What is the likelihood that NATO would invoke Article Five–NATO’s collective defense clause–in response to a cyber attack? The possibility first entered media discourse back in October 2010 when the German Süddeutsche Zeitung reported on an internal memo in which NATO Secretary-General Anders Fogh Rasmussen discussed the use of Article Five in the case of an cyber attack.
Over the past year I have had the opportunity to ask different people within the NATO structure on the matter.
It is unclear if NATO posses the tools to clearly identify the origin of a cyber attack. This is due to the difficulty in countering the so-called “laundering” techniques, which are in use today. Laundering essentially means that it is hard to know the true origin of a cyber attack.
Consider the example of the “Stuxnet” computer virus, which shut down the maneuvering components of the Bushner power plant in Southern Iran. There are many theories about who launched and ordered the attacks.
Some sources suggest that Russian novices created the computer virus and sold it to third parties. Others accuse Israel of orchestrating the attack. Classical deterrence fails to stop cyber attacks as they become more complex, and as multiple levels of people, organizations, and governments develop a virus and send it.
Karl-Heinz Lather, former chief of staff of NATO’s SHAPE stressed to me that NATO’s cyber strategy is first and foremost internally orientated. Much like a bank, NATO has to first secure its own critical infrastructures. Hence the security of “NATO’s own networks” has clear priority before any national, international, or regional networks or grids.
Lather did confess that there currently is no “recipe” which NATO can use to clearly respond to cyber attacks. “Article five responses require very concrete targets, which you don’t have with cyber attacks.” As a result, Lather deems the Article Five issue as off the table for the alliance.
However, Jamie Shea, NATO Deputy Assistant Secretary General for Emerging Security Challenges seemed more assured on the issue. While cyber attacks are “admittedly difficult” he did voice confidence in the progress of NATO’s “cyber forensics” especially since “cyberspace [has become a] leading area of investment for the private sector IT companies and governments alike.”
In addition, Shea stressed a legal parameter for responding to cyber attack where “countries suspected of launching cyber attacks could be put under a legal obligation to cooperate with an investigation on behalf of the victim.”
Despite the barriers presented by “laundering”, one must recognize that state-sponsored cyber-attacks are on the rise and require a strong deterrent.
Jaak Aaviksoo, the Estonian defense minister has urged NATO to resolve the cyber matter since at the moment, “Not a single NATO defense minister would define a cyber-attack as a clear military action at present.”
A solution that has been recently put forward by NATO’s Cooperative Cyber Defense Center of Excellence (CCDCOE) is the creation of an individual signature for each Internet user. According to Katharina Ziolkowski, legal advisor to the CCDCOE, the proposal would seek to solve the laundering problem by providing an “individual signature to everyone who acts within the Internet.”
At the end of the day one should be cautious of the preemptive application of Article Five towards cyber attacks as it could open a new Pandora’s box towards false-flag pretexts for war as certain individuals would be tempted to “flag” their cyber attackers.
All in all it seems that chances are high that the enemy fire of the future will not come from the barrel of a gun but rather through a fibre optic cable.