NATO ponders cyberwarfare
[If I were good at kidding myself, I could imagine that NATO officials read my previous firstname.lastname@example.org article on the recent cyberattacks on Estonia. In any event, they seem now to be taking seriously the question of how to view such threats within the context of acts of war. Here’s my latest piece for Nature Online News.]
Attacks on Estonian computer networks have prompted high-level discussion.
Recent attacks on the electronic information networks of Estonia have forced NATO to consider the question of whether this form of cyberattack could ever be construed as an act of war.
The attacks on Estonia happened in April in response to the Baltic country’s decision to move a Soviet-era war memorial from the centre of its capital city Tallinn. This was interpreted by some as a snub to the country’s Soviet past and to its ethnic Russian population. The Estonian government claimed that many of the cyberattacks on government and corporate web sites, which were forced to shut down after being swamped by traffic, could be traced to Russian computers.
The Russian government denied any involvement. But NATO spokesperson James Appathurai says of the attacks that “they were coordinated; they were focused, [and] they had clear national security and economic implications for Estonia.”
Estonia is one of the most ‘wired’ countries in Europe, and renowned for its expertise in information technology. Earlier this year it conducted its national elections electronically.
Last week, NATO officials met at the alliance headquarters in Brussels to discuss how such cyberattacks should be dealt with. All 26 of the alliance members agreed that cyberdefence needs to be a top priority. “Urgent work is needed to enhance the ability to protect information systems of critical importance to the Alliance against cyberattacks”, said Appathurai.
The Estonian experience seems to have sounded a wake-up call: previous NATO statements on cyberdefence have amounted to little more than identifying the potential risk. But the officials may now have to wrestle with the problem of how such an attack, if state-sponsored, should be viewed within the framework of international law on warfare.
Irving Lachow, a specialist on information warfare at the National Defense University in Washington, DC, says that, in the current situation, it is unclear whether cyberattack could be interpreted as an act of war.
“My intuition tells me that cyberwarfare is fundamentally different in nature”, he says. “Traditional warfare is predicated on the physical destruction of objects, including human beings. Cyberwarfare is based on the manipulation of digital objects. Of course, cyberattacks can cause physical harm to people, but they must do so through secondary effects.”
But he adds that “things get trickier when one looks at strategic effects. It is quite possible for cyber attacks to impact military operations in a way that is comparable to physical attacks. If you want to shut down an air defense site, it may not matter whether you bomb it or hack its systems as long as you achieve the same result. Thus it is quite conceivable that a cyberattack could be interpreted as an act of war – it depends on the particulars.”
Clearly, then, NATO will have plenty to talk about. “I think it’s great that NATO is focused on this issue”, says Lachow. “Going through the policy development process will be a useful exercise. Hopefully it will produce guidelines that will help with future incidents.”