In what is a basic tenet of the NATO alliance, allies now pledge to defend one another in case any member state faces a cyberattack. You cyberattack one state, you attack all 28!
Anders Fogh Rasmussen, the NATO secretary general, said the pact was a start, “but I cannot tell you it is a complete strategy.”
NATO Set to Ratify Pledge on Joint Defense in Case of Major Cyberattack
BRUSSELS — When President Obama meets with other NATO leaders later this week, they are expected to ratify what seems, at first glance, a far-reaching change in the organization’s mission of collective defense: For the first time, a cyberattack on any of the 28 NATO nations could be declared an attack on all of them, much like a ground invasion or an airborne bombing.
The most obvious target of the new policy is Russia, which was believed behind computer attacks that disrupted financial and telecommunications systems in Estonia in 2007 and Georgia in 2008, and is believed to have used them in the early days of the Ukraine crisis as well.
But in interviews, NATO officials concede that so far their cyberskills are limited at best.
While NATO has built a gleaming new computer security center, and now routinely runs computer exercises, it possesses no cyberweapons of its own — and, apparently, no strategy for how it might use the weapons of member states to strike back in a computer conflict. In fact, its most powerful members, led by the United States and Britain, have spent billions of dollars on secret computer offensive programs — but they have declined so far to tell NATO leaders what kind of weapons they might contribute in a NATO-led computer conflict.
“Our mandate is pure cyberdefense,” Anders Fogh Rasmussen, the departing NATO secretary general, said during a visit to Washington over the summer. “Our declaration is a start,” he said, “but I cannot tell you it is a complete strategy.”
NATO’s tentative steps into the realm of computer conflict, at a moment when Russian, Chinese and Iranian “patriotic hackers” have run increasingly sophisticated campaigns, show the alliance’s troubles in innovating to keep up with modern warfare, at a moment when it is also facing one of its greatest political challenges since the end of the Cold War.
The change in NATO’s definition of an “armed attack” will leave deliberately unclear what would constitute a cyberattack so large that the alliance might declare that the action against one of its members could lead to response by the entire alliance under Article V of its charter. “The judgment will lay with the impact,” said Douglas E. Lute, the American ambassador to NATO, when he spoke in late July at the Aspen Security Forum. “Does it look like it will rise to the level of an armed attack?”
Deterrence is all about ambiguity, and the implicit threat that NATO would enter a computer conflict in defense of one of its members is full of those ambiguities. “They fail to get to the heart of the quintessential question about NATO’s cybersecurity obligations,” Julianne Smith, a former Pentagon official, now at the Center for a New American Security, wrote earlier this year for Chatham House, the British foreign policy center. “What constitutes an ‘attack’ and what capabilities might be provided to a member experiencing an attack?”
Here at NATO headquarters, where top officials who were focusing on computer issues for the summit meeting are now preoccupied by Russia’s next moves, the mere declaration itself is considered significant progress. It was only after the Estonia attacks that the alliance paid real attention to the threat. Today Estonia, which President Obama will visit starting Tuesday night, has become the crown jewel in NATO’s computer defense efforts, the place where cyberstrategy is developed and the site of annual NATO computer security exercises, called “Locked Shields.”
In interviews, officials said that the declaration that would be ratified this week — it was already embraced by NATO defense ministers in June — marks a long-delayed recognition that a NATO nation could be crippled without a shot being fired. In 2010 the NATO council rejected the proposal that a computer attack on a nation’s electric grid or its financial systems might prove so damaging it should be considered the equivalent of a conventional, armed attack. (NATO has only invoked Article V — the declaration that it would come to the aid of a member state — one time, after the Sept. 11, 2001, attacks on the United States, and the Bush administration largely waved away the offer of help.)
“They just weren’t ready to think about cyberattacks in 2010,” recalled Ivo H. Daalder, the American ambassador to NATO during Mr. Obama’s first term and now president of the Chicago Council on Global Affairs. “It’s a measure of how far we’ve come on this issue that there’s now a consensus that a cyberattack could be as devastating as any other kind of attack, maybe even more so.”
But Mr. Daalder noted that NATO’s own ability to defend against computer attacks is “still pretty basic,” and it has no ability to execute a “forward defense” that involves going into an adversary’s computer systems and shutting down an attack.
“They could leave that to member states,” he said, but would handle it under a NATO chain of command. Yet the NATO members themselves, he noted, may have little understanding of what the United States, Britain or other larger computer powers were able to do.
In fact, NATO officials say they have never been briefed on the abilities of the National Security Agency and United States Cyber Command, or those of the Government Communications Headquarters, or GCHQ, its British equivalent. Both countries have routinely placed sensors into computers, switching centers and undersea cables for years, as the documents released by Edward J. Snowden, the former National Security Agency contractor, make clear.
The idea is to see an attack massing, and, if the president so ordered, to be able to take out a foreign computer server, or network, to halt an attack. But NATO officials ended up reading press accounts and the Snowden documents in search of an understanding of how the United States conducted computer operations against Iran, or how it monitors hacking units of China’s People’s Liberation Army.
“If conventional war or nuclear war were to break out,” one senior NATO official said in an interview here, “there are detailed plans about how we would respond, and what capabilities are at the disposal of the NATO military structure. We don’t have that in the cyberrealm,” he said, in large part because the United States, Britain and Germany do not want many of the other NATO members to understand what kind of abilities they have.