WASHINGTON: NATO is now taking cyber threats as seriously as the Russian tanks and nuclear weapons it was created to deter. But the alliance has a long way to go just to shore up its own network defenses, and it explicitly eschews any role on the offense. NATO has not even written a formal policy on how it would deter a cyber attack. The net result is a certain degree of strategic ambiguity — but then NATO has survived and even thrived on ambiguity for decades.
The crucial development: September’s NATO summit declaration that the alliance’s hallowed Article 5 — which says an attack on one member is an attack against all — applies as much to virtual attacks as to physical ones.
“[In] linking cyber defense to collective defense and Article 5, the declaration says that cyber attacks…could be as harmful to modern society as conventional attack,” said Amb. Sorin Ducaru, NATO’s assistant secretary general for “emerging security challenges.”
That said, the Romanian diplomat emphasized at an Atlantic Council panel this week, “there’s no predetermined threshold,” no defined “red line” beyond which a cyber attack counts as an act of war. But then NATO never defined an automatic trigger for conventional or nuclear conflict either, even during the height of the Cold War. Article 5 only commits a NATO member to “assist” allies under attack by “such actions as it deems necessary, including the use of armed force” — which leaves vast amounts of wiggle room.
There was always doubt whether the United States would really risk nuclear escalation against its homeland to defend West Germany, and, for that matter, whether West Germany would stick with the alliance once wartime commanders started using tactical nuclear weapons on its soil to slow the Soviet horde. Yet despite these uncertainties, the Soviets were ultimately still deterred.
So when it came to cyber, Ducaru said, “there was a conscious decision by the allies in this policy that there is benefit in keeping flexibility and ambiguity.”
“Article 5 was by design something that should be invoked politically by [member] nations in a specific context, on a case by case basis,” Ducaru said. “Article 5 was never designed to be triggered by a certain threshold. [In fact,] the only time it was invoked was after 9/11, which was a scenario that had never been contemplated by the founding partners.”
Despite that one area of (arguably inevitable) strategic ambiguity, the NATO summit made the situation in cyberspace much clearer, argued Christopher Painter, the State Department’s cyber coordinator. Beyond Article 5, “the NATO leaders’ declaration [stated] that international law including the UN Charter, the Law of Armed Conflict, international humanitarian law, etc. applies in cyberspace just like it does in the physical world,” Painter said at the Atlantic Council event. “This is a clear statement that this is not a lawless space — [and] there was some doubt before. There was some thought you had different rules entirely for the cyber world than the physical world, which made no sense and in fact would be very destabilizing.”
“Cyber seems so weird and different [that] it’s really inhibited seeing which of the old laws and ways of thinking about it might apply,” said Jason Healey, the Atlantic Council’s in-house cyber strategist. In fact, he argued, “the more strategically significant the conflict, the more similar it is to conflict in the air, land, and sea.”
Notably, the Russians — widely considered capable of out-hacking even the Chinese — have not launched a purely online offensive since Estonia in 2007, when technical success in shutting down websites not only failed to intimidate Tallinn but outright backfired on a strategic level, scaring NATO into taking cyber seriously. Ever since, in Georgia, Crimea, and now eastern Ukraine, the Kremlin has subordinated cyber to propaganda and good old-fashioned men with guns.
“I’m actually quite hopeful,” Healey said. NATO has been willing to brush aside Russia’s flimsy denials and hold the Kremlin accountable for both the actions of its insignia-less “little green men” in Crimea and its “patriotic hackers” in Estonia. “We will not be tricked,” he said.
Cyber nests within a wider “NATO discussion and analysis on the hybrid warfare concept,” said Amb. Ducaru. “The cyber dimension fits very well into this concept that brings together the conventional with the nonconventional, the low and high-tech elements, the regular and irregular, [and] also this element of deniability of responsibility.”
The hard part, Ducaru admitted, is figuring out how to respond. “NATO’s mandate in cyber is about cyber defense,” he said. “It’s not about cyber warfare or cyber attack or cyber offensive weapons.”
“[Member] nations have their own strategies and those strategies are less narrow than NATO’s,” Ducaru said. (The US, for example, has acknowledged offensive cyber capabilities.) But across the alliance as a whole, he said, “there’s so much to be still done to achieve strong resilience and protection of the network that this is the main focus.”
Defense has a deterrent value all its own, Ducaru and Painter both emphasized. It’s what the Cold War theorists called “deterrence by denial”: You don’t have to convince the enemy you’ll retaliate with an overwhelming counter-offensive, you just have to convince him his attack won’t hurt you in the first place. In cyberspace, however, as in nuclear warfare, defense is hard to do.