311 Dunn Fixed

  • 7/30/2019 311 Dunn Fixed

    NATO's New Tricks

    Cyber-Allies

    Strengths and weaknesses of NATO's cyberdefense posture

    Myriam Dunn Cavelty | NATO has more of a history with cybersecurity than is widely known. With its new strategy and continued investments, the Alliance seems to want to expand its cybersecurity capabilities and responsibilities dramatically. But NATO needs to avoid its Article 5 aspirations for cyberattacks and risks taking on too much cybersecurity accountability.

    IP Global Edition 3 / 2011 11

    Looking back, 2010 seems to have been dominated by reports on one security issue in particular: cyber threats. The discovery of Stuxnet, the industry-sabotaging super worm that scared politicians all over the world; tales of (Chinese) cyberespionage in many variations; the growing sophistication of cybercriminals as evidenced by their impressive scams; as well as Wikileaks' release of US diplomatic cables and the subsequent actions of the hacker group Anonymous all catapulted the cyber topic from the realm of geeky experts and military strategists to a mainstream public fear. Whether the damage inflicted by cyberattacks is becoming more frequent, more organized, and more costly or if our perception has merely changed is unimportant. The outcome is clear: cyberattacks are considered one of the top security threats and have been anchored firmly in national strategy documents all over the world.

    Given this general mood, NATO's mention of cyberattacks as one of the primary future security concerns in its new Strategic Concept of November 2010 was widely applauded. But NATO was not just following the common strategic trend: this reference in its new roadmap marked the temporary culmination point of the Alliance's dealing with the threat.

    The Cyberthreat Debate Opens

    NATO's own cyberstory begins in the late 1990s. Via American forces, during the Kosovo Operation Allied Force in 1999 NATO was exposed to the operational reality of what has come to be called information operations. On the one hand, this multifaceted military doctrine tested by the United States during the campaign is a continuation of the aims of classic wartime information policy. On the other hand, it is shaped by the central premise that information dominance is not only an auxiliary to war fighting, but a form of combat in its own right that is suitable for determining the final outcome of conflicts. As a side effect, it focused Western strategists' minds on their Achilles' heel and also marked the beginning of the cyberthreats debate as we know it today. The more they thought about disruption of enemy information, infrastructures, and networks, the more the vulnerability of their own military and civilian networks became clear, and with it the blatant insecurity of essential assets of industrialized societies practically run by these information networks, the so-called critical infrastructures.

    What happened to NATO during the Kosovo conflict was not severe or critical, but a painful wake-up call: its website was hacked by pro-Serbian hackers and its e-mail server was clogged. The website remained unavailable for days, which was an acute embarrassment. Far more important for the development of NATO's cyberdefense than this hacktivism, however, was the systematic cyberattack of Estonian networks in 2007. When Estonian authorities began removing a bronze statue of a World War II-era Soviet soldier from a park, a three-plus-week cyberspace battle ensued in which a wave of so-called Distributed Denial of Service attacks (DDoS) swamped various Estonian websites with tens of thousands of visits, disabling them by overcrowding the bandwidth for the servers running the sites.

    Even though it was not and will never be possible to provide sufficient evidence for who was behind the attacks, various officials readily and publicly blamed the Russian government. Also, despite the fact that the attacks bore no truly serious consequences for Estonia other than economic losses, some officials even openly toyed with the idea of a counter-attack in the spirit of Article 5 of the North Atlantic Treaty, which states that an armed attack against one or more NATO countries shall be considered an attack against them all.

    The Estonian incident was important for NATO's cyberidentity in several ways. First, it clearly showed the limits of old-school strategic logic in the face of cyberattacks and also shaped the perception that the Alliance lacked both coherent cyberdoctrine and comprehensive cyberstrategy. Second, the incident also changed the way NATO perceived its own role in cyberdefense matters. Before the incident, NATO had almost exclusively focused on the protection of their own networks; afterward, the need for extended cyberdefense for the Allies came into focus.

    Cyberdefense Management in the Status Quo

    In brief, NATO's current cyberdefense structure consists of three organizational units. The first unit, NATO's Computer Incident Response Capability Technical Centre (NCIRC TC), was set up in the aftermath of the Kosovo conflict and website hack. The NCIRC TC monitors NATO-related websites and provides 24/7 technical response for cyberthreats. As part of an amended version of NATO's cyberdefense policy, which is due this summer, the NCIRC TC's capabilities are expected to be strengthened.

    Second, NATO set up the Cyber Defence Management Authority (CDMA) in 2008, in order to centralize, manage, and coordinate cyberdefense operational capabilities across the Alliance. In the future, the CDMA will evolve into a war-room operation for NATO's cyberdefenses with actual tactical responses carried out by member states. Third, the Cooperative Cyber Defence Centre of Excellence, with its clumsy acronym CCD CoE, was set up in Tallinn. Whereas the CDMA is charged mainly with coordinating NATO's cyberdefense in an operational capacity, Estonia's CoE advances the development of long-term NATO cyberdefense doctrine and strategy, seeking to be the main source of expertise in the field of cooperative cyberdefense.

    So, what can be made of NATO's cyberdefense structure? A proper evaluation of its actual capabilities like available hardware, software, or specialists is not possible due to the lack of public information surrounding the exact set-up and endowment of these units. What becomes clear from public sources, however, is that NATO's cyberdefense system is still in its infancy, though a considerable amount of money seems to be flowing into grooming and improving it.

    Duty Bound to Cyberdefense?

    NATO being what it is, one specific topic keeps surfacing when cyberthreats and necessary countermeasures are discussed. Currently, NATO's cyberdefense actions are framed within Article 4. It means that members will consult together in the case of cyberattacks, but are not duty bound to aid each other as described in Article 5 of the Treaty. Cyberdefense remains predominantly a national responsibility, but NATO puts a lot of effort into building up structures to offer this consultation. Whether the Article 4 approach is sufficient remains a point of debate. According to some newspaper reports, explicitly extending the definition of attacks that trigger activation of the Alliance to include cyberattacks (and thus changing Article 5) was part of the draft version of the new Strategic Concept circulated by Secretary General Rasmussen ahead of the Lisbon Summit.

    The main reason behind this was likely a desire to maximize the deterrent effect of the Alliance in the cyberdomain. However, the cyberdomain poses considerable deterrence limitations. Deterrence works if one party is able to successfully convey to another that it is both capable and willing to use a set of available (military) instruments in retaliation if the other crosses a line. But for this to work, the opponent should first, be a state, and second, be identifiable as an attacker. While states can be behind some cases of cyberincidents (they are not usually the culprits), attackers do not have to fear retaliation, since they can likely remain anonymous if they choose. It is particularly tricky to identify actors in a timely manner due to frequent time lapses between the action that a perpetrator takes, the intrusion itself, and the effects of the intrusion. And even if one or several perpetrators could be identified with certainty, proving that a state actor (or a terrorist organization) had coordinated their actions would be the next difficulty.

    The second argument for changing Article 5 is to clarify what kind of a cyberattack should trigger NATO's response. However, according to many experts, changing it would have come at a disadvantage for the organization because it would decrease its current flexibility. Furthermore, the existing framework already accommodates one specific kind of cyberattack: one whose effects are similar to an armed assault, for example, in casualties and destruction comparable to a military attack. This preserves the logic of Article 5 and prevents a dangerous expansion of war-logic into the domains of low-level, low-impact cyberattacks, which constitute the majority of worldwide cyberincidents. Though they are often portrayed as a huge problem, most cyberattacks only cause mild inconvenience rather than serious or long-term disruptions.

    Keeping NATO's cyberdefense within Article 4 mechanisms is in fact crucial if NATO wants to remain a credible player in cybersecurity matters; anything else would lead to severe legal, practical, and strategic problems. However, it is very likely that there will be further attempts to move the cyber topic under the frame of Article 5. Since the potentially devastating effects of cyberattacks are so scary, the temptation is to not only think about worst-case scenarios but also to give them added (often too much) weight despite their very low probability. This, however, will always result in calls for an aggressive, militarized response, which poses more of a problem than a solution to cyberinsecurity.

    For the same reason, cyberdeterrence can also be expected to garner sustained attention in the future. In theory, effective cyberdeterrence requires a wide-ranging scheme of offensive and defensive cybercapabilities supported by a robust international legal framework as well as the ability to attribute an attack to an attacker without any doubt. Whereas defensive cybercapabilities and the design of better legal tools (actually a current focus of NATO's Tallinn Centre) are relatively uncontested and worth investing time and money in, an open or clandestine cyberarms race must be avoided at all costs because it would have hugely detrimental effects on the way humankind uses the internet. The same can be said for the attribution problem, which, were it to be solved, would come at a very high cost for privacy. States, their militaries, and NATO should also think long and hard about whether the uncertain promise of an increase in security is really worth the sacrifice of cyberspace as we have come to cherish it.

    Cybersecurity and cyberdefense are tough issues for state actors all over the world, and perhaps even more so for an organization like NATO. The nature of the problem raises the critical question of what role states should and actually can play in the field of cybersecurity. Clearly, it is plain impossible for the state to increase the cybersecurity of an entire country by itself. Most affected by cybercrime and espionage is the private sector, which owns most of the critical infrastructure. Unless the state wants to vastly increase regulation, it cannot ensure the security of these assets. Therefore, most states focus on the protection of their own networks and, through their legislative bodies, try to ensure that any existing gaps in internet law are closed. Furthermore, close partnerships with the corporate sector and international partners are pursued, mostly in order to exchange information on threats and issues.

    All of these elements, namely the focus on the protection of its own networks, the inclusion of many stakeholders, and the international dimension, are also part of NATO's cyberdefense concept. In theory at least, NATO measures up well with international standards. However, the more recent tendency to expand the logic of its cyberdefense, from the narrow confines of their own networks to those of their Allies, risks meddling with this historically grown logic of who can do what in cybersecurity. This will inevitably lead to problems. Expanding incident response to member states makes sense as long as cyberdefense is seen as a building block and confidence building measure within NATO's transformation. However, if this expansion is promulgated as a mission to protect civilian infrastructures in general or if there is a belief that NATO can be a key player in enhancing cybersecurity as a whole, NATO has created its own major public relations fiasco.

    The problem is that two different types of security logics clash when an organization like NATO takes on cybersecurity or cyberdefense. When the words "security" and "defense" are used with the prefix "cyber," they mean something fundamentally different from security and defense in an (inter-)national security setting. There, security is a binary concept: either one is secure or one is insecure. Cyberdefense on the other hand is a sexy word for computer security or information assurance, which is concerned with analyzing the risk to information networks and then mitigating the identified risks by technical (and occasionally organizational) means. Risk is a concept aimed at managing an ongoing process, and is by definition linked to the notion of being insecure. As every systems administrator knows, his or her goal is not to eliminate all risks (even if this were possible) but to manage them in the most cost-effective way. Information networks, therefore, can never be secure in the national security sense. In fact, the opposite is true: cyberincidents are deemed to happen under the logic of risk because they simply cannot be avoided.

    In the national security setting in which NATO is situated, this constitutes a formidable communication challenge. How can one promise security where there can be none? All in all, NATO's cyberdefense concept measures up to other cyber security concepts out there. However, the gravest threat to the Alliance in the cyber realm may be getting saddled with public accountability and ridicule if something goes wrong despite its substantial investments. Thus NATO might also want to start thinking carefully about investing in expectation management.

    MYRIAM DUNN CAVELTY is head of the new risks research unit at ETH Zurich and a fellow at the stiftung neue verantwortung, Berlin.
