
Cyber-Allies: Strengths and weaknesses of NATO’s cyberdefense posture

NATO has more of a history with cybersecurity than is widely known. With its new strategy and continued investments, the Alliance seems intent on expanding its cybersecurity capabilities and responsibilities dramatically. But NATO needs to resist the temptation to bring cyberattacks under Article 5, and it risks taking on more cybersecurity accountability than it can deliver on.

Looking back, 2010 seems to have been dominated by reports on one security issue in particular: cyber threats. The discovery of Stuxnet, the industry-sabotaging super worm that scared politicians all over the world; tales of (Chinese) cyberespionage in many variations; the growing sophistication of cybercriminals as evidenced by their impressive scams; as well as Wikileaks’ release of US diplomatic cables and the subsequent actions of the hacker group Anonymous all catapulted the cyber topic from the realm of geeky experts and military strategists to a mainstream public fear. Whether cyberattacks are actually becoming more frequent, better organized, and more costly, or whether only our perception has changed, matters little here. The outcome is clear: cyberattacks are considered one of the top security threats and have been anchored firmly in national strategy documents all over the world.

Given this general mood, NATO’s mention of cyberattacks as one of the primary future security concerns in its new Strategic Concept of November 2010 was widely applauded. But NATO was not merely following the common strategic trend: the reference in its new roadmap marked the provisional culmination of the Alliance’s own long engagement with the threat.

The Cyberthreat Debate Opens

NATO’s own cyberstory begins in the late 1990s. During Operation Allied Force in Kosovo in 1999, NATO was exposed, through American forces, to the operational reality of what has come to be called information operations. On the one hand, this multifaceted military doctrine, tested by the United States during the campaign, is a continuation of the aims of classic wartime information policy. On the other hand, it is shaped by the central premise that information dominance is not merely an auxiliary to war fighting but a form of combat in its own right, capable of determining the final outcome of conflicts. As a side effect, it focused Western strategists’ minds on their own Achilles heel and marked the beginning of the cyberthreats debate as we know it today. The more they thought about disrupting enemy information, infrastructures, and networks, the clearer the vulnerability of their own military and civilian networks became, and with it the blatant insecurity of the essential assets of industrialized societies that practically run on these information networks, the so-called critical infrastructures.

What happened to NATO during the Kosovo conflict was neither severe nor critical, but it was a painful wake-up call: its website was hacked by pro-Serbian hackers and its e-mail server was clogged. The website remained unavailable for days, which was an acute embarrassment. Far more important for the development of NATO’s cyberdefense than this “hacktivism,” however, was the sustained cyberattack on Estonian networks in 2007. When Estonian authorities began removing a bronze statue of a World War II-era Soviet soldier from a park, a three-plus-week cyberspace “battle” ensued in which waves of Distributed Denial of Service (DDoS) attacks flooded various Estonian websites with far more requests than the servers hosting them and their network links could absorb, knocking the sites offline for legitimate users.

Even though it was not, and may never be, possible to establish with sufficient evidence who was behind the attacks, various officials readily and publicly blamed the Russian government. Moreover, although the attacks had no truly serious consequences for Estonia beyond economic losses, some officials even openly toyed with the idea of a counter-attack in the spirit of Article 5 of the North Atlantic Treaty, which states that “an armed attack” against one or more NATO countries “shall be considered an attack against them all.”

The Estonian incident was important for NATO’s cyberidentity in several ways. First, it clearly showed the limits of old-school strategic logic in the face of cyberattacks and shaped the perception that the Alliance lacked both a coherent cyberdoctrine and a comprehensive cyberstrategy. Second, the incident changed the way NATO perceived its own role in cyberdefense matters. Before the incident, NATO had focused almost exclusively on the protection of its own networks; afterward, the need for extended cyberdefense for the Allies came into focus.

Cyberdefense Management in the Status Quo

In brief, NATO’s current cyberdefense structure consists of three organizational units. The first, NATO’s Computer Incident Response Capability Technical Centre (NCIRC TC), was set up in the aftermath of the Kosovo conflict and the website hack. The NCIRC TC monitors NATO-related websites and provides 24/7 technical response to cyberthreats. As part of an amended version of NATO’s cyberdefense policy, which is due this summer, the NCIRC TC’s capabilities are expected to be strengthened.

Second, NATO set up the Cyber Defence Management Authority (CDMA) in 2008 to centralize, manage, and coordinate cyberdefense operational capabilities across the Alliance. In the future, the CDMA is to evolve into a war-room operation for NATO’s cyberdefenses, with actual tactical responses carried out by member states. Third, the Cooperative Cyber Defence Centre of Excellence, with its clumsy acronym CCD CoE, was set up in Tallinn. Whereas the CDMA is charged mainly with coordinating NATO’s cyberdefense in an operational capacity, the Tallinn CoE advances the development of long-term NATO cyberdefense doctrine and strategy, seeking to be “the main source of expertise in the field of cooperative cyberdefense.”

So, what can be made of NATO’s cyberdefense structure? A proper evaluation of its actual capabilities, such as available hardware, software, or specialists, is not possible given the lack of public information on the exact set-up and endowment of these units. What does become clear from public sources is that NATO’s cyberdefense system is still in its infancy, though a considerable amount of money seems to be flowing into building it up and improving it.

Duty Bound to Cyberdefense?

NATO being what it is, one specific topic keeps surfacing when cyberthreats and the necessary countermeasures are discussed. Currently, NATO’s cyberdefense actions are framed within Article 4. This means that members will “consult together” in the case of cyberattacks, but are not duty bound to aid each other as described in Article 5 of the Treaty. Cyberdefense remains predominantly a national responsibility, but NATO puts a lot of effort into building up structures to offer this consultation. Whether the Article 4 approach is sufficient remains a point of debate. According to some newspaper reports, explicitly extending the definition of attacks that trigger the Alliance’s collective defense to include cyberattacks, and thus changing the reading of Article 5, was part of the draft version of the new Strategic Concept circulated by Secretary General Rasmussen ahead of the Lisbon Summit.

The main reason behind this was likely a desire to maximize the Alliance’s deterrent effect in the cyberdomain. But the cyberdomain imposes considerable limits on deterrence. Deterrence works when one party can credibly convey to another that it is both able and willing to retaliate with the (military) instruments at its disposal if a line is crossed. For that to work, the opponent must first be a state and second be identifiable as the attacker. States are behind some cyberincidents, but they are not usually the culprits, and attackers of any kind have little reason to fear retaliation, since they can usually remain anonymous if they choose. Identifying actors in a timely manner is particularly tricky because of the frequent lag between the action a perpetrator takes, the intrusion itself, and the effects of the intrusion. And even if one or several perpetrators could be identified with certainty, proving that a state actor (or a terrorist organization) had coordinated their actions would be the next hurdle.

The second argument for changing Article 5 is to clarify what kind of cyberattack should trigger NATO’s response. According to many experts, however, changing it would have put the organization at a disadvantage because it would reduce its current flexibility. Furthermore, the existing framework already accommodates one specific kind of cyberattack: one whose effects are comparable to an armed assault, for example in casualties and destruction on the scale of a military attack. This preserves the logic of Article 5 and prevents a dangerous expansion of war-logic into the domain of low-level, low-impact cyberattacks, which constitute the majority of worldwide cyberincidents. Though they are often portrayed as a huge problem, most cyberattacks cause only mild inconvenience rather than serious or long-term disruption.

Keeping NATO’s cyberdefense within the Article 4 mechanisms is in fact crucial if NATO wants to remain a credible player in cybersecurity matters; anything else would lead to severe legal, practical, and strategic problems. It is very likely, however, that there will be further attempts to move the cyber topic under the frame of Article 5. Because the potentially devastating effects of cyberattacks are so frightening, the temptation is not only to think about worst-case scenarios but also to give them added (often too much) weight despite their very low probability. This will always result in calls for an aggressive, militarized response, which poses more of a problem than a solution to cyberinsecurity.

For the same reason, cyberdeterrence can also be expected to garner sustained attention in the future. In theory, effective cyberdeterrence requires a wide-ranging scheme of offensive and defensive cybercapabilities supported by a robust international legal framework as well as the ability to attribute an attack to an attacker without any doubt. Whereas defensive cybercapabilities and the design of better legal tools—actually a current focus of NATO’s Tallinn Centre—are relatively uncontested and worth investing time and money in, an open or clandestine cyberarms race must be avoided at all costs because it would have hugely detrimental effects on the way humankind uses the internet. The same can be said for the attribution problem, which, were it to be solved, would come at a very high cost for privacy. States, their militaries, and NATO should also think long and hard about whether the uncertain promise of an increase in security is really worth the sacrifice of cyberspace as we have come to cherish it.

Cybersecurity and cyberdefense are tough issues for state actors all over the world, and perhaps even more so for an organization like NATO. The nature of the problem raises the critical question of what role states should, and actually can, play in the field of cybersecurity. Clearly, it is plainly impossible for the state to increase the cybersecurity of an entire country by itself. The private sector, which owns most of the critical infrastructure, is the most affected by cybercrime and espionage, and unless the state wants to vastly increase regulation, it cannot ensure the security of these assets. Most states therefore focus on protecting their own networks and, through their legislative bodies, try to close existing gaps in internet law. In addition, they pursue close partnerships with the corporate sector and international partners, mostly to exchange information on threats and issues.

All of these elements, namely the focus on protecting its own networks, the inclusion of many stakeholders, and the international dimension, are also part of NATO’s cyberdefense concept. In theory at least, NATO measures up well to international standards. However, the more recent tendency to expand the logic of its cyberdefense from the narrow confines of its own networks to those of its Allies risks interfering with this historically evolved division of labor over who does what in cybersecurity. This will inevitably lead to problems. Expanding incident response to member states makes sense as long as cyberdefense is seen as a building block and confidence-building measure within NATO’s transformation. However, if this expansion is promulgated as a mission to protect civilian infrastructures in general, or if there is a belief that NATO can be a key player in enhancing cybersecurity as a whole, NATO will have set itself up for a major public relations fiasco.

The problem is that two different types of security logic clash when an organization like NATO takes on cybersecurity or cyberdefense. When the words security and defense are used with the prefix “cyber,” they mean something fundamentally different from security and defense in an (inter-)national security setting. There, security is a binary concept: either one is secure or one is insecure. Cyberdefense, on the other hand, is a “sexy” word for computer security or information assurance, which is concerned with analyzing the risk to information networks and then mitigating the identified risks by technical (and occasionally organizational) means. Risk is a concept aimed at managing an ongoing process, and is by definition linked to the notion of being insecure. As every systems administrator knows, his or her goal is not to eliminate all risks (even if this were possible) but to manage them in the most cost-effective way. Information networks, therefore, can never be “secure” in the national security sense. In fact, the opposite is true: under the logic of risk, cyberincidents are expected to happen, because they simply cannot be avoided.

In the national security setting in which NATO is situated, this constitutes a formidable communication challenge. How can one promise security where there can be none? All in all, NATO’s cyberdefense concept measures up to the other cybersecurity concepts out there. However, the gravest threat to the Alliance in the cyber realm may be getting saddled with public accountability and ridicule if something goes wrong despite its substantial investments. NATO might therefore also want to start thinking carefully about investing in expectation management.