Will Cyber-Attack on One Member State Be Seen as Attack on All?
Member states' flags fly outside NATO's headquarters.
Cybersecurity isn't the most pressing issue NATO leaders face as they gather this week in Wales. The growing Taliban threat in Afghanistan, Russia's intervention in Ukraine and the escalating threat of the Islamic State are more urgent concerns. But how the alliance defends its member states against cyber-attacks is a topic they'll tackle at the summit.
Article 5 of the North Atlantic Treaty says that an armed attack against one or more NATO members should be considered an attack against all of them. NATO leaders, including U.S. President Barack Obama and British Prime Minister David Cameron, meeting this week in Newport, Wales, are considering amending Article 5 to include cyber-attacks.
Sounds simple, but it's not. NATO first must define a cyber-attack, which isn't as easy to describe as kinetic warfare. "Words are very critical in defining what constitutes a cyber-attack," says Harry Raduege, a retired 3-star U.S. Air Force general who once headed the Defense Information Systems Agency, where he collaborated with his NATO counterparts on cyber-defense.
Raduege, who now chairs the Deloitte Center for Cyber Innovation, defines a qualifying cyber-attack as one that could cause death, infrastructure disruption and a devastating economic loss to a member state.
Retired Gen. Harry Raduege discusses cybersecurity challenges NATO faces.
The Attribution Problem
NATO leaders also must must deal with the issue of who is to blame for an attack, or what's known as attribution. "That's what's very complex today," says Raduege, who co-chaired the Commission on Cybersecurity for the 44th Presidency, which helped the Obama administration shape its cybersecurity policy. "It's not like a ground invasion or an airborne bombing campaign against another nation that is pretty clear who that might be, but the enemy is much harder to identify if they're operating in the world of cyberspace."
Defining a cyber-attack or identifying the enemy aren't the only challenges NATO faces in ramping up its joint cyber-defenses. "NATO and its members will have to create a more detailed and comprehensive cyber strategy, including appropriate defensive and offensive measures," says Richard Stiennon, author of Surviving Cyberwar.
Not all member states have the same financial resources to elevate their cyber-defenses, and an imbalance could adversely affect the way NATO can defend its member states. A former top U.S. Defense Department cybersecurity official says nations with stronger cyber-defenses are reluctant to share cyber-threat information with countries that have weak cyber-defenses. And information sharing is key to strengthening cyber-defenses.
"Will there be disparity amongst the leader nations and the follower nations?" the former DoD official, who asked not to be identified, asks. "I think the answer is yes."
Economic Influences
Inequality also exists among NATO members in regards to kinetic weaponry and defenses, with the United States, Britain, Germany and, to some extent, France, possessing high-end military capability.
"When you get into the Italians, the Greeks, the whatevers, their economies drive the capabilities they have," the former Defense official says. "They'll be some disparity in cyber, but I think they'll find a place that they can share information because the last thing the alliance needs - NATO or the EU - is some nation getting its infrastructure taken down as in Estonia. They know that it is real, so as a security alliance, they'll have to defend and protect the faith. They're not there yet."
In 2007, Russians were blamed for cyber-assaults against the Estonian government, banking and commercial sites during a political dispute between the two nations. Similarly, a year later, as Russia invaded neighboring Georgia, it disrupted Georgian IT sites. Estonia joined NATO in 2004; Georgia is not a NATO member.
How effective would such a NATO mutual cyber-defense be? "Standards for appropriate cyber-defense of each member state stand in the way," Stiennon says. "This is not a matter of, say, the nuclear shield that some NATO members provide. The U.S. and U.K. have not demonstrated that they can defend themselves against cyber-attack, let alone another member nation."