NATO struggles to define collective defence in the age of cyberwarfare
Keystrokes could soon replace Kalashnikovs as the harbinger of future wars once NATO leaders endorse an updated policy that places catastrophic cyberattacks in the same league as real-world bombs and bullets.
A major digital assault against any of the alliance's 28 members would have the potential to trigger a response under NATO's collective defence clause, according to a revised policy that's expected to get final blessing at this week's summit in Wales.
The concern came into sharp focus last week with reports of a major cyberattack on U.S. banks which defence officials blamed on Russia.
The revised policy, crafted earlier this year as the crisis in Ukraine unfolded, was quietly approved by NATO defence ministers in June. For the first time, it paves the way for members to retaliate against cyberattacks with measures that could include the use of conventional military forces.
While NATO has always informally retained that right, the policy codifies the practice in what's being seen as an attempt to minimize the time it takes to make important political decisions in a crisis.
But critical questions remain unclear, say experts who have tracked development of the plan.
When does an attack in cyberspace constitute an act of war? And should Western allies adopt an offensive posture to counter the growing, sophisticated capabilities of adversaries such as Russia and China?
Observers say the decisions being taken this week in Wales could lay down markers for possible future conflicts and have far-reaching implications for NATO's all-for-one, one-for-all strategy.
The policy does not spell out what the threshold of damage must be in order for a nation to call for retaliation, nor does it prescribe what NATO's collective response should be.
Those are issues that will be dealt with on a case-by-case basis, said Karla Tothova-Jordan, a cyberwarfare expert at the Atlantic Council's centre for international security in Washington.
"It is purposefully ambiguous because, as anyone at NATO will tell you, (the response to an attack) will be a political decision," said Tothova-Jordan, whose background is in international law.
Spelling out a clear threshold would also encourage adversaries, such as Russia, to calibrate their attacks to inflict just enough damage to avoid retaliation, she added.
"If you say: 'You take down our ATMs, it is Article 5,' then they will always find a way to play just below that level," she said. "They will always find a way to be a nuisance and play just below that threshold."
The speed, precision and fidelity with which the Russians used cyberattacks to annex Crimea last spring scared the pants off military leaders, who described the isolation of Ukrainian military forces in the region from the central government as a "decapitation."
"Ukraine was absolutely disconnected from being able to do anything with their forces in that area," NATO Supreme Commander U.S. Gen. Phillip Breedlove said during a stop in Ottawa last May.
"Cyber was one of three tools used, and used quite exquisitely."
The other aspect that impressed western military leaders, including the head of Canada's joint operations command, was how savvy the Russians proved to be at using social media for their information war.
"They managed the communications sphere very well," Lt.-Gen. Stuart Beare said.
"They were able to communicate and dominate the (public) messaging. They were filling the space through their networks with their message on the regional and home front audiences."
Some have coined what happened last spring as "the grey zone war," where there was just enough ambiguity to instill hesitation.
NATO has been slow to fully embrace cyber-concepts and has — at times — been gripped by internal debate about where the line is between a defensive and offensive posture.
There are some within the alliance who advocate taking on hackers and potential adversaries with the virtual equivalent of online disruption operations, say several defence insiders.
The best example would be the 2010 use of the so-called "Stuxnet" virus on computers running Iran's nuclear program. The origin of the malware has never been revealed but several published reports, including the New York Times and the Guardian in Britain, quote experts as saying only one organization — the U.S. National Security Agency — has the sophistication to build such a weapon.
Since all nations are not as technically adept, Tothova-Jordan said it would be a mistake for NATO to develop an offensive strategy.
"Many member states still don't understand what they are talking about," she said.
It's understandable that countries, which have already invested hundreds of millions of dollars and euros into their own capability, would be reluctant to share at an alliance-wide level.
But NATO, according to its new policy, is pushing ahead with minimum standards for cyberdefence.
Each nation will be required to take certain measures to protect themselves and their networks, but defence insiders say the alliance is still struggling with how to engage each country.
For example, the alliance has been quietly trying to convince eastern European corporations to better defend themselves, but has met with little success.