NATO Faces Challenges in Mounting Cyber-DefenseWill Cyber-Attack on One Member State Be Seen as Attack on All?
Cybersecurity isn't the most pressing issue NATO leaders face as they gather this week in Wales. The growing Taliban threat in Afghanistan, Russia's intervention in Ukraine and the escalating threat of the Islamic State are more urgent concerns. But how the alliance defends its member states against cyber-attacks is a topic they'll tackle at the summit.
Article 5 of the North Atlantic Treaty says that an armed attack against one or more NATO members should be considered an attack against all of them. NATO leaders, including U.S. President Barack Obama and British Prime Minister David Cameron, meeting this week in Newport, Wales, are considering amending Article 5 to include cyber-attacks.
Sounds simple, but it's not. NATO first must define a cyber-attack, which isn't as easy to describe as kinetic warfare. "Words are very critical in defining what constitutes a cyber-attack," says Harry Raduege, a retired 3-star U.S. Air Force general who once headed the Defense Information Systems Agency, where he collaborated with his NATO counterparts on cyber-defense.
Raduege, who now chairs the Deloitte Center for Cyber Innovation, defines a qualifying cyber-attack as one that could cause death, infrastructure disruption and a devastating economic loss to a member state.
Retired Gen. Harry Raduege discusses cybersecurity challenges NATO faces.
The Attribution Problem
NATO leaders also must must deal with the issue of who is to blame for an attack, or what's known as attribution. "That's what's very complex today," says Raduege, who co-chaired the Commission on Cybersecurity for the 44th Presidency, which helped the Obama administration shape its cybersecurity policy. "It's not like a ground invasion or an airborne bombing campaign against another nation that is pretty clear who that might be, but the enemy is much harder to identify if they're operating in the world of cyberspace."
Defining a cyber-attack or identifying the enemy aren't the only challenges NATO faces in ramping up its joint cyber-defenses. "NATO and its members will have to create a more detailed and comprehensive cyber strategy, including appropriate defensive and offensive measures," says Richard Stiennon, author of Surviving Cyberwar.
Not all member states have the same financial resources to elevate their cyber-defenses, and an imbalance could adversely affect the way NATO can defend its member states. A former top U.S. Defense Department cybersecurity official says nations with stronger cyber-defenses are reluctant to share cyber-threat information with countries that have weak cyber-defenses. And information sharing is key to strengthening cyber-defenses.
"Will there be disparity amongst the leader nations and the follower nations?" the former DoD official, who asked not to be identified, asks. "I think the answer is yes."
Inequality also exists among NATO members in regards to kinetic weaponry and defenses, with the United States, Britain, Germany and, to some extent, France, possessing high-end military capability.
"When you get into the Italians, the Greeks, the whatevers, their economies drive the capabilities they have," the former Defense official says. "They'll be some disparity in cyber, but I think they'll find a place that they can share information because the last thing the alliance needs - NATO or the EU - is some nation getting its infrastructure taken down as in Estonia. They know that it is real, so as a security alliance, they'll have to defend and protect the faith. They're not there yet."
In 2007, Russians were blamed for cyber-assaults against the Estonian government, banking and commercial sites during a political dispute between the two nations. Similarly, a year later, as Russia invaded neighboring Georgia, it disrupted Georgian IT sites. Estonia joined NATO in 2004; Georgia is not a NATO member.
How effective would such a NATO mutual cyber-defense be? "Standards for appropriate cyber-defense of each member state stand in the way," Stiennon says. "This is not a matter of, say, the nuclear shield that some NATO members provide. The U.S. and U.K. have not demonstrated that they can defend themselves against cyber-attack, let alone another member nation."
Aiding Small Nations
Thomas Rid, professor of security studies at King's College London, downplays the significance of adding cyber-attacks to Article 5. "In terms of NATO politics, this move is primarily intended to get the smaller countries to up their computer network defenses," Rid says. "It's an internal political move, directed more at NATO members than at its potential adversaries."
Critical infrastructure is vulnerable, he says. "This move could make it easier for some ministries and agencies to get funding and resources from their own governments," he says.
But Rid says changes to Article 5 could stir confusion among other potential adversaries, such as China's People's Liberation Army, itself accused a multiple cyber-attacks (see Mandiant on Nation-State Threats).
"How is the PLA going to interpret this move on NATO's part?" Rid asks. "We don't know. But they may either think: 'Well, what we're doing already seems to be fine, let's carry on.' Or they will think: 'NATO sees great potential here, let's up our game.' Either way, NATO's move is more escalation than deterrence."