In June 2011, NATO adopted its first ever cyber defence policy. Its comprehensive nature, ranging from fortifying the networks of NATO members to research and training in cyber defence, meant that the application of the policy would be a time-consuming process.
Two years later, it is finally possible to analyse the effectiveness of the policy, which was triggered by the cyberattacks on Estonia in 2007. Estonia, a NATO member since 2004, suffered cyberattacks against various websites, including those belonging to banks, ministries, newspapers and the Estonian parliament. The attacks took place during a disagreement with Russia about the location of a Soviet-era grave marker. Despite no evidence of official Russian government involvement, the complexity and sophistication of the attacks were enough to compel the NATO defence ministers to meet in Brussels, and more importantly, to develop the Cooperative Cyber Defence Center of Excellence in Tallinn, Estonia to further build NATO’s cyberspace research and training capabilities.
According to the NATO Policy on Cyber Defence, the organization aims to “focus on prevention, resilience and defence of critical cyber assets to NATO and Allies.” NATO’s defensive position in cyberspace, while a natural extension of its founding principles, also highlights the difficulty for international organizations of actually developing a viable cyberspace policy. Given the clandestine nature of most cyber operations, NATO’s institutional structure and mission statement prevent it from mounting anything other than defensive cyber operations. At first this may seem intuitive considering NATO is by definition a defensive treaty, but a look at post-Cold War NATO operations reveals a tendency towards offensive operations.
By contrast, the inherent ambiguities in cyberspace make it more difficult to bring international law to bear. This is further complicated by a differing set of norms that exist in cyberspace when compared to the physical world. As it stands, NATO remains in a defensive posture and pursues a form of strategic deterrence in cyberspace by developing information systems that are too expensive to attack. However, there is little recourse if an attack does indeed take place. For example, while Estonia called for aggressive NATO action against the perpetrators of the cyberattacks, the organization could do little more than investigate the event.
NATO’s functions are ultimately impaired in cyberspace because of the difficulty in applying international law there. The most salient question regarding NATO’s cyberspace strategy is naturally the question of Article 5, and whether the organization is capable of invoking it in response to a major cyberattack. While NATO confirmed that a cyberattack on a member state will always result in the activation of Article 4 of the treaty (a consultation with other members on how to respond), the organization has remained purposefully ambiguous on what threshold exists for the activation of Article 5.
The Article is primarily concerned with the idea of an armed attack, specifically that an attack on one member is considered an attack on all members of the organization. However, an “armed attack” is a specific legal concept, and counterintuitively, not all attacks that are armed constitute an “armed attack.” To summarize, an “armed attack” as outlined in Article 51 of the UN Charter, which Article 5 of the NATO treaty relies upon, is considered to be a particularly vicious use of force. Unsurprisingly, there is general disagreement on what constitutes an armed attack. For example, on 12 October 2000, the USS Cole was bombed by Al-Qaeda while harboured and refuelling in the Yemeni port of Aden. The attack ultimately killed 17 sailors and injured another 39. However, the United States did not consider this an armed attack as outlined by Article 51. Part of the explanation given is that the USS Cole bombing constituted a frontier attack, and thus did not meet the threshold provided by Article 51. By extension, if we look at the 9/11 attacks, which were much larger both in terms of scale and effects than the Cole bombing, and specifically targeted the US heartland, it becomes easier to see how the provisions in Article 51 are supposed to function.
Applying the principle of Article 51 to cyberspace is a little more difficult, however, since most cyberattacks do not constitute an armed attack. The problem arises from the temporary consequences of most cyberattacks. Most attacks will temporarily disrupt a network or service, a problem that is easy enough to fix without lasting consequence. Even if cyberattacks that result in lasting physical damage are analyzed, there is still no consistent way to rank what could constitute an armed attack. For example, while the Stuxnet worm did destroy centrifuges at the Natanz nuclear facility, the Iranian government did not seek recourse through the UN. As a result, the kind of attacks that could cross the Article 51 threshold are dangerous indeed. They must either be a part of a wider attack on the target nation, which would undoubtedly result in the activation of Article 5, or the cyberattacks must severely undermine national security by directly targeting vital military or civilian systems, such as nuclear missile launch facilities or airports.
Returning to the issue of the Estonian attacks, it is clear why NATO could do little more than research the attacks and formulate future policy to accommodate aggressive cyberattacks rather than responding directly to them. The nature of cyberspace defies most applications of Article 5 and thus reduces NATO to a support element for the national systems of its member states. The difficulties of identifying attackers coupled with the often temporary nature of cyberattacks present a compelling reason for NATO’s adoption of its current strategy of cyber deterrence.