What Hacking Back Looks Like in 2019

NATO has once again flexed its muscles and insisted that it will attack anyone who goes up against it in cyber space. But what does that threat entail in an era of offensive low-level cyber activity?

“NATO will defend itself,” stormed the headline of an article in Prospect magazine authored by NATO secretary general Jens Stoltenberg. “For NATO, a serious cyber-attack could trigger Article 5 of our founding treaty,” it says. That treaty considers an attack on one ally as an attack against all NATO members.

In the past, one of the biggest arguments against hacking an enemy was the attribution problem. Analysts used to avoid explicitly blaming a nation state for an attack because it was difficult to be sure if that attacker was responsible. Perhaps someone else was using their infrastructure to make it look like it came from somewhere else?

These days, that seems to be less of an issue. A whole industry has grown up around detection and correlation technologies and techniques. They seem good enough to give white hats high confidence that they’ve found the culprit.

The problem with NATO’s rhetoric these days seems to lie in deciding what qualifies as a cyber-attack. Some of them – such as the Stuxnet attack that damaged Iran’s nuclear enrichment centrifuges or Russia’s disruption of Ukraine’s electricity grid – have a kinetic effect that seems to place them in that category. But what about the theft of millions of highly sensitive personal details from government agencies, for which the US blamed China? What about the infiltration of the US power grid with malware, which hasn’t resulted in a publicly discussed outage? What about the hacking of election infrastructure in all 50 states?

Policymakers could consider some of these latter cases low-level activity. None of them blew up a nuclear power station or leveled a dam.

The US seems to understand these different levels of activity and address them accordingly. Last week, the New York Times revealed that the US took Iranian military networks offline in June and destroyed sensitive data that slowed down its attempts to attack oil tankers.

The Pentagon has also mirrored Russia’s digital landmine-laying, reportedly seeding the country’s power grid with malware.

The US military also understands the role of information warfare and its link to cyber-attacks, as illustrated by recent calls to change the name of the US Army Cyber Command. Its head, Commander Lt. Gen. Stephen Fogarty, said this month he wants to call it the Army Information Warfare Command.

This shows us that ‘hacking back’ needn’t entail mega-attacks that bring traffic grinding to a halt or take down our power grids. Like many nation-state offensives, it entails a proportional response; a little reconnaissance here and some extended dwell time there.

The really sticky part of all this is in the legal and political positioning that supports these activities. Policymakers must decide what constitutes an appropriate response and what the community at large will tolerate. As allies shift their own cybersecurity and national security policies, they present each other with new responsibilities. What will a NATO member targeted by a low-level attack require its allies to do?

As cyber-attacks become more nuanced, these will be tricky issues to navigate. Perhaps that’s partly why Estonia has created a cybersecurity summer school for diplomats to get them up to speed. As international relations in cyber space become increasingly complex, it’s a timely move.