NATO’s Empty Cybersecurity Gesture

Its new approach to cyberattacks misses some fundamental points.

Photo by Larry Downing/Reuters

President Obama joins in a meeting on the situation in Ukraine at the NATO Summit in Newport, Wales, on Sept. 4, 2014.

Photo by Larry Downing/Reuters

Last week at the NATO summit in South Wales, the 28-nation alliance born in the age of nuclear weapons took its first formal steps into the era of cyberweapons. From now on, a cyberattack on any NATO member could trigger a collective response from all of the allies. It’s a decision that seems at once significant, weighted, and purely pro forma. It’s a fraught topic for the alliance because there is still so much tension among NATO members themselves concerning the secrecy of each nation’s cyber capabilities and how those capabilities are wielded against one another. At the same time, the change appears to be largely symbolic because sufficiently severe cyberattacks would likely have been covered under the nations’ treaty regardless.

In 2007, when Estonia suffered large-scale denial-of-service attacks on its infrastructure, the country’s then minister of defense, Jaak Aaviksoo, reportedly contemplated invoking NATO Article 5, the collective defense commitment that states that “an armed attack against one or more of [the member states] shall be considered an attack against them all.” In other words, seven years ago Estonia thought Article 5 applied to cyberattacks—even though that wasn’t made explicit until last week.

In the end, Estonia didn’t invoke Article 5, but that wasn’t because Article 5 was helpless in the face of a digital threat; more likely, it was because the threat just wasn’t severe enough. Sure, the denial-of-service attacks caused some pretty major disruptions to Estonian daily life, but nothing on par with the harm caused by the Sept. 11 attacks—the only incident in NATO’s history for which Article 5 has ever been invoked. We don’t really know what it would look like for an incident of that magnitude to be perpetrated through electronic means, but if such a thing happened, it seems unlikely that the NATO members would waste time quibbling about whether their treaty applied to cyberattacks.

Of course, we can’t be certain since no one, NATO member or otherwise, has ever experienced a cyberattack that resulted in loss of life and mass destruction comparable to that of Sept. 11. Is such a devastating cyberattack even possible? NATO’s decision last week seemed in many ways to be driven by the sense that it is.

“Cyberattacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack,” participating heads of state wrote in the summit declaration. “We affirm therefore that cyber defence is part of NATO’s core task of collective defence.” In other words, if the consequences of wielding computers as weapons could potentially be as devastating as the consequences of wielding bombs or airplanes, then NATO won’t discriminate on the basis of weapon type.

Maybe that’s actually a change in policy to some members, but, more likely, it’s just an explicit affirmation of something that was already true. In many ways, it calls to mind the Pentagon’s 2011 announcement that cyberattacks can be considered acts of war and warrant the use of traditional military force. Presumably, the U.S. military would not have hesitated to use any means in its power to respond to a sufficiently serious threat, computer-based or otherwise, so why bother explicitly highlighting the inclusion of cyberattacks in existing military frameworks?

One oft-cited explanation is deterrence: By publicly announcing their intentions to respond to cyberattacks as aggressively as they would to kinetic or traditional warfare, the argument goes, the United States and NATO may scare off potential perpetrators. This may well be at least part of the logic behind the NATO announcement, but it’s not entirely satisfying. For one thing, it relies on NATO countries being able to identify the perpetrators of such attacks in order to retaliate. If attackers are confident in their ability to hide their identities—and there are lots of options for doing so in cyberspace—then they have no reason to fear the collective wrath of NATO. The attribution challenges of reliably tracing computer activity to a responsible person, or group of people, make deterrence a much less effective maneuver when it comes to cyberattacks.

Deterrence is also a strange explanation for the NATO decision because it implies that cyberattackers believe they have some kind of immunity from retaliation—and therefore require formal notice that their actions may have consequences. But was Russia, the supposed target of NATO’s declaration, really laboring under that delusion before last week?

The NATO announcement suggests a certain mindset in which cyberattacks were dismissed as less serious—less real, even—than other forms of attack by virtue of their virtual nature, and are only now being accepted as actual threats to the physical world. If NATO’s declaration of joint cyberdefense capabilities is symbolic, then part of what it symbolizes may be acceptance of the idea that what we do on computers may have consequences that are every bit as significant and grim and real as our offline actions.

The point of the NATO announcement last week—and the Pentagon’s in 2011—is that they will retaliate not based on how they’re attacked but rather based on how much damage is done by those attacks. Since we haven’t seen cyberattacks cause as much damage as serious kinetic strikes, we haven’t responded to them as aggressively. But reaffirming that we would do so in the event of a devastating cyberattack isn’t necessarily helpful as a means of defense. In the absence of better attribution techniques, it seems unlikely that skilled potential cyberattackers will tremble at the prospect of a joint retaliatory strike from the NATO nations.

Deterrence and retaliation may not be the most useful ways of defending against cyberattacks. Instead, responding to these types of threats may be more exclusively about trying to mitigate the harmful consequences in the physical world, confining the damage, and making it more difficult for attackers to achieve their ultimate goals and inflict the intended harm.

To NATO’s credit, it has also shown an interest in ramping up its activity in these areas as well. In 2009, the alliance even provided technical assistance to Estonia to help restore critical services and connectivity when the nation experienced another major denial-of-service attack. That kind of aid—focused on reducing damage and restoring order—is a much more promising mode of collective defense against cyberattacks than the threat of Article 5 and joint retaliation is likely to ever be.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.