Recent developments have put cyber-related issues at the top of the international security agenda. In December 2017, the US government publicly attributed the ransomware known as WannaCry, which had caused worldwide havoc a few months earlier, to North Korea (a country already identified as the source of the 2014 cyberattack against Sony Pictures). In February 2018, a number of Western countries - starting with the UK and the US, soon joined by Australia, Denmark, Estonia, Japan, Lithuania and others - attributed NotPetya, malware which had inflicted considerable damage across the world the previous June, to Russia.
Almost simultaneously, Latvia’s new e-health system was hit by a vicious cyberattack; German media reported an ongoing compromise of Federal Foreign Ministry servers, allegedly perpetrated by Russia-based actors; and a number of ICT companies publicly disclosed critical security flaws, dubbed Meltdown and Spectre, affecting computer processors used worldwide in workstations, laptops, smartphones and more. If one adds to all this the recurrent political disinformation and radicalisation campaigns run through social media and the potential misuse of commercially available technologies by terrorist groups, it becomes evident that ‘cyber’ (a prefix covering a variety of digital, computer-related activities) has become ever more critical to our individual and collective security. In this brave new world [1], appropriate defences need to be developed at all levels.
Cyber threats may range from armed conflict proper (more likely as part of ‘hybrid’ warfare, as in 2008 Georgia or 2014 Ukraine) to espionage, sabotage, disruption and subversion operations. Their consequences may lead to anything from mere annoyance to potential fatalities. Indeed, not all cyberattacks are of equal importance, not all can be deterred, and not all pose significant threats to national or collective security. The cyber perpetrators themselves may range from states or state-sponsored groups to criminal organisations, from ‘hacktivists’ to terrorists.
International law has been recognised as applicable to cyberspace, yet the specificities of its application – notably in response to malicious activities – are still a moot point. Hostile cyber activities may not fit neatly in the category of ‘armed attack’ (art.51 of the UN Charter, framing the jus ad bellum) and do not necessarily entail or elicit the ‘use of force’, at least in a kinetic sense. It is sometimes even difficult to ascertain precisely what harm – understood as injury or death to individuals, or damage or destruction of property – results from a cyber operation: as Thomas Rid has observed, ICT has spectacularly lowered the entry barriers for new actors and extended the scope for hostile activities that were already quite common, but it has also decreased their overall level of violence [2]. And while there is still no cyber-specific legal framework for inter-state ‘cyber warfare’ proper (jus in bello), it is difficult to imagine any future armed conflict or high-end military operation without a significant enabling cyber component (cyber in warfare).
Moreover, governments themselves often prefer to keep their options open in terms of both assessing and responding to cyberattacks. Although some progress was made in the legal realm with the 2015 Report of the UN Group of Governmental Experts (UNGGE) and, on the academic side, the two iterations of the so-called 'Tallinn Manual' [3], subsequent efforts at either multilateral or scholarly level have not reached the same degree of consensus or support.
Generally speaking, global conventions governing new technologies tend to be crafted only after the technologies have been used for some time (the main exception being the Outer Space Treaty, agreed in 1967, early in the space age). More specifically, ongoing technological advances - from the advent of the ‘Internet of Things’ to the development of artificial intelligence and autonomous systems - are constantly expanding attack surfaces and vulnerabilities in what is a fast-moving and increasingly unpredictable environment.
This is to say that 'cyber' cannot and should not be seen in isolation. It is now both a domain in its own right, even in military terms (acknowledged as such by several Allies), and a domain within other domains (across sea, air, land and space, not to mention our daily lives and businesses). As such, however, it presents a number of specificities which need to be taken into account when it comes to debating, planning and implementing security and defence policies.
Cyber attribution and deterrence
The main vectors of cyberattacks are networks, supply chains, and human insiders (be they malicious or just careless). Attributing a cyberattack is a complex process that entails a sophisticated technical component (forensics) and, especially for states, an equally sophisticated all-source intelligence component (to assess circumstance and intent). Deception - through ‘spoofing’ and ‘false flags’ - is actually quite common: even knowing the true location of a machine is not the same as knowing the ultimate instigator of an attack, since the machine may itself be compromised infrastructure or a deliberately planted decoy. Attribution is a matter of degree, in other words, as well as a matter of political judgement – especially when it is made public by governments and specialised agencies. Disclosing forensic methods and/or intelligence sources may diminish or even compromise their value for future contingencies; not doing so, however, could open the door to plausible deniability and potential loss of international support. Moreover, public attribution exposes the victim’s own vulnerability and creates an expectation of some form of retribution, preferably with tangible consequences for the perpetrator. And each case is likely to be different, thus requiring a tailored and targeted approach.
Most importantly, attribution is and remains a prerogative of individual states and governments. Collective attribution is not on the cards, at least as a legal competence: in the cyber domain there is no equivalent of dedicated multilateral agencies like the IAEA in Vienna or the OPCW in The Hague. Still, concerted or coordinated attribution is of course possible (as was the case with NotPetya), as are solidarity with and assistance to the stricken party [4].
To some extent, attribution is a form of strategic communication: it is about signalling – bilaterally and discreetly, or publicly by naming and shaming – and it is about perception. It does require credibility at source, including a retaliation capacity (arguably beyond the reputational damage). In other words, it is also about deterrence.
In principle, deterrence means broadly the same in the cyber world as everywhere: dissuading someone from doing something by indicating that the cost to them will exceed their expected benefit. Yet deterrence may take multiple forms [5]. Classical 'strategic' deterrence rests on two main mechanisms: a credible threat of punishment for an action, and denial of gains from an action. In the nuclear domain, where deterrence doctrine was first developed, the latter was limited by the difficulty of mounting an effective shield against a large-scale nuclear attack – hence the emphasis on second-strike capability and mutually assured destruction, which eventually led to non-proliferation and arms control regimes. Crucially, the main actors were all states (and a few of them at that), with serious entry barriers for others. In the cyber domain, by contrast, a few lines of malicious code can be written (or purchased on the dark web) by any number of state or non-state actors.
As a result, deterrence by punishment is somewhat limited by the asymmetrical nature of the ‘battlefield’ (what retribution for state proxies from North Korea, where reliance on open networks is minimal?) as well as by the risk of unintended consequences, which exists also in cyberspace: just like chemical, biological or radiological agents, offensive cyber responses may affect innocent targets or even be ‘weaponised back’ by a skilled adversary who captures and repurposes the code, with danger of proliferation and possibly even escalation [6]. Unlike CBR agents, however, cyber ‘weapons’ are neither banned nor subject to a comparable international control regime.
In other words, simple, mechanical intra-domain or in-kind retaliation poses significant challenges (regardless of whether it follows public attribution or not) and it may even prove insufficient. However, it should not be discounted, as it may well constitute a component of a broader deterrence and defence toolbox, along with other types of retaliatory responses in the diplomatic, legal, economic or even military domain. Actually, it seems advisable to maintain a degree of deliberate ambiguity and flexibility vis-à-vis a potential perpetrator as to precisely what tool(s) would be employed in response to any cyberattack.
On the other hand, deterrence by denial - which is almost indifferent to attribution (public or not) - presents many advantages in the cyber domain. Although all cyber defences tend to be imperfect, good cyber defences can provide mitigation and build resilience to attacks, thus reducing the incentive by making them seem virtually pointless. In fact, increasing effort, raising risk and reducing reward are typical techniques used against criminal activities: they are not aimed at erasing crime entirely, of course, just as cyber defences cannot claim to stop malicious activities once and for all. But investing in resilience does indeed enhance deterrence: good hygiene, education and training, continuous monitoring and on-site control, combined with cooperation among relevant stakeholders, can make a lot of difference, especially vis-à-vis less sophisticated attackers.
Last but not least, the cyber domain - as distinct from air, sea and space – is a man-made ecosystem, mostly privately owned (and operated) and only partially governed. National authorities and public agencies definitely need to compare notes and exchange relevant information with private companies. It is important to think in terms of complex organizations and interaction of systems, rather than just unitary rational actors. And, as deterrence often depends on perception, complex organizations - whether private or public - often perceive the same actions (and the associated costs and benefits) from very different perspectives.
This has already happened, for instance, with Iran’s Revolutionary Guards vs the Foreign Ministry, or with China’s People’s Liberation Army vs the Central Bank, whose respective estimates of the cost-benefit ratio of certain hostile actions against the West differed markedly. The Internet is not only a symbol but also a vector of global economic interdependence: appreciation of the status quo and its continuation may indeed vary significantly, affecting the calculation of actors, potentially raising the incentives for self-restraint and reducing the risks of escalation (Joseph Nye speaks, in this respect, of deterrence by entanglement).
For their part, ‘classical’ arms control-type arrangements seem inapplicable to cyber, as verification of ‘stockpiles’ would be virtually impossible, and compliance would be hardly enforceable (they could be quickly recreated). Interesting work is being done, notably within the OSCE, on confidence-building measures and early-warning mechanisms with a view to preventing miscalculation and escalation, but progress is extremely slow. In principle, more emphasis could be put on banning certain types of targets - rather than ‘weapons’ - in the name of common overarching interests based on humanitarian, commercial or other considerations.
Even if not enshrined in (new) international norms - a prospect that appears remote in the current international climate - such restrictions on state behaviour, based on a shared understanding among key stakeholders, could enter into accepted ‘netiquette’; their violation could thus come to represent a taboo at multilateral level – a taboo whose breach would entail consequences. In other words, deterrence by rules, however informal and non-binding, is not entirely inconceivable.
In sum, there is a large spectrum of means for reducing the likelihood, frequency and severity of malicious activities in the cyber domain. Some may help deter certain actors (and actions) but not others. These means can thus complement one another and be used in combination with other policy tools. In fact, much depends on who and what is to be deterred: the how, basically, follows. Meanwhile, however, the speed of technological innovation continues to reshape the whole environment, requiring flexible and constantly evolving responses: what seems impossible or inadequate now may indeed become feasible and acceptable in the very near future.
Allied resilience and defence
NATO is a political-military alliance with a common goal of preventing conflict and preserving peace, which it has now successfully met for almost 70 years. Its mandate in the cyber domain is defensive in nature and built upon two main pillars: protecting NATO networks, and enhancing the level of resilience across the 29 Allies.
Since the initial creation of NATO’s computer incident response capability (or CERT) in 2002, the Alliance’s approach has evolved from addressing cyber defence in primarily technical terms to viewing it as an integral part of NATO’s strategic context - from information assurance to mission assurance, so to speak. Allies have also recognised that cyberattacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability: for NATO, such threshold refers - implicitly or explicitly – to the possible invocation of art.5 of the Washington Treaty, which was discussed already in the context of the 2007 massive cyberattacks against Estonia. In this vein, cyber defence was recognised at the NATO Summit in Wales in 2014 as part of NATO’s core task of collective defence. On the occasion, Allies also affirmed that international law applies in cyberspace.
In an effort to bolster national resilience, Allies adopted a so-called Cyber Defence Pledge at the 2016 NATO summit in Warsaw. After nearly two years of implementation, the Pledge has demonstrated its value as a tool to attract strategic-level attention and promote investment (financial, human and political) in cyber defence, raising awareness that the Alliance is only as strong as its weakest link. Allies are currently self-assessing their efforts to implement the Pledge, which will inform a first progress report to be developed ahead of the upcoming NATO Summit in Brussels this July: what is already apparent is that virtually every member country has upgraded its cyber defence capabilities over the past couple of years, with a tangible multiplier effect across the Alliance. Although unconventional in nature (it rarely falls under the responsibility of defence ministries), cyber defence now represents part and parcel of a broader collective endeavour to bolster collective resilience against equally unconventional threats which are mostly situated, at least so far, below the art.5 threshold. In fact, Allies now find themselves in a sort of 'art.4 ½' situation - one which requires preparation, consultation, cooperation and readiness across agencies and across countries [7].
The Warsaw Summit also brought recognition of cyberspace as a specific domain of military operations in which NATO must be able to defend itself as effectively as it does in the air, at sea and on land. As part of a three-year roadmap to implement this decision, the Alliance is looking into (and developing further) how it thinks, trains, equips and collaborates in cyberspace. To support this work, NATO Defence Ministers agreed in November 2017 to a set of principles that would guide the integration of offensive ‘effects’ generated by national cyber capabilities for mission assurance purposes (most likely through embedded liaison officers), as allied forces and militaries are not immune to cyber risks and increasingly rely on cyberspace to carry out their mandate.
This does not and will not change the defensive posture of the Alliance. In cyberspace, just like in the other domains, NATO indeed relies on Allies to provide capabilities for its military operations and missions. In February 2018, as part of broader efforts to ensure the NATO Command Structure is fit for purpose, Defence Ministers endorsed the creation of a Cyber Operations Centre at SHAPE, NATO’s military headquarters. This centre will help integrate cyber aspects into NATO planning and operations, while the Tallinn-based CCD COE, as an autonomous military organisation accredited by the Alliance, fosters research and education, capacity-building, cooperation and information-sharing among 17 NATO members and a number of partners.
As an alliance of sovereign states, NATO is not expected to do (cyber) attribution, which remains a national prerogative. However, consultation and coordination among Allies - and beyond - in these matters is already a fact, and expressions of collective solidarity with a stricken country a strong possibility. NATO does not produce or promote norms either, although it acts in conformity with international law, follows the principles of restraint, proportionality and cooperation, and supports the diplomatic efforts underway in the UN and OSCE. In fact, cyber defence is a quintessential team sport, and the Alliance recognises that it cannot go it alone in cyberspace: partnerships are instrumental for strengthening resilience and deterrence. Cyber defence partnerships - including with like-minded countries, international organisations (starting with the European Union, with which a Technical Arrangement on cyber defence was signed in February 2016) as well as industry and academia - constitute an important part of NATO’s approach to cooperative security, in full awareness that 21st century frontiers and fortresses are no longer what they once were.
[1] For a comprehensive overview of how the US, in particular, has operated in this domain see F. Kaplan, Dark Territory: The Secret History of Cyber War, Simon & Schuster, New York, 2016.
[2] T. Rid, Cyber War Will Not Take Place, Hurst & Co, London, 2013 and 2017.
[3] See respectively M.N. Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge UP, 2013; and M.N. Schmitt (ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge UP, 2017 – both prepared under the aegis of NATO’s Cooperative Cyber Defence Centre of Excellence (CCD COE), based in Tallinn, Estonia, since 2008.
[4] On 16 April 2018, the EU Foreign Affairs Council adopted conclusions on ‘malicious cyber activities’ that explicitly mentioned hostile use of ICTs - including WannaCry and NotPetya (albeit without attribution) - and expressed ‘serious concern’ about the increasing ability and willingness of third states and non-state actors to pursue their objectives through cyber means (in June 2017 the EU had also adopted a ‘cyber diplomatic toolbox’ that included measures to respond to unacceptable behaviour). On the same day, the US and the UK issued a joint statement on ‘malicious cyber activity carried out by the Russian government’ offering i.a. bilateral technical assistance.
[5] For an essential contribution to the debate see J.S. Nye, Deterrence and Dissuasion in Cyberspace, ‘International Security’, Vol. 41, No. 3 (Winter 2016/17), pp. 44-71.
[6] Some analysts believe that distributed denial-of-service (DDoS) attacks that disrupted some US financial institutions in 2012-13 were launched by Iran in retaliation for the 2010 Stuxnet operation against the Natanz nuclear facility - and that Iran was also behind the 2014 hacks into the Sands Corporation in Las Vegas, owned by the ardently pro-Israel billionaire Sheldon Adelson.
[7] In a similar vein, the kind of robust peacekeeping and crisis management missions and operations that became frequent in the mid-late 1990s were often labelled as ‘Chapter VI ½’ – with reference to Chapters VI and VII of the UN Charter.