Jens Stoltenberg, Secretary General of NATO has warned that NATO will defend itself against cyberattacks. The warning comes in a piece written by Stoltenberg and published in Prospect Magazine. In that piece, Stoltenberg talks about the impact that a cyberattack can have on economies and critical national infrastructure. He cites the impact of WannaCry on the UK and the taking down of a power station in Ukraine.
The underlying message, however, is clear. Stoltenberg wrote: “For Nato, a serious cyberattack could trigger Article 5 of our founding treaty. This is our collective defence commitment where an attack against one ally is treated as an attack against all.
“We have designated cyberspace a domain in which Nato will operate and defend itself as effectively as it does in the air, on land, and at sea. This means we will deter and defend against any aggression towards allies, whether it takes place in the physical world or the virtual one.”
Collective defence the only solution
Part of NATO’s solution is the establishment of a new Cyberspace Operations Centre in Mons, Belgium. It is from here that NATO will coordinate any response to a cyberattack. According to Stoltenberg: “No single country alone can secure cyberspace. But by co-operating closely, sharing expertise, we will not only survive, but thrive in the new digital age.”
That co-operation is not just a NATO issue. Stoltenberg talked about working closely with the EU. The goal is greater sharing of data, training and joint exercises. This includes EU staff talking part in NATO’s Cyber Coalition exercise.
Creating cyber units is costly
All of this sounds good but there is an issue here over cost. NATO members have been under pressure to raise their level of investment in traditional areas of defence. Some are struggling to do so and others have flat out refused. When it comes to cyber, the problem is far more complex.
As Stoltenberg highlights, many have enacted new laws and begun to address the inherent vulnerabilities in areas such as CNI. There has also been investment in new military cyber units although this is more about reallocation of personnel not net new recruitment. The UK, for example, now has the smallest number of active military personnel for over a decade.
Transferring existing personnel over from traditional fighting troops to cyber warriors is expensive and time consuming. That does not mean there is a shortage of candidates. However, the big challenge is retention. Military pay is limited and is far lower than comparable salaries in the private sector. Additionally, the private sector comes with far less risk and demands.
Political considerations a serious challenge
There are also political considerations here. While NATO is working with the EU it is also mindful that there are politics at play. The EU wants to set up its own competitor to NATO in terms of a standing European military. That would include both NATO and non-NATO members and raises questions over equipment, command and communications.
A similar problem is arising with cyber defence forces. Estonia proposed last year that the EU creates its own cyber units. The move was approved and the EU is now creating its own cyber defence force. The problem is that the EU and NATO are not necessarily aligned here.
If, as Stoltenberg asserts, NATO decided to enact Article 5 but the EU decides that it has reasons not to act, can NATO guarantee a coordinated response? Who knows? Countries who sit in both organisations will have to decide which is the primary focus. That potential rift, and it is more than just a theoretical given the French view of NATO, is something that is likely to be exploited by attackers.
What is not clear from Stoltenberg’s article, is how this could be resolved.
When is a cyberattack a NATO Article 5 issue?
Perhaps the biggest elephant in the room is what level of proof would trigger an Article 5 activation. Experienced cyber security analysts admit that attribution is not just hard but virtually impossible.
The cyberattack on German politicians last year is a good example. Within days of the first set of leaked data, security vendors were claiming this was a nation state attack. Many claimed to have seen indicators pointing to different nation state groups. Unfortunately, what they saw was recycled code that they misinterpreted in a rush to make public comment. As we now know, the attack came from a disenchanted teenager who taught himself to attack.
Would the initial attribution in that case meet the standard for an Article 5 response? If not NATO, would it meet the new EU standard for a collective response? Would anyone have waited for more considered review of the data or would they have treated the claims by security vendors as absolute proof?
And here is the heart of the problem. It is not hard to insert code snippets or use known techniques that belong to specific hacking groups. It is just as easy to fake attack vectors to make an attack look as if it came from a specific location. This means that it is possible for an individual to create an attack that could start a cyber war just because they were bored.
Any response has to be a measured one and that means having plenty of provable and trusted intelligence. A missile strike or tanks moving over a border is easy to attribute, unless they are simply overly diligent members of armed units who take their tanks home with them (Ukraine/Russia). We cannot say the same thing about cyberattacks. NATO will have to develop better ways of attributing attacks.
Enterprise Times: What does this mean
Stoltenberg is making the right noises and he is absolutely right in that NATO needs to treat cyberspace as just another theatre of warfare. Unfortunately, there are a lot of missing parts here that will take time to develop and prove.
We have seen poor and mistaken attribution that, if acted upon, could have provoked a more serious incident. In addition, how do you separate a nation state attack from nation state support for cyber criminals? The latter creates a very complex landscape, one that we see with the West’s approach to Iran and its allies in the Middle East. Given that there is already a cyber element to that problem, why have we not seen a highly visible cyber response?
We are in an era where cyber warfare and defence are becoming top level areas for investment. However, the consequences of getting it wrong could be devastating on a world dependent on the Internet and connectivity.
It will be interesting to see how Russia, China and other countries respond to Stoltenberg’s article.