178 and the resulting lack of legitimacy of such work, Russia decided essentially

to “either [ignore] or [reject] (depending on the source) the interpretations […]

represented in the Tallinn Manual.”179 For this reason, the Tallinn Manual’s content is

discussed in this analysis as a part of NATO cyber defence developments, yet restricted

to the elements reflected in NATO’s official doctrine and discourse.

ii. ANALYSIS

a. CYBER SECURITY ISSUES: RISK MANAGEMENT OR THREAT RETALIATION?

The first striking feature emerging from the analysis of NATO officials’ discourses (and

amongst these, first and foremost, NATO Secretary General Anders Fogh Rasmussen’s

speeches) is that cyber defence is often pictured as a strong example of NATO’s

174 Ibid., 4. Emphasis original. 175 Ibid., 3. 176 Ibid., 4. 177 NATO CCDCOE, “The Tallinn Manual,” NATO CCDCOE, accessed September 1, 2014, http://www.ccdcoe.org/tallinn-manual.html. 178 Van Epps, “Common Ground,” 45. 179 Eneken Tikk et al., “The Applicability of International Law in Cyberspace - From If to How?” (presented at the Georgetown University Conference on the International Law on Cyber, Georgetown University, Washington D.C., US, 2013), http://www.scholarlyinsider.com/Insider/videolist/watch/1623/the-applicability-of-international-law-in-cyberspace-from-if-to-how. See, especially, the comments of Dr. Anatoly Streltsov. Cited in Van Epps, “Common Ground,” 45.


51

persisting relevance in the 21st century. Precisely, cyber defence is seen as a new facet

of NATO’s initial mission, namely as a “part of NATO’s core task of collective defence.”180

This view is usually justified by the idea that today “it is no longer sufficient to line up

tanks along [allies’] borders to patrol and protect them, [because] Today’s threats - and

tomorrow’s – often come from the other side of the world, even from cyber space.”181

This means that from this perspective, it is to continue performing its initial role that

NATO has necessarily to take into account new forms of security challenges, among

these those coming from cyberspace. Consequently, NATO’s considerations on how it

“could assist Allies who come under cyber attack […] is [precisely] modern collective

defence.”182

The corollary of this is the recognition of cyber-attacks as having a significant impact on

NATO, as well as on member states, security. Indeed, the new 2010 Strategic Concept

highlights NATO’s vision of cyber security challenges as primordial, because “they can

reach a threshold that threatens national and Euro-Atlantic prosperity, security and

stability.”183 Moreover, the substantial importance of cyber-attacks on NATO and

member states’ cyber assets is considerably emphasized in many speeches, as a

justification of including cyber defence in NATO’s collective defence mission. For

180 Anders Fogh Rasmussen, “Press Conference” (presented at the NATO Defence Ministers Meeting, NATO Headquarters, Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_110618.htm?selectedLocale=en. 181 Anders Fogh Rasmussen, “NATO: Ready, Robust, Rebalanced” (presented at the Carnegie Europe Event, Concert Noble, Brussels, Belgium, 2013), http://www.nato.int/cps/en/natolive/opinions_103231.htm?selectedLocale=en. 182 Ibid. Emphasis added. 183 NATO, “Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organization,” NATO, 2010, 12, http://www.nato.int/strategic-concept/pdf/Strat_Concept_web_en.pdf.


52

instance, the current Deputy Secretary-General of NATO, Alexander Vershbow, argued

that:

“[The] ability to defend against cyber attacks will be central to NATO’s role as a

collective defense alliance in the coming years, especially given the fact that cyber

attacks could have consequences for our societies on the scale of armed attacks.”184

Unsurprisingly, the 2007 cyber-attacks on Estonia are regularly invoked to display the

urge and the importance of strengthening NATO’s cyber defence capacities and strategy.

In Rasmussen’s words:

“A well-orchestrated cyber attack can shut down air traffic control. It can turn off the power in

your house, your city, your country. It can shut down banks – which means no money for

anyone. This isn’t fiction. It has happened. Our NATO-Ally Estonia suffered a few years ago from

a sustained, directed cyber attack that shut down a lot of essential services.”185

Interestingly, more often than not the emphasis is put on repercussions not only in

terms of national security, but also on the impact of cyber-attacks on individuals. This is

particularly salient comparing NATO’s cyber security discourse with other emerging

security challenges (such as terrorism, the proliferation of Weapons of Mass

Destruction (WMD), and energy security). Regarding the latter, direct invocation of

people as the target of cyber-attacks is slightly more widespread. Therein, this quote of

the then Secretary General of NATO, Jaap de Hoop Scheffer, is particularly striking:

184 Alexander Vershbow, “Challenges Facing NATO and the Transatlantic Community Post-2014” (presented at the 30th International Workshop on Global Security, Hôtel national des invalides, Paris, France, 2013), http://www.nato.int/cps/en/natolive/opinions_101606.htm?selectedLocale=en. 185 Anders Fogh Rasmussen, “Speech” (Georgetown University, Washington D.C., US, 2010), http://www.nato.int/cps/en/natolive/opinions_61566.htm?selectedLocale=en.


53

“Speak to Estonia, speak to Estonians and they can easily tell you what it means

when the whole government system or a bank or a factory or whatever, your

Internet traffic, your Internet banking will be brought to a standstill because some

people have made a decision to launch a cyber attack.”186

From a securitization perspective, Hansen and Nissenbaum have already highlighted

how cyber security has been securitized through specific ‘‘grammars’’, amongst these

everyday security practices, which focuses on “mobiliz[ing] “normal” individuals’

experiences”,187 in order to “to secure the individual’s partnership and compliance […],

and to make hypersecuritization scenarios more plausible by linking elements of the

disaster scenario to experiences familiar from everyday life.”188 According to these

initial remarks, NATO’s views on cyber defence seem to be more focused on threats

than risks, as discourses tend to stress empirical situations, as well as very practical

effects of cyber-attacks on state security – and on individuals – to display the

significance of these.

Indeed, regarding cyber-attacks, NATO displays the idea that “threat is very

clear”,189 as “attacks on industry and government websites and information systems

are already a daily occurrence […]. And while [NATO is] certainly able to do better,

[it] have a general idea of the steps [it] should take. The challenge is figuring out

how to do it.”190

186 Jaap De Hoop Scheffer, “Speech at the Annual Press Reception on the Occasion of the New Year” (NATO Headquarters, Brussels, Belgium, 2008), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_7374.htm?selectedLocale=fr. 187 Hansen and Nissenbaum, “Digital Disaster,” 1165. 188 Ibid. 189 Anders Fogh Rasmussen, “Speech on Emerging Security Risks” (Lloyd’s, London, UK, 2009), http://www.nato.int/cps/en/natolive/opinions_57785.htm?selectedLocale=en. 190 Ibid.


54

To a substantial extent these elements seem in accordance with Wallander and

Keohane’s argument that “threats pertain when there are actors that have the

capabilities to harm the security of others and that are perceived by their potential

targets as having intentions to do so.”191

Turning to the origin of this new threat, NATO has been cautious not to point the

finger192 at any government, even if during the cyber-attacks on Estonia and Georgia

officials from these two countries hold the Kremlin responsible explicitly, considering

the political context. Predominantly in its official documents, NATO recognizes that

threats emerging from the cyberspace can come from states, but also from “hacktivists

or criminal organisations, among many others.”193 Precisely, in its 2010 Strategic

Concept, NATO identified “foreign militaries and intelligence services, organised

criminals, terrorist and/or extremist groups”194 as the most likely sources of cyber-

attacks. In this sense, the inherent difficulty of identifying the perpetrators behind a

cyber-attack (and even more, to prove that a government can be hold responsible for

this)195 makes it very difficult to address cyber security issues from a traditional threat

perspective without generating or increasing geopolitical instability. Overall, the

cautiousness with which NATO refers to the sources of cyber security threats – facing

NATO and its members – could reasonably be explained, to a certain extent, by the

recurrent attribution problem.

191 Wallander and Keohane, “Risk,” 25. 192 Traynor, “Russia Accused.” 193 NATO, “Defending the Networks,” 1. 194 NATO, “Strategic Concept,” 11. 195 Klimburg, “Mobilising Cyber Power.”


55

However, since the beginning of the Russia-Ukraine crisis, and the resulting tensions

between NATO and Russia, state members are becoming more likely to explicitly blame

Russia for using cyber-activities to destabilize the Ukrainian government; 196 notably

regarding the very sophisticated virus named “Snake”, which has been detected in the

Ukrainian networks since March 2014.197 These relatively recent changes show that

depending on the future developments in Ukraine, NATO could become less hesitant in

accusing Russia of using cyberattacks or sponsoring proxy groups. Nonetheless, it

should be noted that so far, NATO has been fairly reluctant to openly accuse any

government of being directly involved in cyber-attacks on another state. Concerning

Russia in particular, until recently NATO officials often stress the constructive

developments of NATO-Russia cooperation, even if the on-going political tensions tend

to mitigate these discourses.198

In this context, the 2010 Strategic Concept considers NATO mission in the cyberdomain

as consisting in:

“develop[ing] further [its] ability to prevent, detect defend against and recover from

cyberattacks including by using the NATO planning process to enhance and

coordinate national cyber-defence capabilities, bringing all NATO bodies under

196 Philip M. Breedlove, “Opening Statement” (presented at the 171st NATO Chiefs of Defence meeting, NATO Headquarters , Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_110223.htm?selectedLocale=en. 197 Steven Erlanger and David E. Sanger, “Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government,” The New York Times, March 8, 2014, www.nytimes.com/2014/03/09/world/europe/suspicion-falls-on-russia-as-snake-cyberattacks-target-ukraines-government.html. 198 See, e.g., in comparison, Anders Fogh Rasmussen, “Future NATO” (Chatham House, London, UK, 2014), http://www.nato.int/cps/en/natolive/opinions_111132.htm?selectedLocale=en; Anders Fogh Rasmussen, “NATO – Delivering Security in the 21st Century” (Chatham House, London, UK, 2012), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_88886.htm?selectedLocale=fr.


56

centralized cyber protection, and better integrating NATO cyber awareness,

warning and response with member nations.”199

The details on NATO Policy on Cyber Defence openly released further emphasized that

“NATO cyber defence efforts are based on the overarching principles of prevention and

resilience […].”200

It should be noted that NATO cyber defence policy focus primarily “on the protection of

NATO networks and on cyber defence requirements related to national networks that

NATO relies upon to carry out its core tasks: collective defence and crisis

management.”201 This focus on NATO’s own networks, while underscoring state

responsibility for its national cyber assets is regularly reiterated.202 However, in 2013

NATO broadened its mission (notably in including cyber defence in the NDPP), in order

“to ensure that Allies have the basic organisation, capabilities, and interoperability to

assist each other in the event of cyber attacks.”203

Wallander and Keohane stipulated that:

“Institutions meant to cope with security threats will have rules, norms, and

procedures to enable the members to identify threats and retaliate effectively

199 NATO, “Strategic Concept,” 16–17. 200 NATO, “Defending the Networks,” 2. 201 Ibid. 202 Rasmussen, “Press Conference,” 2014; Anders Fogh Rasmussen, “Press Conference Following the Meeting of the North Atlantic Council in Defence Ministers Session” (NATO Headquarters, Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_104257.htm?selectedLocale=en; Anders Fogh Rasmussen, “Press Conference Following the NATO Defence Ministers Meeting” (NATO Headquarters, Brussels, Belgium, 2013), http://www.nato.int/cps/en/natolive/opinions_101151.htm?selectedLocale=en; Rasmussen, “NATO – Delivering Security.” 203 Anders Fogh Rasmussen, “Future NATO: Towards the 2014 Summit - Secretary General’s Annual Report 2013” (NATO Headquarters, Brussels, Belgium, 2014), http://www.nato.int/cps/en/natolive/opinions_106247.htm?selectedLocale=en.


57

against them. Institutions meant to cope with security risks will have rules, norms,

and procedures enable members to provide and obtain information and to manage

disputes in order to avoid generating security dilemmas.”204

In accordance with this perspective, NATO cyber defence policy seems – regarding its

purpose – more concerned about threats that risks, regarding the fact that a significant

part of what has been done concerns the protection of NATO’s networks, and more

recently state members’ networks, rather than managing conflict per se.

Furthermore, the use of terms such as “cyber warfare” in NATO officials’ discourses205

and in the Tallinn Manual206 tends to reinforce the view that NATO is viewing at cyber

security issues from a threat perspective. The existence of any “cyberwar”, as well as the

relevance and implications of this term is still far from being consensual amongst

scholars and practitioners;207 even if it tends to become omnipresent in military circles,

especially in the US.208 What is important here is to note that linking cyber-attacks with

204 Wallander and Keohane, “Risk,” 29. 205 Alexander Vershbow, “Looking towards the Wales Summit” (NATO Defense College, Rome, Italy, 2014), http://www.nato.int/cps/en/natolive/opinions_111056.htm?selectedLocale=en; Anders Fogh Rasmussen, “Switzerland and NATO : Partners in Security” (Churchill Symposium, Zürich, Switzerland, 2012), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_91490.htm?selectedLocale=en; Anders Fogh Rasmussen, “Building Security in an Age of Austerity” (presented at the 2011 Munich Security Conference, Hotel Bayerischer, Munich, Germany, 2011), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_70400.htm?selectedLocale=fr. 206 Schmitt, Tallinn Manual. 207 See, e.g., Thomas Rid, Cyber War Will Not Take Place (London: Hurst & Company, 2013); John Stone, “Cyber War Will Take Place!,” Journal of Strategic Studies 36, no. 1 (2013): 101–8; Myriam Dunn Cavelty, “The Militarisation of Cyberspace: Why Less May Be Better” (presented at the International Conference on Cyber Conflict Proceedings, CCD COE,Tallinn, 2012); Mary Ellen O’Connell, “Cyber Security without Cyber War,” Journal of Conflict & Security Law 17, no. 2 (2012): 187–209; James Lewis, “The Fog of Cyberwar,” International Relations and Security Network, 2009, http://isnblog.ethz.ch/intelligence/isn-weekly-theme-the-fog-of-cyberwar; John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” in Athena’s Camp: Preparing for Conflict in the Information Age, ed. John Arquilla and David Ronfeldt (Santa Monica: RAND, 1997), 23–60. 208 See, e.g., Sean Lawson, “Putting the ‘War’ in Cyberwar: Metaphor, Analogy, and Cybersecurity Discourse in the United States.,” First Monday 17, no. 7 (2012), http://firstmonday.org/ojs/index.php/fm/article/view/3848/3270; Ryan Singel, “White House Cyber


58

the notion of warfare is not trivial, and denotes a certain vision of cyber security issues

undoubtedly focused on a threat perspective rather than on risk management.

Moreover, NATO cyber security discourses display a vision of cyber security as

undoubtedly falling into the responsibility of governments and particularly, military

circles.209 This particular vision is currently shared by many governments and has been

outlined repeatedly by scholars.210 Form a discursive perspective, Dunn Cavelty argued

that, “the stronger the link between cyberspace and a threat of strategic dimensions

becomes, the more natural it seems that the keeper of the peace in the cyberspace

should be the military.”211 In definitive, this shows that NATO’s narrative is participating

to the constitution of this widespread vision of cyber threats as falling into the scope of

military issues; which, simultaneously, reinforces its own legitimacy, as a military

alliance, in this security field.

As a conclusion, the recurrent evocations in NATO’s discourses and official documents

of the significant impact of cyber-attacks on national security, as well as on individuals,

along with a policy centred on protection of NATO and state members’ networks, and

the semantic use of military-centred terms such as “cyberwarfare”, display significant

elements demonstrating that NATO is viewing at cyber security from a threat

perspective, in accordance with Wallander and Keohane’s definition.

Czar: ‘There Is No Cyberwar,” Wired, March 4, 2010, http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/; Mike McConnell, “How to Win the Cyber-War We’re Losing,” The Washington Post, February 28, 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html; William Lynn, “Defending a New Domain,” Foreign Affairs 89, no. 5 (2010): 97–108; Bendrath, “The Cyberwar Debate.” 209 Rasmussen, “Press Conference,” 2013. 210 See, footnote n°214. 211 Myriam Dunn Cavelty, “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse,” International Studies Review 15, no. 1 (2013): 119.


59

b. NATO’S CYBER STRATEGY: INCLUSIVE OR EXCLUSIVE?

NATO’s discourse on cyber defence abundantly stresses the importance of international

cooperation and partnerships in this domain; usually in relation to the broad

recognition that new global threats, such as cyber threats, bypass borders and demand

“a global perspective.”212 In parallel, what is usually underscored by NATO’s officials is

that NATO is a “unique forum”213 where states can “develop new common approaches

to new common challenges – such as terrorism, proliferation, and cyber warfare –”214

which are complex and request “a high degree of consultation, coordination, and

cooperation.”215 This narrative was defined by Wagnsson as “the seminar leader”, that

is, the idea that NATO is picturing itself as a “powerful ‘security hub’ in the global

arena.”216 Focused on partnerships with partners sharing common interests and based

on the idea that “transnational threats […] demand a comprehensive approach and joint

action by many different actors”,217 it emphasises on NATO as a “forum for global

consultation”,218 if not a “worldwide security provider.”219

In particular, Rasmussen stated that because cyber-attacks are inherently transcending

state borders, a successful cyber defence policy “need[s] sustained international

212 Rasmussen, “Switzerland and NATO.” 213 Anders Fogh Rasmussen, “NATO – Value for Security” (Bratislava, Slovakia, 2011), http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_74522.htm?selectedLocale=fr. 214 Ibid. 215 Rasmussen, “NATO – Delivering Security.” 216 Wagnsson, “NATO’s Role,” 493. 217 Ibid. 218 Anders Fogh Rasmussen, “NATO in the 21st Century: Towards Global Connectivity” (presented at the Munich Security Conference, Hotel Bayerischer Hof, Munich, Germany, 2010), http://www.nato.int/cps/en/natolive/opinions_61395.htm; Anders Fogh Rasmussen, “On Alliance Solidarity in the 21st Century” (Tallinn, Estonia, 2010), http://www.nato.int/cps/en/natolive/opinions_62699.htm; Anders Fogh Rasmussen, “Speech” (presented at the Strategic Concept Seminar, Helsinki, Finland, 2010), http://www.nato.int/cps/en/natolive/opinions_61891.htm. 219 Rob de Wijk, “Speech on NATO’s New Strategic Concept” (MCCS, Lisbon, 2009), http://www.nato.int/cps/en/natolive/opinions_58107.htm?selectedLocale=en.


60

cooperation, between countries that trust each other. And that certainly includes

NATO.”220 In definitive, “an effective response to today’s complex challenges requires

the right connections [for NATO] with other nations and organisations, wherever they

may be located on the globe.”221 In this context, officials’ discourses emphasises on

NATO’s expertise and added value that it can share with state members and partners.222

For instance, in 2011, NATO adopted a “more efficient and flexible partnership

policy”,223 identifying cyber defence as a key sector.224 According to Ioanna-Nikoletta

Zyga, “this increasing emphasis on partnership mirrors a realization among Allies that

partners are a vital factor in addressing the threats and challenges that shape today’s

security landscape.”225 It should also be noted that NATO annual cyber defence

exercises integrate several partners, namely, in 2013, five non-NATO nations (Austria,

Finland, Ireland, Sweden and Switzerland), as well as New Zealand and the European

Union (which both have observer status).226

Similarly to what has been said in the previous section, NATO’s justification of its

broader conception of security, as well as its will to provide security on a global scale, is

based on the idea that new security challenges require intrinsically a global approach.

However, this does not suppose changing the ultimate goal of the Alliance, namely,

220 Rasmussen, “Speech (Georgetown University).” 221 Rasmussen, “Future NATO (Chatham House).” 222 Rasmussen, “Speech (Lloyd’s)”; De Hoop Scheffer, “Speech at the Annual Press Reception.” 223 NATO, “Active Engagement in Cooperative Security: A More Efficient and Flexible Partnership Policy,” 2011, http://www.nato.int/nato_static/assets/pdf/pdf_2011_04/20110415_110415-partnership-policy.pdf. 224 NATO, “Partnerships: A Cooperative Approach to Security,” NATO, accessed August 23, 2014, http://www.nato.int/cps/en/natolive/topics_84336.htm. 225 Ioanna-Nikoletta Zyga, “Emerging Security Challenges: A Glue for NATO and Partners?,” Research Divison - NATO Defense College, Rome, no. 85 (2012): 3. 226 NATO, “NATO Holds Annual Cyber Defence Exercise,” NATO, November 26, 2013, http://www.nato.int/cps/en/natolive/news_105205.htm?selectedLocale=en.


61

collective security.227 On the contrary, it is precisely because NATO’s core mission has

not changed, but that the global environment has, that NATO has to evolve in order to

maintain its relevance, according to NATO officials’ discourses.

Interestingly, when it comes to NATO’s fundamental mission, the emphasis on shared

values is very present in NATO officials’ discourses. Rasmussen notably stated that

“NATO’s essential mission remains the same: to ensure that the Alliance remains a

strong community of freedom, peace, security and shared values.”228 Moreover, he

claimed that “NATO is more than a military Alliance, […] [it is] a community of values,

[…] namely individual liberty, democracy, the rule of law and human rights.”229

This emphasis on NATO as the receptacle of particular values is very interesting

regarding the constructivist literature on NATO, notably the emphasis that several

scholars have put on NATO’s role as a norm promoter.230 Moreover, Rasmussen also

displays elements that can be connected with NATO’s role as a socialization agent,

which can modify state preferences.231 For instance, he stated that:

“Throughout Central and Eastern Europe, NATO membership has been a powerful

incentive for reform. Countries aspiring to membership have restructured their

armed forces and brought them under democratic control. They have enhanced

accountability and transparency. And strengthened the rule of law.”232

227 Rasmussen, “Future NATO (Chatham House).” 228 Ibid. 229 Ibid. 230 See, e.g., Gheciu, Securing Civilization?; Gheciu, NATO in the “New Europe”; Helene Sjursen, “On the Identity of NATO,” International Affairs 80, no. 4 (2004): 687–703; Risse-Kappen, “Collective Identity.” 231 As mentioned in chapter II, see, e.g., Adler, “The Spread”; Flockhart, “‘Masters and Novices’”; Schimmelfennig, The EU, NATO. 232 Rasmussen, “NATO – Delivering Security.”


62

This vision of NATO, as focused on partnerships and conveying norms and values tends

to accredit the idea that NATO is indeed an inclusive alliance: regarding the global

security issues that it face nowadays, it is currently broadening its cooperation in order

to tackle effectively the emerging security challenges of the 21st century, amongst others

cyber security. As Ivo Daalder and James Goldgeier observed:

“If the point of the alliance is no longer territorial defense but bringing together

countries with similar values and interests to combat global problems, then NATO

no longer needs to have an exclusively transatlantic character.”233

Williams and Neumann underscore that with this emphasis on partnerships, NATO has

transformed “its own identity and its portrayal of conditions of security”,234 which in

turn, helped to shape a shared understanding reinforcing NATO’s legitimacy in this

changing security landscape.235

However, several other insights tend to mitigate this first impression. First of all, a

community of shared values is founded on the recognition of on one hand, states

entitled to these values, and on the other hand, states that are considered as not

committed to these values. This first and fundamental division explain why NATO’s

partnerships are selective.236

Regarding partnerships with other actors than states, while NATO, “recognising the

truly global nature of cyberspace and its associated threats,”237 stresses the importance

of “work[ing] with partners, international organisations, academia and the private

233 Ivo Daalder and James Goldgeier, “Global NATO,” Foreign Affairs 85, no. 5 (2006): 109. 234 Neumann and Williams, “From Alliance,” 75. 235 Ibid., 90. 236 Daalder and Goldgeier, “Global NATO,” 111. 237 NATO, “Defending the Networks,” 2.


63

sector”;238 it remains that cyber security is a national responsibility for all allies,

individually and together under the auspices of NATO.239

Furthermore, in practice, NATO partnerships in the domain of cyber defence are still

limited and quite exclusive.240 If NATO’s members have indeed increased their

cooperation within NATO, as well as via subsidiary organisations, such as the

Multinational Cyber Defence Capability Development (MNCD2, aiming at developing

cooperation “in order to effectively and efficiently develop and acquire capabilities for

national use”241), more often than not these initiatives still exclude non-state members;

even if a potential participation of “partner nations” is starting to be discussed.242 The

same rules are applied by the CCD COE.243 Moreover, as it has been noticed above, the

fact that experts who worked on the Tallinn Manual were predominantly from NATO

nations has not gone unnoticed by other countries, which deplored the exclusive

character of such work.244

According to US lieutenant colonel Geoff Van Epps:

“NATO policy essentially forbids cooperating on cybersecurity with any countries

outside the Alliance except for a select group of its closest partners,[245] requiring

238 Ibid. 239 Rasmussen, “Press Conference,” 2013. 240 Van Epps, “Common Ground,” 41. 241 MNCD2, “Multinational Cyber Defence Capability Development,” MNCD2, accessed August 26, 2014, https://mncd2.ncia.nato.int/Pages/default.aspx. 242 Ibid. 243 NATO CCDCOE, “CCD COE.” 244 Van Epps, “Common Ground,” 45. 245 i.e., the non-NATO nations participating to the NATO Holds Annual Cyber Defence Exercise, as seen above. Jandl, “The Challenges,” 36.


64

either a change to current policy or case-by-case exceptions to forge any real cyber

partnership.”246

From his perspective, the exclusive character of NATO cyber defence policy is imbedded

in the defiance of former Warsaw Pact Members or Soviet republics towards Russia, and

more generally towards non-NATO nations. For these countries, cooperation on

cybersecurity is a heresy, and nearly unthinkable. As unanimity is required for all NATO

decisions, “without their consent, no change is possible […].”247

It should be noted that his dissertation tends to examine NATO as a unitary actor,

mainly because the scope of this research does not allow further investigations on

NATO internal tensions. Nevertheless, it does not claim that such tensions do not exist

or are insignificant. On the opposite, regarding NATO partnerships on cyber security, it

seems that the events in Estonia and Georgia have had more an impact on Eastern

European countries for understandable geopolitical reasons, that they are more worried

about Russia’s intentions, and consequently keener on engaging NATO in collective

cyber defence.248 In accordance with this, the declarations of national top-officials

during the cyber-attacks on Estonia and Georgia are enlightening.249

Besides, at the time of writing NATO-Russia partnership is currently suspended because

of the crisis between Ukraine and Russia, which has led to the condemnation by NATO

members of “Russia’s illegal military intervention in Ukraine and Russia’s violation of

246 Van Epps, “Common Ground,” 41. 247 Ibid. 248 Zyga, “Emerging Security Challenges,” 4. 249 Shachtman, “Top Georgian Official”; Traynor, “Russia Accused”; Halpin, “Estonia Accuses Russia.”


65

Ukraine’s sovereignty and territorial integrity.”250 The current situation and its future

developments will certainly have a substantial impact on NATO’s perception of Russia’s

intentions, in the cyberdomain and beyond. However, even before these events, NATO’s

discourse on Russia seemed “somewhat schizophrenic”;251 simultaneously stressing the

idea that Russia is not a threat for NATO,252 but acknowledging that some member

states remained concerned about Russia.253

Additionally, it seems clear regarding the elements mentioned above that NATO’s

perception on cyber threats conceives these as emanating from outside the Alliance. In

parallel, Wallander and Keohane stipulated that from their perspective, “collective

security arrangements are inclusive, since they are designed to deal with threats among

members; alliances are exclusive because they […] defend against external threats.”254

Here, NATO discourse clearly emphasizes the external character of cyber threats, while

the partnerships’ main purpose is to increase the effectivity of NATO’s response and

resilience to these. This core mission of protecting the Alliance, and its members, via a

coordination of their cyber defence policy and capacities, along with the strong

emphasis in NATO’s discourse on enhancing the protection if their cyber assets, tend to

accredit the vision of NATO as an alliance as Wallander and Keohane stated that:

250 NATO, “NATO’s Relations with Russia,” NATO, accessed August 26, 2014, http://www.nato.int/cps/en/natolive/topics_50090.htm? 251 Wagnsson, “NATO’s Role,” 491. 252 Rasmussen, “NATO – Delivering Security.” 253 Anders Fogh Rasmussen, “NATO at 60 – Traditional Values and New Threats” (presented at the 14th International NATO Conference, Budapest, Hungary, 2009), http://www.nato.int/cps/en/natolive/opinions_59297.htm; Anders Fogh Rasmussen, “Speech” (presented at the NATO Parliamentary Assembly meeting, Edinburgh, UK, 2009), http://www.nato.int/cps/en/natolive/opinions_59214.htm. 254 Wallander and Keohane, “Risk,” 26.


66

“Alliances and alignments […] need effectively to aggregate the military capabilities

of their members in order to pose credible deterrence threats or efficient

instruments of defence. In contrast, security management institutions do not need

to mount credible deterrents and effective defences against adversaries. They need

to provide for transparency, consultation, and incentives for cooperative strategies

among members.”255

Nevertheless, as noted above, NATO members do not necessarily rank their priorities in

a similar way, and this could lead to internal disagreements.256 In this sense, enhancing

NATO cyber defence policy can also be viewed as a way to reaffirm solidarity amongst

members, especially towards NATO nations formerly under the Soviet Union’s sphere of

influence. Indeed, regarding the empirical record and the public requests from these

nations,257 they are commonly perceived as the allies who could be the most probably

attacked, and consequentially emphasize more on the applicability and importance of

NATO’s obligation of collective defence in the cyberdomain. 258 Overall, officials’

discourse underscore that it is important for NATO to assist nations requesting

assistance in case of cyber-attacks, also because “this would show [NATO’s] solidarity as

an Alliance.”259

In conclusion, NATO cyber defence policy is to some extent becoming more inclusive

(which is particularly emphasized in NATO officials’ discourses), but substantial

255 Ibid., 33. 256 David S. Yost, “NATO’s Evolving Purposes and the next Strategic Concept,” International Affairs 86, no. 2 (2010): 519. 257 Ibid., 495. 258 Anders Fogh Rasmussen and Taavi Roivas, “Opening Remarks - Joint Press Point” (Tallinn, Estonia, 2014), http://www.nato.int/cps/en/natolive/opinions_109662.htm?selectedLocale=en. 259 Anders Fogh Rasmussen, “Opening Remarks in Defence Ministers Session” (presented at the North Atlantic Council, NATO Headquarters, Brussels, Belgium, 2013), http://www.nato.int/cps/en/natolive/opinions_101100.htm?selectedLocale=en.


67

limitations remain regarding the scope of cooperation, and the choice of partners.

Moreover, the inclusion of non-NATO nations is not described as a change in NATO’s

core mission (from defending against an external threat, in opposition with managing

an internal threat in reducing uncertainty), but rather as a necessary strategy implied

by the emergence of global security threats.

Even if on this particular topic, there is some dissention among NATO members

regarding the level of threat, the perception of cyber threats facing NATO – as arising

from outside the Alliance – seem shared to a great extent. Overall, even if NATO cyber

defence policy enhancement has been justified as a demonstration of NATO’s collective

solidarity, which reinforces NATO’s internal coherence;260 ultimately, it seems that this

does not put into question the prevalence of the vision of NATO cyber defence policy as

aiming at defending allies against an external threat.

c. INSTITUTIONALIZATION OF NATO’S CYBER DEFENCE POLICY

As it has been reviewed above, NATO established several organizational units in charge

of coping with cyber security challenges. While some of them are technical and focus

primarily on the protection of NATO’s networks, such as NATO Communication and

Information Agency (NCIA),261 others, for instance NATO Defence Planning Process

(NDPP),262 are in charge of harmonizing national capacities and policy of member

states, in accordance with NATO’s Strategic Concept. Altogether, these organizations are

focused on NATO allies’ – individually and together – operational capacity. In parallel,

the NATO CCD COE has been established to advance “the development of long-term

260 Michael Horowitz notably states that the emergence of cyberspace as a global common may present opportunities for renewed cooperation within NATO.” Horowitz, “A Common Future?,” 5. 261 NATO, “Cyber Security.” 262 NATO, “NDPP.”


68

NATO cyberdefense doctrine and strategy, seeking to be ‘the main source of expertise in

the field of cooperative cyberdefense.’”263

While the exact set-up and endowments of these organizational units are difficult to

assess because of the lack of public information, the considerable amount of money and

the managerial effort dedicated to implement NATO cyber defence system have not

gone unnoticed.264 Moreover, the fact that NATO cyber defence institutional system is

combining “political, military, industrial, and technological approaches to

cybersecurity”265 displays strong evidences that NATO cyber defence policy is indeed

becoming greatly institutionalized, accrediting the thesis of NATO’s transformation into

a security management institution “with highly institutionalized practices.”266

Turning to NATO’s discourses, noticeable trends illustrate NATO’s emphasis on the need

of approaching cyber defence from multiple angles (and translated into institutionalized

practices) to be effective. In Rasmussen’s own words:

“NATO’s fundamental responsibility in this domain is to defend our own systems,

while nations defend theirs. But under the new policy, we will enhance information

sharing and mutual assistance between Allies. We will improve NATO’s cyber

defence training and exercises. And we will boost our cooperation with industry.”267

263 Dunn Cavelty, “Cyber-Allies,” 13. 264 Kempf, L’OTAN, 5; Dunn Cavelty, “Cyber-Allies,” 13; Healey and Van Bochoven, NATO’s Cyber Capacities, 4. 265 Tikk, “Global Cybersecurity,” 112. 266 Wallander and Keohane, “Risk,” 28. 267 Rasmussen, “Press Conference,” 2013.


69

NATO officials also repeatedly declared that institutionalizing NATO cyber defence is

the most suitable way to protect every link in the chain of NATO cyber defence,268

providing a suitable response in case of cyber-attacks on NATO or allies’ networks,269

and taking advantage of NATO’s added value in this security field.270

However, these first remarks have to be nuanced with regards to other elements of

NATO cyber defence policy; in particular the application to cyber-attacks of the Articles

4 and 5 of its constitutive treaty, and the conclusions of the Tallinn Manual.

Regarding the application of Articles 4 and 5, in 2010, a group of experts has been

nominated to assist the Secretary General in drafting the new Strategic Concept. Their

report was officially agreed by Allies at the Lisbon Summit in November 2010.271 It

stipulates that cyber-assaults are amongst “the most probable threats to Allies in the

coming decade”272, and that they “may or may not reach the level of an Article 5

attack.”273 In this context, NATO collective defence mechanism of Article 5 has to be

determined on case-by-case basis, accordingly with “the nature, source, scope, and

other aspects of the particular security challenge.”274 Importantly, the report stresses

268 Rasmussen, “Press Conference,” 2014. 269 Rasmussen, “Speech (Georgetown University).” 270 De Hoop Scheffer, “Speech at the Annual Press Reception.” 271 NATO, “NATO 2020: Assured Security; Dynamic Engagement,” NATO, accessed September 1, 2014, http://www.nato.int/cps/en/natolive/topics_85961.htm. 272 NATO, “NATO 2020: Assured Security; Dynamic Engagement - Analysis and Recommendations of the Group of Experts on a New Strategic Concept for NATO,” May 17, 2010, 18, http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2010_05/20100517_100517_expertsreport.pdf. 273 Ibid., 10. 274 Ibid., 21.


70

that, “NATO should assume that serious threats will in fact materialize”,275 emphasizing

on calibrating accordingly “detection, deterrence and response”.276

The notion of deterrence, largely conceptualized and applied during the Cold War,277 is

usually remarkably absent of NATO’s official discourses. This can be viewed as NATO’s

clear will to detach itself form its initial mission during the Cold War, in order not to

appear as a relic from the past. However, the presence of such word in official

documents, agreed by the allies, displays also evidence that such logic did not totally

disappear NATO’s policy. On a subsidiary basis, it should be noted that this report has

been directed by Madeleine K. Albright, former US ambassador. Or, in opposition with

NATO’s official discourse, since many years US officials’ discourses and documents have

recurrently applied the concept of deterrence to cyberspace,278 which has been

criticized for being both inaccurate and counter-productive.279

Paradoxically, this illustrates, on the one hand, that examining NATO as a single actor

can limit our understanding concerning the effects of the unequal influence of each

member on NATO policy. Nonetheless, on the other hand, it shows that NATO – at least

275 Ibid. 276 Ibid. Emphasis added. 277 Lawson, “Putting the ‘War.’” 278 US Department of Defense, “Department of Defense Cyberspace Policy Report,” US Department of Defense, 2011, http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf; Barack Obama, “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” The White House, May 29, 2009, http://www.whitehoU.S.e.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure; US Department of Homeland Security, “National Strategy to Secure Cyberspace,” US Department of Homeland Security, 2003, http://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf; US Department of Defense, “The Cyber Domain.” 279 Dunn Cavelty, “The Militarisation”; Noah Shachtman and Peter W. Singer, “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive,” Brookings, August 15, 2011, http://www.brookings.edu/research/articles/2011/08/15-cybersecurity-singer-shachtman; Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica: RAND Corporation, 2009); Martin C. Libicki, Defending Cyberspace and Other Metaphors (Washington D.C.: US Government Printing Office, 1997).


71

in the field of cyber defence – does not completely replicate its allies’ national policy

(not even the US, which is arguably the most influential one), as deterrence is a concept

barely evocated in NATO cyber defence policy. Consequentially it also illustrates the

merits of a holistic approach.

Returning to the report, its most important conclusion is that: “the risk of a large-scale

attack on NATO’s command and control systems or energy grids could readily warrant

consultations under Article 4 and could possibly lead to collective defence measures

under Article 5.”280 In substance, it states that NATO could not be restrained form

applying Article 5, depending on the context, but does not provide any further

clarifications on what could require this application. Accordingly, if the

institutionalization of NATO cyber defence, as reviewed above, “has given clarity to the

process the Alliance will use to invoke collective defense”,281 it maintains “ambiguity

about specific thresholds”282 with the appreciation on a case-by-case basis.

In parallel, it could be viewed that if NATO has made substantial institutional

improvements regarding the protection of its cyber-assets and its capacity to assist

member states in case of cyber-attacks; however, regarding the Tallinn Manual, the

institutionalization of NATO’s response in case of cyber-attacks which could be

categorized as armed attacks (in accordance with the international law of armed

conflict) is still fundamentally flexible. For instance, the experts have not been able to

280 NATO, “NATO 2020 [report],” 46. 281 Healey and Van Bochoven, NATO’s Cyber Capacities, 3. 282 Ibid.


72

reach a consensus on evaluating the threshold of a cyber armed attack, the notion of

self-defence, and the notion of organized armed groups in the cyberspace.283

In conclusion, if several institutional mechanisms have been established by NATO to

manage and mitigate the effects of cyber-attacks of law intensity and scale (which are

the one commonly experienced by NATO), the attempt to institutionalize practices in

case of a cyber-attack reaching the definition of use of force is still in its infancy (notably

because the empirical records regarding this type of attacks, and the potentiality of their

future occurrence, is to a certain extent still debated). With regard to the Tallinn Manual

and the different public releases on NATO policy on cyber defence, it is noticeable that

beyond a consensus on several rules of law reflecting the international law of armed

conflicts, a flexible response on a case-by-case application of either Article 4 or 5 is still

privileged.

On the one hand, the cyber security issues facing NATO on a daily basis, which are

limited in scope, have led to several institutional developments that can illustrate

NATO’s transformation into a security management institution. On the other hand, these

elements display the idea that NATO’s perception of cyber defence, at the highest level,

is still embedded in the vision of itself as an Alliance designed to assure collective

defence against threats, which demands flexibility in choosing the adequate response, in

opposition with a truly security management institution designed to reduce

uncertainty.284

283 Kempf, L’OTAN, 7. 284 Wallander and Keohane, “Risk,” 30.


73

V. CONCLUSION

At first glance, this dissertation displays mixed results: On the one hand, it has been

indicated that NATO is currently establishing significant institutional practices, aiming

at protecting NATO’s own cyber assets (and to a lesser extent, state members’ national

networks) in developing cooperative processes, and in sharing information and best

practices. Moreover, to a certain extent, the development of NATO cyber defence policy

can be seen as responding to internal logic of preserving NATO’s coherence and

solidarity amongst its members.

On the other hand, NATO seems to clearly perceive cyber security issues from a threat

perspective. Its partnerships, although discursively emphasized by NATO officials, are

still quite limited and exclusive, and ultimately do not presuppose a change in NATO’s

core mission, namely, the collective defence of its members. Furthermore, the

institutionalization of NATO cyber defence policy seems to concern in priority a certain

type of cyber-attacks, namely the most commonly experimented by NATO, which are

typically clearly beyond the threshold of the use of force. If NATO has sponsored

academic research aiming at examining the international law applicable to more

significant cyber-assaults, via the Tallinn Manual, the conclusions has been essentially

advocating for applying Articles 4 and 5 on a case-by-case basis, while the criteria

determining such application are still matter to debate.

Ultimately, it seems that NATO cyber defence policy exemplifies the continuous

prevalence of NATO’s self-perception as an alliance, designed to defend its members

against an external threat. Indeed, this analysis has displayed that most NATO

institutional developments, including the modification of its partnership policy, the


74

establishment of several specialised institutional units, and its knowledge production

on cyber security issues, are discursively justified as required for enabling NATO to

continue to perform its core mission. Overall, they are conceived as new facets of

NATO’s original role – demanding adjusting NATO’s strategy and operational capacities.

Yet, NATO cyber defence policy does not seem to represent a fundamental shift in

NATO’s perception of its own purpose.

Moreover, this analysis indicates that NATO is addressing cyber security from a

military-centred perspective, thus legitimizing its own role, and reinforcing the

dominant perception articulating cyber-threats as the matter of military prerogatives.

This analysis is valuable because having showed this; it illustrates the dominance of a

certain discursive construction of cyber security, considering an international

institution (as it has been already studied in the case of several national cyber

policies).285 This construction is based on axioms presented as indisputable (for

instance, that cyber security is a national security issue) and a particular rhetoric (using

metaphors and terms referring to warfare and especially, the Cold War). Highlighting

the premises on which such perception is grounded, and its discursive mechanisms can

“help to understand that it is neither natural nor inevitable that cyber-security should

be presented in terms of power-struggles, war-fighting, and military action […].” In the

long run, this can also be worthwhile to assess further questions regarding the

pertinence of NATO’s self-proclaimed role in this domain.

285 See, e.g.,Barnard-Wills and Ashenden, “Securing Virtual Space”; Dunn Cavelty, “The Militarisation”; Lawson, “Putting the ‘War’”; O’Connell, “Cyber Security”; Dunn Cavelty, “Cyber-Terror.”


75

Regarding the limits of this dissertation, it has already been discussed that examining

NATO from a holistic approach entailed both merits and biases. In particular, cyber

security does not seem to be perceived completely similarly amongst allies; and further

research taking more into account these internal dissensions, as well as the uneven

influential power of each ally, would certainly enhance our understanding of NATO

cyber defence policy as implemented nowadays. In parallel, this dissertation is centred

on cyber security and has the merit to highlight distinctive trends of NATO’s discourse

regarding this particular security field. However, it goes without saying that the global

security landscape that NATO faces, and its own perception in this context, has

interconnected repercussions on every of its domain of action.

More importantly, the results of this analysis tend to reveal another important factor

that has not been explicitly addressed in this research: the fact that cyber-attacks are

not all equivalent in terms of scope and effects. Indeed, the conceptual framework

stipulated that NATO could potentially transform itself more or less into a security

management institution depending on its domains of action.286 However, it did not

address the possibility that NATO cyber defence policy and discourses can be viewed as

exemplifying NATO as a defensive alliance or a security management institution,

depending on the degree of severity of a particular cyber-attack. In particular, NATO’s

narrative picturing itself as a security institution, and adapting its institutional assets in

order to manage effectively cyber security challenges, seems to consider only the

recurrent cyber threats that NATO faces on a daily basis, which are usually limited in

term of scope and impact. Yet, when the possibility of a cyber-attack powerful enough to

286 Wagnsson, “NATO’s Role.”


76

destabilize an ally is evoked (one that could be qualified as a use of force), NATO

discourse and policy displays strong elements considering NATO fundamentally as a

defensive alliance, which would not be reluctant to use all means, including Article 5, to

accomplish its mission.

At first glance, such distinction is not easily analysable using a discursive approach, as

the primary sources examined in this dissertation usually evoke “cyber-attacks” in

generic terms. This is not utterly surprising form a constructivist approach (and

especially from a securitization perspective), as it has been already demonstrated by

several scholars that one of the distinctive features of discourses on cyber security is the

discursive linkage between a whole range of threats directed to multiple referent

objects, from individual to national security.287

However, the fact that NATO does not explicitly make a distinction between different

types of cyber-attacks or referent objects (and focus its knowledge production on cyber-

attacks that can be categorized as use of force, notwithstanding the fact that this kind of

attacks are definitely highly unusual, and does not represent the cyber security issues

that NATO faces on a daily basis), displays the idea that NATO’s cyber security discourse

reinforces this discursive rhetoric viewing cyber security as an unclear continuum of

threats. In turn, this allows NATO picturing itself as a pertinent security actor for a

whole range of threats, and increases its general legitimacy in this security field. In

parallel, it eludes a clarification regarding the different security actors that could me

more relevant depending on which kind of cyber security issues occur. In conclusion, in

287 Hansen and Nissenbaum, “Digital Disaster,” 1162–1163. See also, Barnard-Wills and Ashenden, “Securing Virtual Space”; Dunn Cavelty, “Cyber-Terror.”


77

the field of cyber security, NATO allows itself to evaluate what are its responsibilities

and potential means of actions, according to its own criteria and assessment (on a case-

by-case basis) of any situation, which displays strong evidences that NATO still

considers itself primary as an Alliance, including in the cyberspace.


78

BIBLIOGRAPHY

Adler, Emanuel. “The Spread of Security Communities: Communities of Practice, Self-Restraint, and NATO’s Post-Cold War Transformation.” European Journal of International Relations 14, no. 02 (2008): 195–230.

Andersen, Niels Åkerstrøm. Discursive Analytical Strategies: Understanding Foucault, Koselleck, Laclau, Luhmann. Bristol: Policy Press, 2003.

Arquilla, John, and David Ronfeldt. “Cyberwar Is Coming!” In Athena’s Camp: Preparing for Conflict in the Information Age, edited by John Arquilla and David Ronfeldt, 23–60. Santa Monica: RAND, 1997.

Art, Robert J. “Why Western Europe Needs the United States and NATO.” Political Science Quarterly 111, no. 1 (1996): 1–39.

Balzacq, Thierry. Securitization Theory: How Security Problems Emerge and Dissolve. London: Routledge, 2011.

———. “The Three Faces of Securitization: Political Agency, Audience and Context.” European Journal of International Relations 11, no. 2 (2005): 171–201.

Barany, Zoltan. “NATO at Sixty.” Journal of Democracy 20, no. 02 (2009): 108–22. Barany, Zoltan, and Robert Rauchhaus. “Explaining NATO’s Resilience: Is International Relations

Theory Useful?” Contemporary Security Policy 32, no. 2 (2011): 286–307. Barnard-Wills, David, and Debi Ashenden. “Securing Virtual Space: Cyber War, Cyber Terror,

and Risk.” Space and Culture 15, no. 2 (2012): 110–23. Bendrath, Ralf. “The American Cyber-Angst and the Real World - Any Link?” In Bombs and

Bandwidth: The Emerging Relationship Between Information Technology and Security, edited by Robert Latham, 49–73. New York: New Press, 2003.

———. “The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection.” Information and Security 7 (2001): 80–103.

Betz, David J., and Tim Stevens. Cyberspace and the State: Toward a Strategy for Cyber-Power. New York: Routledge, 2011.

Breedlove, Philip M. “Opening Statement.” NATO Headquarters , Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_110223.htm?selectedLocale=en.

Buzan, Barry. People, States & Fear: An Agenda for International Security Studies in the Post-Cold War Era. Colchester: ECPR Press, 2007.

Buzan, Barry, and Ole Wæver. Regions and Powers: The Structure of International Security. Cambridge: Cambridge University Press, 2003.

Buzan, Barry, Ole Wæver, and Jaap De Wilde. Security: A New Framework For Analysis. Boulder: Reinner, 1998.

Campbell, David. Writing Security: United States Foreign Policy and the Politics of Security. Revised Edition. Manchester: Manchester University Press, 1998.

Coleman, Katharina P. International Organisations and Peace Enforcement: The Politics of International Legitimacy. New York: Cambridge University Press, 2007.

Council of Europe. “Convention on Cybercrime.” Council of Europe, November 23, 2001. http://conventions.coe.int/treaty/en/Treaties/Html/185.htm.

Daalder, Ivo, and James Goldgeier. “Global NATO.” Foreign Affairs 85, no. 5 (2006): 105–13. Dean, Mitchell. Governementality: Power and rule in modern society. London: SAGE, 2010. De Hoop Scheffer, Jaap. “Speech at the Annual Press Reception on the Occasion of the New Year.”

NATO Headquarters, Brussels, Belgium, 2008. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_7374.htm?selectedLocale=fr.

Deibert, Ronald J., and Rafal Rohozinski. “Risking Security: Policies and Paradoxes of CyberspacevSecurity.” International Political Sociology 4, no. 1 (2010): 15–32.

Der Derian, James. “Virtuous War/Virtual Theory.” International Affairs 76, no. 4 (2000): 771–88.


79

De Wijk, Rob. “Speech on NATO’s New Strategic Concept.” MCCS, Lisbon, 2009. http://www.nato.int/cps/en/natolive/opinions_58107.htm?selectedLocale=en.

Dunn Cavelty, Myriam. “Cyber-Allies.” IP Journal, May 1, 2011. https://ip-journal.dgap.org/en/ip-journal/topics/cyber-allies.

———. “Cyber-Terror – Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate.” Journal of Information Technology & Politics 4, no. 1 (2007): 19–36.

———. “From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse.” International Studies Review 15, no. 1 (2013): 105–22.

———. “The Militarisation of Cyberspace: Why Less May Be Better.” CCD COE,Tallinn, 2012. Edelman, Murray. Constructing the Political Spectacle. Chicago: Chicago University Press, 1988. ———. Political Language: Words That Succeed and Policies That Fail. New York: Academic

Press, 1977. Political Language. ———. The Symbolic Uses of Politics: With a New Afterword. Urbana: University of Illinois Press,

1985. Eriksson, Johan. “Cyberplagues, IT and Security: Threat Politics in the Information Age.” Journal

of Contingencies and Crisis Management 9, no. 4 (2001): 211–22. ———. “Securizing IT.” In Threat Politics: New Perspectives on Security, Risk, and Crisis

Management, by Johan Eriksson. Aldershot: Ashgate, 2001. Eriksson, Johan, and Giampiero Giacomello. “The Information Revolution, Security, and

International Relations: (IR)relevant Theory?” International Political Science Review 27, no. 3 (2006): 221–44.

Erlanger, Steven, and David E. Sanger. “Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government.” The New York Times, March 8, 2014. www.nytimes.com/2014/03/09/world/europe/suspicion-falls-on-russia-as-snake-cyberattacks-target-ukraines-government.html.

“Estonia Hit by ‘Moscow Cyber War.’” BBC News, May 17, 2007. http://news.bbc.co.uk/2/hi/europe/6665145.stm.

Fleck, Dieter. “Searching for International Rules Applicable to Cyber Warfare - A Critical First Assesment of the New Tallinn Manual.” Journal of Conflict & Security Law 18, no. 2 (2013): 331–51.

Flockhart, Trine. “‘Masters and Novices’: Socialization and Social Learning through the NATO Parliamentary Assembly.” International Relations 18, no. 03 (2004): 361–80.

Foucault, Michel. Security, Territory, Population: Lectures at the Collège de France, 1977-1978. Houndmill: Palgrave, 2007.

Gee, James Paul. Discourse Analysis: Theory and Method. London: Routledge, 1999. Gheciu, Alexandra. NATO in the “New Europe”: The Politics of International Socialization After the

Cold War. Palo Alto: Stanford University Press, 2005. ———. Securing Civilization? The EU, NATO and the OSCE in the Post-9/11 World. Oxford: Oxford

University Press, 2008. Glaser, Charles L. “Why NATO Is Still Best: Future Security Arrangements for Europe.”

International Security 18, no. 1 (1993): 5–50. Halpin, Tony. “Estonia Accuses Russia of ’ Waging Cyber War’.” The Times, May 17, 2007.

http://www.thetimes.co.uk/tto/news/world/europe/article2595189.ece. Hansen, Lene, and Helen Nissenbaum. “Digital Disaster, Cyber Security, and the Copenhagen

School.” International Studies Quarterly 53, no. 4 (2009): 1155–75. Healey, Jason, and Leendert Van Bochoven. NATO’s Cyber Capacities: Yesterday, Today, and

Tomorrow. Issue Brief. Atlantic Council, 2011. Herzog, Stephen. “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational

Responses.” Journal of Strategic Security 4, no. 2 (2011): 41–60. Holmberg, Arita. “The Changing Role of NATO: Exploring the Implications for Security

Governance and Legitimacy.” European Security 20, no. 04 (2011): 529–46. Holsti, Ole R., Terrence P. Hopmann, and John D. Sullivan. Unity and Disintegration in

International Alliances: Comparative Studies. New York: John Wiley and Sons, 1973.


80

Horowitz, Michael. “A Common Future? NATO and the Protection of the Commons.” Transatlantic Paper Series, no. 3 (2010): 1–18.

Hughes, Rex. “NATO and Cyber Defence.” Atlantisch Perspectief 33, no. 1 (2009). http://www.atlcom.nl/site/english/nieuws/wp-content/Hughes.pdf.

Hunker, Jeffrey. Cyber War and Cyber Power. Research Paper. Rome: NATO Defense College, 2010.

———. “NATO and Cyber Security.” In Understanding NATO in the 21st Century : Alliance Strategies, Security and Global Governance, edited by Graeme P. Herd and John Kriendler, 154–75. New York: Routledge, 2013.

Jandl, Gerhard. “The Challenges of Cyber Security - A Government’s Perspective.” Human Security Perspectives 1 (2012): 26–37.

Johnston, Alastair I. “Treating International Institutions as Social Environments.” International Studies Quarterly 45, no. 04 (2001): 487–515.

Kempf, Olivier. L’OTAN et La Cyberdéfense. Chaire de Cyberdéfense et Cybersécurité: Ministère français de la Défense, 2013. http://www.st-cyr.terre.defense.gouv.fr/index.php/content/download/5741/39535/file/Article%20n%C2%B07%20-%20Chaire%20cyberd%C3%A9fense%20-%20Kempf.pdf.

Keohane, Robert O. International Institutions and State Power: Essays in International Relations Theory. Boulder: Westview, 1989.

Klimburg, Alexander. “Mobilising Cyber Power.” Survival: Global Politics and Strategy 53, no. 1 (2011): 41–60.

Kuehl, Daniel T. “From Cyberspace to Cyberpower: Defining the Problem.” In Cyberpower and National Security, edited by Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, 24–42. Dulles: Potomac Books, 2010.

Laclau, Ernesto, and Chantal Mouffe. Hegemony and Socialist Strategy. London: Verso, 1985. Lawson, Sean. “NATO & Cyber Conflict: Background & Challenges,” 7. Washington D.C., 2012. ———. “Putting the ‘War’ in Cyberwar: Metaphor, Analogy, and Cybersecurity Discourse in the

United States.” First Monday 17, no. 7 (2012). http://firstmonday.org/ojs/index.php/fm/article/view/3848/3270.

Levarska, Nina. Regulation of Cyber-Warfare: Interpretation versus Creation. European Security Review. ISIS Europe, 2013. www.isis-europe.eu/sites/default/files/publications-downloads/esr70-cyber-warfare-Dec2013NL.pdf.

Lewis, James. “Rethinking Cybersecurity - A Comprehensive Approach.” Sasakawa Peace Foundation, Tokyo, Japan, 2011. http://csis.org/files/publication/110920_Japan_speech_2011.pdf.

———. “The Cyber War Has Not Begun.” Center for Strategic and International Studies, March 2010. http://csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf.

———. “The Fog of Cyberwar.” International Relations and Security Network, 2009. http://isnblog.ethz.ch/intelligence/isn-weekly-theme-the-fog-of-cyberwar.

Libicki, Martin C. Cyberdeterrence and Cyberwar. Santa Monica: RAND Corporation, 2009. ———. Defending Cyberspace and Other Metaphors. Washington D.C.: US Government Printing

Office, 1997. Lijphart, Arend. “Comparative Politics and the Comparative Method.” American Political Science

Review 65, no. 03 (1971): 682–93. Liska, George. Nations in Alliance: The Limits of Interdependance. Baltimore: Johns Hopkins

University Press, 1962. Lynn, William. “Defending a New Domain.” Foreign Affairs 89, no. 5 (2010): 97–108. Macleod, Alex. “Le Néoréalisme.” In Théories Des Relations Internationales - Contestations et

Résistances, edited by Alex Macleod and O’Meara Dan, 87–114. Outremont: Athéna Éditions, 2010.

McCalla, Robert B. “NATO’s Persistence after the Cold War.” International Organization 50, no. 03 (1996): 445–75.


81

McConnell, Mike. “How to Win the Cyber-War We’re Losing.” The Washington Post, February 28, 2010. http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html.

McEvoy Manjikian, Mary. “From a Global Village to Virtual Battlespace: The Colonizing of the Internet and the Extension of Realpolitik.” International Studies Quarterly 54, no. 2 (2010): 381–401.

McLuhan, Marshall, and Quentin Fiore. War and Peace in the Global Village. New York: Simon & Schuster Inc., 1974.

Mearsheimer, John J. “Back to the Future: Instability in Europe after the Cold War.” International Security 15, no. 1 (1990): 5–56.

Menon, Anand, and Jennifer Welsh. “Understanding NATO’s Sustainability: The Limits of Institutionalist Theory.” Global Governance 17, no. 1 (2011): 81–94.

Merelman, Richard M. Language, Symbolism, and Politics. Boulder: Westview, 1993. MNCD2. “Multinational Cyber Defence Capability Development.” MNCD2. Accessed August 26,

2014. https://mncd2.ncia.nato.int/Pages/default.aspx. NATO. “Active Engagement in Cooperative Security: A More Efficient and Flexible Partnership

Policy,” 2011. http://www.nato.int/nato_static/assets/pdf/pdf_2011_04/20110415_110415-partnership-policy.pdf.

———. Bucharest Summit Declaration. Bucharest, Romania: North Atlantic Council, April 3, 2008. http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_8443.htm?selectedLocale=en.

———. Chicago Summit Declaration. Chicago, US: North Atlantic Council, May 20, 2012. http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_87593.htm?selectedLocale=en.

———. “Cyber Security.” NATO Communications and Information Agency. Accessed September 1, 2014. https://www.ncia.nato.int/Our-Work/Pages/Cyber-Security.aspx.

———. “Defending the Networks - The NATO Policy on Cyber Defence,” 2011. http://www.nato.int/nato_static/assets/pdf/pdf_2011_08/20110819_110819-policy-cyberdefence.pdf.

———. Lisbon Summit Declaration. Lisbon, Portugal: North Atlantic Council, November 20, 2010. http://www.nato.int/cps/en/SID-1EAF8C0F-DD711C86/natolive/official_texts_68828.htm?selectedLocale=en.

———. “NATO 2020: Assured Security; Dynamic Engagement.” NATO. Accessed September 1, 2014. http://www.nato.int/cps/en/natolive/topics_85961.htm.

———. “NATO 2020: Assured Security; Dynamic Engagement - Analysis and Recommendations of the Group of Experts on a New Strategic Concept for NATO,” May 17, 2010. http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2010_05/20100517_100517_expertsreport.pdf.

———. “NATO and Cyber Defence.” NATO. Accessed August 13, 2014. http://www.nato.int/cps/en/natolive/topics_78170.htm.

———. “NATO Holds Annual Cyber Defence Exercise.” NATO, November 26, 2013. http://www.nato.int/cps/en/natolive/news_105205.htm?selectedLocale=en.

———. “NATO’s Relations with Russia.” NATO. Accessed August 26, 2014. http://www.nato.int/cps/en/natolive/topics_50090.htm?

———. “New NATO Division to Deal with Emerging Security Challenges.” NATO, August 4, 2010. http://www.nato.int/cps/en/natolive/news_65107.htm.

———. “Partnerships: A Cooperative Approach to Security.” NATO. Accessed August 23, 2014. http://www.nato.int/cps/en/natolive/topics_84336.htm.

———. Riga Summit Declaration. Riga, Latvia: North Atlantic Council, November 29, 2006. http://www.nato.int/docu/pr/2006/p06-150e.htm.


82

———. “Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organization.” NATO, 2010. http://www.nato.int/strategic-concept/pdf/Strat_Concept_web_en.pdf.

———. “The NATO Defence Planning Process (NDPP).” NATO. Accessed August 20, 2014. http://www.nato.int/cps/en/natolive/topics_49202.htm.

———. The North Atlantic Treaty. Washington D.C.: NATO, April 4, 1949. http://www.nato.int/nato_static/assets/pdf/stock_publications/20120822_nato_treaty_en_light_2009.pdf.

NATO CCDCOE. “CCD COE.” NATO CCDCOE. Accessed August 5, 2014. https://www.ccdcoe.org/. ———. “Institutional Status.” NATO CCDCOE. Accessed December 1, 2013.

http://www.ccdcoe.org/38.html. ———. “Mission and Vision.” NATO CCDCOE. Accessed November 27, 2013.

http://www.ccdcoe.org/11.html. ———. “The Tallinn Manual.” NATO CCDCOE. Accessed September 1, 2014.

http://www.ccdcoe.org/tallinn-manual.html. Neumann, Iver B., and Michael C. Williams. “From Alliance to Security Community - NATO.” In

Culture And Security, by Michael C. Williams, 62–91, Routledge. London, 2007. Nye, Joseph S. Cyber Power. Harvard Kennedy School: Belfer Center for Science and

International Affairs, 2010. ———. Soft Power: The Means to Success in World Politics. New York: PublicAffairs, 2004. ———. The Future of Power. New York: PublicAffairs, 2011. Obama, Barack. “Remarks by the President on Securing Our Nation’s Cyber Infrastructure.” The

White House, May 29, 2009. http://www.whitehoU.S.e.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure.

O’Connell, Mary Ellen. “Cyber Security without Cyber War.” Journal of Conflict & Security Law 17, no. 2 (2012): 187–209.

O’Meara, Dan. “Le Constructivisme.” In Théories Des Relations Internationales - Contestations et Résistances, edited by Alex Macleod and Dan O’Meara, 243–66. Outremont: Athéna Éditions, 2006.

O’Meara, Dan, and Stéphane Roussel. “Le Libéralisme Classique.” In Théories Des Relations Internationales - Contestations et Résistances, edited by Alex Macleod and Dan O’Meara, 131–51. Outremont: Athéna Éditions, 2006.

Panetta, Leon. “Remarks on Cybersecurity.” New York, 2012. Pawlak, Patryk, and Cécile Wendling. “Trends in Cyberspace: Can Governments Keep Up?”

Environment Systems and Decisions 33, no. 4 (2013): 536–43. Philips, Louise J., and Marianne W. Jørgensen. Discourse Analysis as Theory and Method. London:

SAGE, 2002. Rasmussen, Anders Fogh. “Building Security in an Age of Austerity.” Hotel Bayerischer, Munich,

Germany, 2011. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_70400.htm?selectedLocale=fr.

———. “Future NATO.” Chatham House, London, UK, 2014. http://www.nato.int/cps/en/natolive/opinions_111132.htm?selectedLocale=en.

———. “Future NATO: Towards the 2014 Summit - Secretary General’s Annual Report 2013.” NATO Headquarters, Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_106247.htm?selectedLocale=en.

———. “NATO at 60 – Traditional Values and New Threats.” Budapest, Hungary, 2009. http://www.nato.int/cps/en/natolive/opinions_59297.htm.

———. “NATO – Delivering Security in the 21st Century.” Chatham House, London, UK, 2012. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_88886.htm?selectedLocale=fr.

———. “NATO in the 21st Century: Towards Global Connectivity.” Hotel Bayerischer Hof, Munich, Germany, 2010. http://www.nato.int/cps/en/natolive/opinions_61395.htm.


83

———. “NATO: Ready, Robust, Rebalanced.” Concert Noble, Brussels, Belgium, 2013. http://www.nato.int/cps/en/natolive/opinions_103231.htm?selectedLocale=en.

———. “NATO – Value for Security.” Bratislava, Slovakia, 2011. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_74522.htm?selectedLocale=fr.

———. “On Alliance Solidarity in the 21st Century.” Tallinn, Estonia, 2010. http://www.nato.int/cps/en/natolive/opinions_62699.htm.

———. “Opening Remarks in Defence Ministers Session.” NATO Headquarters, Brussels, Belgium, 2013. http://www.nato.int/cps/en/natolive/opinions_101100.htm?selectedLocale=en.

———. “Press Conference.” NATO Headquarters, Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_110618.htm?selectedLocale=en.

———. “Press Conference Following the Meeting of the North Atlantic Council in Defence Ministers Session.” NATO Headquarters, Brussels, Belgium, 2014. http://www.nato.int/cps/en/natolive/opinions_104257.htm?selectedLocale=en.

———. “Press Conference Following the NATO Defence Ministers Meeting.” NATO Headquarters, Brussels, Belgium, 2013. http://www.nato.int/cps/en/natolive/opinions_101151.htm?selectedLocale=en.

———. “Speech.” Edinburgh, UK, 2009. http://www.nato.int/cps/en/natolive/opinions_59214.htm.

———. “Speech.” Georgetown University, Washington D.C., US, 2010. http://www.nato.int/cps/en/natolive/opinions_61566.htm?selectedLocale=en.

———. “Speech.” Helsinki, Finland, 2010. http://www.nato.int/cps/en/natolive/opinions_61891.htm.

———. “Speech on Emerging Security Risks.” Lloyd’s, London, UK, 2009. http://www.nato.int/cps/en/natolive/opinions_57785.htm?selectedLocale=en.

———. “Switzerland and NATO : Partners in Security.” Churchill Symposium, Zürich, Switzerland, 2012. http://www.nato.int/cps/fr/SID-F698C3D0-50AE6503/natolive/opinions_91490.htm?selectedLocale=en.

Rasmussen, Anders Fogh, and Taavi Roivas. “Opening Remarks - Joint Press Point.” Tallinn, Estonia, 2014. http://www.nato.int/cps/en/natolive/opinions_109662.htm?selectedLocale=en.

Rid, Thomas. Cyber War Will Not Take Place. London: Hurst & Company, 2013. Risse-Kappen, Thomas. “Collective Identity in a Democratic Community: The Case of NATO.” In

The Culture of National Security, edited by Peter Katzenstein, 357–99. New York: Columbia University Press, 1996.

Rühle, Michael. “NATO and Emerging Security Challenges: Beyond the Deterrence Paradigm.” American Foreign Policy Interests: The Journal of the National Committee on American Foreign Policy 33, no. 6 (2011): 278–82.

Schimmelfennig, Frank. The EU, NATO, and the Integration of Europe: Rules, and Retoric. New York: Cambridge University Press, 2003.

Schmitt, Michael N., ed. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press, 2013.

Shachtman, Noah. “Top Georgian Official: Moscow Cyber Attacked Us – We Just Can’t Prove It.” Wired, March 11, 2009. http://www.wired.com/2009/03/georgia-blames/.

Shachtman, Noah, and Peter W. Singer. “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive.” Brookings, August 15, 2011. http://www.brookings.edu/research/articles/2011/08/15-cybersecurity-singer-shachtman.

Sheldon, John B. “Deciphering Cyberpower: Strategic Purpose in Peace and War.” Strategic Studies Quarterly 5, no. 2 (2011): 95–112.

Singel, Ryan. “White House Cyber Czar: ‘There Is No Cyberwar.” Wired, March 4, 2010. http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/.


84

Sjursen, Helene. “On the Identity of NATO.” International Affairs 80, no. 4 (2004): 687–703. Sloan, Stanley R. Permanent Alliance? NATO and the Transatlantic Bargain from Truman to

Obama. London: Bloomsbury Academic, 2010. Snyder, Glenn H. Alliance Politics. Ithaca: Cornell University Press, 1994. ———. “Alliances, Balance, and Stability.” International Organization 45, no. 1 (1991): 121–42. Stone, John. “Cyber War Will Take Place!” Journal of Strategic Studies 36, no. 1 (2013): 101–8. Stryker, Sheldon, and Anne Statham. “Symbolic Interaction and Role Theory.” In The Handbook

of Social Psychology, edited by Gardner Lindzey and Elliot Aronson, 1:311–78. New York: Random House, 1985.

Szentgáli, Gergely. “The NATO Policy on Cyber Defence: The Road so Far.” AARMS 12, no. 1 (2013): 83–91.

Tikk, Eneken. “Global Cybersecurity - Thinking About The Niche for NATO.” SAIS Review of International Affairs 30, no. 2 (2010): 105–19.

Tikk, Eneken, Wolff Heintchel Von Heinegg, Anatoly Streltsov, and László Deák. “The Applicability of International Law in Cyberspace - From If to How?” Georgetown University, Washington D.C., US, 2013. http://www.scholarlyinsider.com/Insider/videolist/watch/1623/the-applicability-of-international-law-in-cyberspace-from-if-to-how.

Traynor, Ian. “Russia Accused of Unleashing Cyberwar to Disable Estonia.” The Guardian. May 17, 2007. http://www.theguardian.com/world/2007/may/17/topstories3.russia.

US Department of Defense. “Department of Defense Cyberspace Policy Report.” US Department of Defense, 2011. http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf.

———. “The Cyber Domain: Security and Operations.” US Department of Defense. Accessed March 11, 2014. http://www.defense.gov/home/features/2013/0713_cyberdomain/.

US Department of Homeland Security. “National Strategy to Secure Cyberspace.” US Department of Homeland Security, 2003. http://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.

Van Epps, Geoff. “Common Ground: U.S. and NATO Engagement with Russia in the Cyber Domain.” The Quarterly Journal 12, no. 4 (2013): 15–50.

Vershbow, Alexander. “Challenges Facing NATO and the Transatlantic Community Post-2014.” Hôtel national des invalides, Paris, France, 2013. http://www.nato.int/cps/en/natolive/opinions_101606.htm?selectedLocale=en.

———. “Looking towards the Wales Summit.” NATO Defense College, Rome, Italy, 2014. http://www.nato.int/cps/en/natolive/opinions_111056.htm?selectedLocale=en.

Von Heinegg, Wolff Heintchel. “The Tallinn Manual and International Cyber Security Law.” Yearbook of International Humanitarian Law 15 (2012): 3–18.

Wæver, Ole. “Securitization and Desecuritization.” In On Security, edited by Ronnie Lipschutz, 46–86. New York: Columbia University Press, 1995.

Wæver, Ole, Barry Buzan, Morten Kelstrup, and Pierre Lemaitre. Identity, Migration and the New Security Agenda in Europe. London: Pinter, 1993.

Wagnsson, Charlotte. “NATO’s Role in the Strategic Concept Debate: Watchdog, Fire-Fighter, Neighbour or Seminar Leader?” Cooperation and Conflict 46, no. 4 (2011): 482–501.

Wallander, Celeste A. “Institutional Assets and Adaptability: NATO After the Cold War.” International Organization 54, no. 04 (2000): 705–35.

Wallander, Celeste A., and Robert O. Keohane. “Risk, Threat, and Security Institutions.” In Imperfect Unions: Security Institutions over Time and Space, edited by Helga Haftendorn, Robert O. Keohane, and Celeste A. Wallander, 21–47. New York: Oxford University Press, 1999.

Walt, Stephen M. “Alliance Formation and the Balance of World Power.” International Security 9, no. 4 (1985): 3–43.


85

———. “Testing Theories of Alliance Formation: The Case of Southwest Asia.” International Organization 42, no. 02 (1988): 275–316.

———. The Origins of the Alliances. Ithaca: Cornell University Press, 1987. Waltz, Kenneth N. “NATO Expansion: A Realist’s View.” Contemporary Security Policy 21, no. 2

(2000): 23–38. ———. “The Emerging Structure of International Politics.” International Security 18, no. 2

(1993): 44–79. ———. Theory of International Politics. Reading: Addison-Wesley, 1979. Wendt, Alexander. “Anarchy Is What States Make of It: The Social Construction of Power

Politics.” International Organization 46, no. 2 (April 1, 1992): 391–425. Yost, David S. “NATO’s Evolving Purposes and the next Strategic Concept.” International Affairs

86, no. 2 (2010): 489–522. Zyga, Ioanna-Nikoletta. “Emerging Security Challenges: A Glue for NATO and Partners?”

Research Divison - NATO Defense College, Rome, no. 85 (2012): 1–8.

NATO Cyber Defence Policy: An adaptation to the emerging threats of the 21st century, or the...

Documents

Transcript of NATO Cyber Defence Policy: An adaptation to the emerging threats of the 21st century, or the...