The second principle, availability, is just what the word says: the concept that data must be available to users. The DDoS campaign against Estonia is a prime example of an attack that compromises availability. The attack crippled Estonia's servers and routers, temporarily disconnecting the country from the Internet. Estonia responded by blocking global access to websites hosted in Estonia, blocking all Internet traffic originating in Russia, and requesting support from its NATO allies. NATO quickly dispatched a group of experts akin to a forensics team, but no counterattack, physical or cyber, took place.
So why didn't these two cyber events trigger a visible military response from NATO or NATO members? There are a number of factors in play. At a fundamental level we can look at the actors involved and the losses incurred. Russia and China are both emerging global powers with formidable cyber and physical force, and the cost of expanding ongoing political conflicts to the military level is simply too high. But the rationale extends further. Though some may disagree, these attacks alone do not constitute acts of war. They qualify as espionage, sabotage, and crime: they affect data confidentiality and availability, but not our third key principle, integrity.
An event that meets the NATO threshold must affect a state in the way a conventional attack would. This is where the concept of data integrity is important. Data can be manipulated; integrity is the concept that data remains valid, or unchanged. We can conceive of a cyber weapon that infects an industrial control system, alters the data that governs the system, and causes a leak at a chemical plant or shuts down an electrical grid. The Stuxnet virus, which the United States and Israel reportedly deployed to sabotage an Iranian nuclear facility, is an example of a capability to infect and manipulate data on an industrial control system. However, the attack sought only to damage a facility's capacity, not to induce human casualties. Sophisticated malware could conceivably be deployed in the future in a densely populated area, where it would threaten human life and not just an industrial system.
But what kind of actor would carry out such an attack? The chances of traditional NATO adversaries such as Russia or China engaging in this type of activity during peacetime are virtually null. Indeed, any country that adheres to general just war principles such as proportionality and distinction is unlikely to carry out such an attack, even during wartime. An attack on a nuclear or chemical facility in a populated area could yield an unacceptably high level of collateral damage, including civilian casualties. Any rational actor still willing to proceed would need to deploy a data integrity attack with caution. Data manipulation weapons are notoriously difficult to control if deployed remotely and can spread to infect unintended systems, including the attacker's own. The source of such an attack would have to be an international actor that does not adhere to just war principles.
Undoubtedly, these actors do exist, but extremist groups such as Islamic State and al Qaeda have access to much simpler and cheaper ways of inducing mass casualties, undercutting their incentive to develop and deploy greater cyber capabilities. This is not to say that an attack of this sort is impossible, and it would elicit a large-scale, coordinated response not unlike the response to 9/11. But as King's College professor Thomas Rid is quick to point out, an attack like this may be unrealistic at this point in time.
As more and more data points emerge to inform the conversation, it is becoming increasingly clear that few cyber attacks are acts of war. A small number of cyber attacks involve data manipulation, and even fewer pose militaristic threats. Instead, so-called attacks are most often on availability and confidentiality and should be treated as crime. NATO is not a crime-fighting organization; it is a military alliance. What NATO should do now is clarify its own role in cyber conflict.