Imagine this scenario: Estonia, a NATO member, is cut off from the Internet by cyber attackers who besiege the country's bandwidth with a devastating denial of service attack. Then, the nation's power grid is attacked, threatening economic disruption and even causing loss of life as emergency services are overwhelmed. As international outcry swells, outside researchers determine the attack is being sponsored by a foreign government and being directed from a military base. Desperate and outgunned in tech resources, Estonia invokes Article 5 of the NATO Treaty -- an attack against one member nation is an attack against all. It requests an immediate response from its military allies: Bomb the attacker's command-and-control headquarters to stop the punishing cyber attack.
Now, the U.S. government is faced with a chilling question: Should it get dragged into a shooting war by a cyber attack on an ally? Or should it decline and threaten the fiber of the NATO alliance?
About half this fictional scenario occurred in 2007, when Estonian government and financial Web sites were crippled by a cyber attack during a dispute with Russia. That incident never escalated to this hypothetical level, however: The source of the attack was unclear, physical harm did not occur and Estonia never invoked Article 5.
The incident did, however, get other NATO members thinking: When would they be required to rise to the defense of an ally during a cyber attack?
Last year, a working group led by former U.S. Secretary of State Madeleine Albright was formed by NATO to study the future of the alliance in a post-Cold War world. When the group issued its report last month, aimed at helping NATO form a new "Strategic Concept," the thorny issues raised by cyber war were listed as one of the three toughest challenges facing the alliance. NATO is expected to approve the Strategic Concept this November during a meeting in Lisbon, and cyber war issues will be hotly debated.
Mutual defense is the heart of the NATO alliance, formed in 1949 in the wake of World War II, largely to combat the aspirations of an expanding Soviet Union. Article 5 lays out the obligations of members in plain language:
"The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them ... will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area."
Despite all the attention Article 5 has received during the 60-plus years of NATO, it has been invoked only once -- after the 9/11 attacks. That led to an alliance attack to remove the Taliban from power in Afghanistan.
That means the odds of a rudimentary botnet attack against a NATO member leading to war are quite small. They are not zero, however. The Albright group's report, titled "NATO 2020," was stark in its assessment -- ignoring the issue would probably only encourage attackers.
"The next significant attack on the Alliance may well come down a fiber optic cable," it reads. "A cyber attack that leads to chaos in one city may inspire copy-cat criminals in another. Due to the reach of modern media, even terrorist groups and pirate bands now have public relations specialists and NATO, when and wherever it acts (or fails to act), will do so with a global audience."
Among the report's recommendations: Give NATO military leaders pre-delegated authority to respond "in an emergency situation such as a missile or cyber attack."
'What is the threshold for crossing the cyber line?'
Roger Cressey, a former member of the U.S. National Security Council, said there is a long list of unanswered questions that NATO hasn't begun to resolve.
"If there is a cyber attack, does NATO respond in kind? Do the NATO allies with the most advanced cyber capabilities respond on behalf of the member that was attacked?" wondered Cressey, now a consultant with Good Harbor Consulting and an NBC analyst. "Should a response be limited only to cyberspace or should kinetic options be on the table too? This raises some very important issues -- do you attack another country with missiles and aircraft in response to a cyber attack? What is the threshold for crossing the cyber line and into physical responses?"
An even thornier issue, he said, is "attack attribution." As was the case of the Estonian attacks and more recent attacks on Google and other big tech companies, it's often difficult to positively identify cyber-attackers. So foreign governments or other enemies can easily blame cyber attacks on rogue groups.
"Doctrine on cyber attack is a very problematic issue, one that the Pentagon is struggling with right now," Cressey said. "If individual countries haven't figured it out yet, then it's a guarantee that collective defense entities like NATO will be even further behind in coming up with an agreed upon approach."
NATO lawyer: A high bar
Lawyer Eneken Tikk is in a unique position to understand the nuances of the Article 5 mutual defense debate. She is the acting policy chief at a NATO training center called the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, which was founded in 2008 in the wake of the 2007 cyber attack. She believes there is undoubtedly a legal basis for a mutual defense response to a cyber attack -- but the threshold for invoking such a response is very high. For starters, she said, mere electronic disruptions probably wouldn't clear the bar. Involving other NATO nations would require "a cyber attack on a country's power networks or critical infrastructure (that) resulted in casualties and destruction comparable to an armed attack," she said.
And even casualties might not trigger treaty obligations, she said.
"There is no clear threshold of a cyber armed attack - and even a kinetic attack is not always what the U.N. Charter considers as a threshold for invoking the right to individual (or collective) self-defense," she said. She pointed to research that suggests an attack "has to be of enough scope, duration and intensity ... to satisfy the accepted criteria of an armed attack under international law." Neither an overnight border skirmish nor a troublesome but temporary denial of service attack would qualify, she suggested. That is why the Estonian government did not invoke Article 5 in 2007, she said.
The Albright report makes allowances for all these gray areas, but hints at a formula it suggests could be put in place to arrive at more delicate decisions.
"There is, of course, nothing ambiguous about a cross border military assault by the combined armed forces of a hostile country," it said. "However, there may well be doubts about whether an unconventional danger -- such as a cyber attack or evidence that terrorists are planning a strike -- triggers the collective defense mechanisms of Article 5. In the event, this will have to be determined by the ... nature, source, scope and other aspects of the particular security challenge."
'Can a cyber attack invoke a physical response?'
Mark Rasch, former head of the Justice Department's computer crimes unit and now a consultant at Secure IT Experts, said that NATO's attempt to clarify members' obligations during cyber attack is further complicated by the fact that low-level cyber attacks are happening constantly. Some are better described as espionage or spying than cyber war, and many come from corporations or curious kids. On the other hand, some of those "curious kids" are state-sponsored, he said.
"We've been having low-level cyber for 30 years," Rasch said. "There's been penetration testing, Web defacements, denial of service attacks, propaganda attacks. But we haven't yet had a cyber attack where a nation-state mobilizes to attack the critical infrastructure of another nation."
It's possible that means the NATO treaty is already working in the cyber world. Article 5's chief purpose, Rasch said, is not to drag countries into war but rather to act as a massive deterrent - and given its rare implementation, it's generally considered a success. By establishing rules of cyber war engagement, NATO is "throwing down the gauntlet" to enemies, making it clear that a cyber attack by a government could result in a powerful response -- a position designed to scare off would-be attackers. There are a couple of flaws in that position, however.
First, most cyber attacks are asymmetric, meaning the consequences of a counterattack are often very small. A single computer can be used to attack hundreds of computers. A denial of service attack would likely come from millions of hijacked machines, so the risk of a counterattack against the attacker is quite minimal.
"It's kind of like when Hamas fires rockets from residential neighborhoods," Rasch said. "(The attackers) might not have infrastructure that you can go after."
Also, while Rasch supports a NATO effort to clarify member nations' obligations under Article 5, he believes the effort could backfire.
"Because the rules are vague right now there is plenty of wiggle room," he said. "Right now, the U.S. could say, 'We don't think (Article 5) applies' if asked to enter a conflict. But by defining it more precisely, it increases the chances we'll get dragged into a cyber war."
Naturally, none of these issues was contemplated by the authors of the NATO agreement in the 1940s, and clearly the alliance will have a difficult time striking a delicate balance of mutual security vs. entanglements as it debates the role of cyber-alliances. The Albright report calls for the alliance to have "expert teams" ready to aid member nations threatened by cyber attacks, and technical assistance might go a long way toward defusing many cyber conflicts. But there is an inevitable question hanging over the effort.
"The big question is can a cyber attack invoke a physical response?" Rasch said. "The answer is we don't know what the appropriate response is to cyber war against a NATO ally, or what is the appropriate response by a NATO ally to an attack on us. We need to define those things."