NATO Tries to Define Cyber War
Imagine that China launches a cyber attack on the United States tomorrow. It devastates systems, crippling the financial sector or causing loss of life. But does it merit a military response? The answer to that big question also informs a much larger, looming debate: As it becomes increasingly clear that few cyber attacks can be defined as acts of war, what should the role of institutions such as NATO be? And in this new world, how do we define what is war - and what is not?
The topic was discussed at September's NATO Summit in Wales. Attending heads of state agreed that cyber attacks can reach a threshold that not only threatens Transatlantic prosperity and security, but could even be "as harmful to modern societies as a conventional attack" and thus merit an invocation of Article 5, the collective defense clause. Treading carefully, though, they refrained from defining which cyber attacks cross this threshold.
This is an important declaration and the culmination of a seven-year internal debate that stems from Distributed Denial of Service attacks pointed at Estonia in April 2007. But the emerging policy still begs questions, about NATO's response to cyber attacks in particular, but more broadly about the general function of the Alliance.
On April 27, 2007, Estonia, a NATO member, relocated a Soviet-era war memorial. Within hours, a large-scale DDoS campaign began, targeting the websites of government departments, banks, telecoms, and news organizations. Some sites were shut down entirely, while others were defaced. The attacks rendered a number of Estonian government sites inaccessible for weeks and generally disrupted communication in the country.
The attack on Estonia illuminated the vulnerability of NATO members in cyberspace and placed the enhancement of cyber capabilities near the top of the Alliance agenda. In June 2007, NATO defense ministers committed to take up the issue, and in 2008, the Alliance opened the Cooperative Cyber Defence Center of Excellence in the Estonian capital, Tallinn.
The latest Alliance statement, however, does little to clarify NATO's role. At its core, Article 5 is a reactionary clause. Its only invocation in the 65-year history of the Alliance came in response to the 9/11 terrorist attacks. And as the summit declaration states, a certain threshold must be met to consider invoking Article 5.
But how do we define thresholds in cyberspace? It is useful to consider three dimensions: confidentiality, integrity, and availability of data. A few key cases help unpack these concepts.
Confidentiality is the principle that sensitive data should be kept out of the wrong hands, and breaches of confidentiality are perhaps the most common form of cyber attack. Take the widespread accusations that the Chinese hacked Lockheed systems and stole blueprints for the new F-35 aircraft. This attack produced a tangible strategic loss for the United States - and for allies who buy the F-35. It provided the Chinese with not only the information to build a competitor aircraft, but also information to help defend against such an aircraft. Chinese responsibility for the incursion is widely acknowledged. The response? The Department of Justice indicted the hacker in question. For better or worse, confidentiality breaches have been treated as crimes.
The second principle, availability, is just what the word says: The concept that data must be available to users. The DDoS campaign against Estonia is a prime example of an attack that compromises availability. The attack crippled Estonia's servers and routers, temporarily disconnecting the country from the Internet. Estonia responded by blocking global access to websites hosted in Estonia, blocking all Internet traffic originating in Russia, and requesting support from its NATO allies. NATO quickly dispatched a group of experts akin to a forensics team, but no counter attack, physical or cyber, took place.
So why didn't these two cyber events trigger a visible military response from NATO or NATO members? There are a number of factors in play. At a fundamental level we can look at the actors involved and the losses incurred. Russia and China are both emerging global powers with formidable cyber and physical force, and the cost of expanding ongoing political conflicts to the military level is simply too high. But the rationale extends further. Though some may disagree, these attacks alone do not constitute acts of war. They qualify as espionage, sabotage, and crime - they affect data confidentiality and availability, but not our third key principle: integrity.
An event that meets the NATO threshold must affect a state in the way a conventional attack would. This is where the concept of data integrity is important. Data can be manipulated; integrity is the concept that data remains valid, or unchanged. We can conceive of a cyber weapon that infects an industrial control system, alters the data that governs the system, and causes a leak at a chemical plant or shuts down an electrical grid. The Stuxnet virus, which the United States and Israel reportedly deployed to sabotage an Iranian nuclear facility, is an example of a capability to infect and manipulate data on an industrial control system. However, the attack sought only to damage a facility's capacity, not to induce human casualties. A sophisticated malware could conceivably be deployed in the future in a densely populated area where it threatens human life and not just that of an industrial system.
But what kind of actor would carry out such an attack? The chances of traditional NATO adversaries such as Russia or China engaging in this type of activity during peacetime are virtually null. Indeed, any country that adheres to general just war principles such as proportionality and distinction is unlikely to carry out such an attack, even during wartime. An attack on a nuclear or chemical facility in a populated area could yield an unacceptably high level of collateral damage, including civilian casualties. Any rational actor still willing to proceed would need to deploy a data integrity attack with caution. Data manipulation weapons are notoriously difficult to control if deployed remotely and can spread to infect unintended systems, including the attacker's own. The source of such an attack would have to be an international actor that does not adhere to just war.
Undoubtedly, these actors do exist, but extremist groups such as Islamic State and al Qaeda have access to much simpler and cheaper ways of inducing mass casualties, undercutting their incentive to develop and deploy greater cyber capabilities. This is not to say that an attack of this sort is impossible, and it would elicit a large-scale, coordinated response not unlike the response to 9/11. But as King's College professor Thomas Rid is quick to point out, an attack like this may be unrealistic at this point in time.
As more and more data points emerge to inform the conversation, it is becoming increasingly clear that few cyber attacks are acts of war. A small number of cyber attacks involve data manipulation, and even fewer pose militaristic threats. Instead, so called attacks are most often on availability and confidentiality and should be treated as crime. NATO is not a crime fighting organization; it is a military alliance. What NATO should do now is clarify its own role in cyber conflict.