Wednesday, June 20, 2007

NATO ponders cyberwarfare
[If I were good at kidding myself, I could imagine that NATO officials read my previous muse@nature.com article on the recent cyberattacks on Estonia. In any event, they seem now to be taking seriously the question of how to view such threats within the context of acts of war. Here’s my latest piece for Nature Online News.]

Attacks on Estonian computer networks have prompted high-level discussion.

Recent attacks on the electronic information networks of Estonia have forced NATO to consider the question of whether this form of cyberattack could ever be construed as an act of war.

The attacks on Estonia happened in April in response to the Baltic country’s decision to move a Soviet-era war memorial from the centre of its capital city Tallinn. This was interpreted by some as a snub to the country’s Soviet past and to its ethnic Russian population. The Estonian government claimed that many of the cyberattacks on government and corporate web sites, which were forced to shut down after being swamped by traffic, could be traced to Russian computers.

The Russian government denied any involvement. But NATO spokesperson James Appathurai says of the attacks that “they were coordinated; they were focused, [and] they had clear national security and economic implications for Estonia.”

Estonia is one of the most ‘wired’ countries in Europe, and renowned for its expertise in information technology. Earlier this year it conducted its national elections electronically.

Last week, NATO officials met at the alliance headquarters in Brussels to discuss how such cyberattacks should be dealt with. All 26 of the alliance members agreed that cyberdefence needs to be a top priority. “Urgent work is needed to enhance the ability to protect information systems of critical importance to the Alliance against cyberattacks”, said Appathurai.

The Estonian experience seems to have sounded a wake-up call: previous NATO statements on cyberdefence have amounted to little more than identifying the potential risk. But the officials may now have to wrestle with the problem of how such an attack, if state-sponsored, should be viewed within the framework of international law on warfare.

Irving Lachow, a specialist on information warfare at the National Defense University in Washington, DC, says that, in the current situation, it is unclear whether cyberattack could be interpreted as an act of war.

“My intuition tells me that cyberwarfare is fundamentally different in nature”, he says. “Traditional warfare is predicated on the physical destruction of objects, including human beings. Cyberwarfare is based on the manipulation of digital objects. Of course, cyberattacks can cause physical harm to people, but they must do so through secondary effects.”

But he adds that “things get trickier when one looks at strategic effects. It is quite possible for cyber attacks to impact military operations in a way that is comparable to physical attacks. If you want to shut down an air defense site, it may not matter whether you bomb it or hack its systems as long as you achieve the same result. Thus it is quite conceivable that a cyberattack could be interpreted as an act of war – it depends on the particulars.”

Clearly, then, NATO will have plenty to talk about. “I think it’s great that NATO is focused on this issue”, says Lachow. “Going through the policy development process will be a useful exercise. Hopefully it will produce guidelines that will help with future incidents.”

1 comment:

JimmyGiro said...

Irving Lachow must have a new swagger to his gate as he struts down the hallways of the National Defense University in Washington DC (twinned with Warmington-on-sea). Only last week he was the runt of the faculties, as the staff of other departments like the schools for "Real war for real tough guys" and "Let God sort them out", would often chase poor Irving about the campus at lunch break with threats of Chinese burns or a KGB dead arm.

But the tables have turned, with NATO giving the green light on a new version of international pant-wetting, Irving... that is Professor Lachow to you worms... can be seen lording it over the martial prowess of the "Real Tough Guys" with his information warfare! "Watch it matey, I got a black belt in Expert Intuition. He was probably the first in line for the anti Y2K inoculation jab (cos he ain't scared of pricks see).

Or as Clausewitz might have put it if he were spawned a little later, "Politics is hacking by other means". Speaking of which, if we splice James Appathurai's comments with Lachow's, we have "In the current situation, it is unclear whether cyberattack could be interpreted as an act of war... but they were coordinated; they were focused, [and] they had clear national security and economic implications for Estonia... Thus it is quite conceivable that a cyberattack could be interpreted as an act of war"

Are you looking at my firewall? Just how "renowned" can Estonian expertise be if it got totally pwnd by a bunch of Russian script kiddies? And I am convinced that it was the Russian general public in a spurt of national pride, since "they were coordinated; they were focused" does not sit well with any government I'm aware of.