With Russian hackers in mind, NATO takes hard look at cyber strategy
| Brussels
Article 5 is the linchpin of the NATO pact, putting adversaries on notice that an attack against one is an attack against all. Founded on the Cold War logic of deterrence, the idea is that no aggressor will strike for fear of certain retaliation from combined NATO forces.
But with modern warfare expanding to virtual battlefields, NATO strategists are overhauling their cyber tactics. That means rethinking the concept of deterrence, as well as what constitutes a cyberattack that triggers Article 5: a crucial issue amid tensions between Russia and NATO-supported (though nonmember) Ukraine.
Since 2019 it has been clear that a large-scale cyberattack on a member could trigger Article 5. But last year, the alliance quietly announced that a series of lower-level cyberattacks could, cumulatively, be a tripwire for the article as well. The move marked a sea change in NATO cyber strategy, and sparked questions about how best to bolster NATO cyber defenses 鈥 and if offense, of a sort, might be part of the solution, too.
Why We Wrote This
NATO has based its security policy on deterrence, via a mutual defense pact among members. But its strategists are rethinking that approach when it comes to the digital battlefield.
鈥淚t鈥檚 a total change in how NATO views Article 5, and it actually could be perceived as escalatory and spiral out of control,鈥 says Stefan Soesanto, senior researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies in Zurich. 鈥淣o one is really sure whether and when Article 5 will apply.鈥
NATO officials acknowledge that the opaqueness is part of the point. 鈥淯p until now, the idea [among cyber adversaries] was, if we don鈥檛 completely disable a full country鈥檚 infrastructure, it鈥檒l probably be OK. With the new policy we鈥檙e saying, well, that鈥檚 not necessarily true,鈥 David van Weel, NATO鈥檚 assistant secretary-general for emerging security challenges, said at a discussion with journalists in Brussels in December. 鈥淚鈥檓 making it less defined. Sorry for that.鈥
Are enemies deterred?
For the alliance, this ambiguity was a 鈥渟orry, not sorry鈥 moment.
That鈥檚 because among NATO鈥檚 security planners, there has been a growing belief that the military strategy of deterrence 鈥 so apt during the Cold War nuclear era 鈥 simply hasn鈥檛 worked in cyberspace.
鈥淚 would feel pretty confident in telling you that there is probably a scale of cyberattack that is deterred: absolute destruction. Clearly attacks like that don鈥檛 happen every day. But the scale of cyberespionage and the scale of cyberattacks is growing, and the frequency is very high,鈥 said David Cattler, NATO鈥檚 assistant secretary-general for joint intelligence and security, at the December discussion in Brussels. 鈥淚鈥檇 say on balance, except for probably some really big efforts, [adversaries] are not deterred.鈥
Reassessing the relevance of deterrence in cyberspace marks a major shift in military strategic thinking, says Richard Harknett, U.S. Cyber Command鈥檚 2016 scholar-in-residence.
A holdover from the Cold War, the idea behind deterrence and escalation, too, is that since there鈥檚 no defending against a nuclear attack, the key is convincing an opponent that launching one is too costly in the first place. Until recently, there鈥檚 been a belief in cyber that 鈥渨e鈥檙e not threatening enough. We don鈥檛 have the punishment right,鈥 Mr. Harknett says. Strategy as it鈥檚 currently being pioneered is less about trying to arrest all hacking operations 鈥 an unrealistic prospect given the interconnectedness of the internet 鈥 as it is to understand and shape them so allies can better protect themselves.
After historically taking 鈥渁 very defensive approach鈥 to cyber operations, officials are now mulling whether there is 鈥渁nything from an offensive perspective that this alliance wants to have in its tool kit,鈥 Ambassador Julianne Smith, U.S. permanent representative to NATO, said at a discussion sponsored by the German Marshall Fund of the United States last month in Brussels.
The limits of Article 5
In crafting NATO鈥檚 new cyber strategy, senior security and intelligence officials for the alliance say they were informed by a series of 鈥渋ncreasingly destructive鈥 cyberattacks by Russian and Chinese actors over the last few years.
When Ukraine was hit by a spate of strikes on its government computer systems in January, as Russian troops massed on its border, NATO officials were watching closely. They had been working 鈥渇or years,鈥 they noted, to shore up the embattled nation鈥檚 cyber defenses, though it鈥檚 not a NATO member entitled to Article 5 protections.
What the incursions had in common was that, though damaging, they fell below the threshold of armed attack. It was increasingly evident, too, that the alliance needed to be more 鈥減roactive鈥 in cyberspace, Mr. van Weel said. 鈥淚t鈥檚 about not limiting our options to just waiting for a massive attack. It鈥檚 about recognizing that what happens below that threshold of a massive attack is worthy of our attention.鈥
But NATO doesn鈥檛 want to be too clear about what the new threshold is, Mr. van Weel added. 鈥淭he key to the policy is that there is no set bar, and there is a deterrent effect that will go from that.鈥
Behind the scenes, as cyberattacks were playing out, the U.S. was doing some heavy lobbying for a shift in the alliance鈥檚 strategic thinking, says Max Smeets, director of the European Cyber Conflict Research Initiative. This was driven in large part by the Russian meddling in Western elections, and the dawning understanding that a series of cyberattacks can cumulatively tear away at the fabric of democratic society.
In response, U.S. Central Command quietly began deploying proactive expert U.S. military hackers, known as 鈥渉unt forward鈥 teams, to operate 鈥渙utside the United States against our adversaries, before they could do harm to us,鈥 as the group鈥檚 head, Gen. Paul Nakasone, explained at the Reagan National Defense Forum in December.
鈥淗unting forward鈥
Some military analysts believe that a greater motivation behind NATO鈥檚 Article 5 policy shift is to set legal groundwork for allies to work together proactively in a way that is difficult without invoking collective defense mandates under Article 5 鈥 particularly given some NATO members鈥 reticence about intelligence-sharing.
A potential model for such operations was on display in 2018, when U.S. Cyber Command launched its first known cyber response to Russia for election meddling. In the run-up to the 2018 midterm vote, U.S. military cyber operators 鈥減opped up鈥 on the screens of workers at the Internet Research Agency (IRA), a Russian state-sponsored troll farm that carried out damaging online influence operations during the U.S. election.
鈥淭hey just showed up on the system and said hello,鈥 says Mr. Harknett, now a professor of political science at the University of Cincinnati and co-author of the forthcoming, 鈥淐yber Persistence Theory: Redefining National Security in Cyber Space.鈥 They also blocked the IRA鈥檚 internet access, a move calculated to put the Russians on the defensive and sow confusion. 鈥淭hey had to be thinking, 鈥楢mericans couldn鈥檛 have done all this work just to show up on our screens and say hi. How did they get in?鈥欌
The response among NATO adversaries to such operations remains to be seen, says Mr. Soesanto. 鈥淏y the Russians, on Russian soil, it could definitely be perceived as escalatory.鈥 At the same time, what U.S. Cyber Command did 鈥渨as temporarily shut down IRA, but it didn鈥檛 stop them.鈥
Yet the impact of these operations may be less obvious, Mr. Harknett says. 鈥溾楬unting forward鈥 means you actually have to be in the networks of your adversaries to understand malware development and the vulnerabilities they seek to exploit,鈥 he notes. 鈥淎 lot of criticism has been made that this is being aggressive, going on the offensive, that it could escalate.鈥 But often, 鈥渢hey don鈥檛 even know we were in there.鈥
Deliberations about the efficacy, politics, and ethics of offensive cyberweapons are likely to be more challenging for the alliance than 20th-century discussions 鈥渁bout tanks rolling across the border, in which case we know how to respond and what to do,鈥 said Ambassador Smith. 鈥淎nd there are still tough conversations to be had.鈥
