Imagine that China launches a cyber attack on the United States tomorrow. It devastates systems, crippling the financial sector or causing loss of life. But does it merit a military response? The answer to that big question also informs a much larger, looming debate: As it becomes increasingly clear that few cyber attacks can be defined as acts of war, what should the role of institutions such as NATO be? And in this new world, how do we define what is war - and what is not?
The topic was discussed at September's NATO Summit in Wales. Attending heads of state agreed that cyber attacks can reach a threshold that not only threatens Transatlantic prosperity and security, but could even be "as harmful to modern societies as a conventional attack" and thus merit an invocation of Article 5, the collective defense clause. Treading carefully, though, they refrained from defining which cyber attacks cross this threshold.
This is an important declaration and the culmination of a seven-year internal debate that stems from Distributed Denial of Service attacks pointed at Estonia in April 2007. But the emerging policy still begs questions, about NATO's response to cyber attacks in particular, but more broadly about the general function of the Alliance.
On April 27, 2007, Estonia, a NATO member, relocated a Soviet-era war memorial. Within hours, a large-scale DDoS campaign began, targeting the websites of government departments, banks, telecoms, and news organizations. Some sites were shut down entirely, while others were defaced. The attacks rendered a number of Estonian government sites inaccessible for weeks and generally disrupted communication in the country.
The attack on Estonia illuminated the vulnerability of NATO members in cyberspace and placed the enhancement of cyber capabilities near the top of the Alliance agenda. In June 2007, NATO defense ministers committed to take up the issue, and in 2008, the Alliance opened the Cooperative Cyber Defence Center of Excellence in the Estonian capital, Tallinn.
The latest Alliance statement, however, does little to clarify NATO's role. At its core, Article 5 is a reactionary clause. Its only invocation in the 65-year history of the Alliance came in response to the 9/11 terrorist attacks. And as the summit declaration states, a certain threshold must be met to consider invoking Article 5.
But how do we define thresholds in cyberspace? It is useful to consider three dimensions: confidentiality, integrity, and availability of data. A few key cases help unpack these concepts.
Confidentiality is the principle that sensitive data should be kept out of the wrong hands, and breaches of confidentiality are perhaps the most common form of cyber attack. Take the widespread accusations that the Chinese hacked Lockheed systems and stole blueprints for the new F-35 aircraft. This attack produced a tangible strategic loss for the United States - and for allies who buy the F-35. It provided the Chinese with not only the information to build a competitor aircraft, but also information to help defend against such an aircraft. Chinese responsibility for the incursion is widely acknowledged. The response? The Department of Justice indicted the hacker in question. For better or worse, confidentiality breaches have been treated as crimes.