Even with the rising tide of nation-sponsored cyber attacks, NATO does not yet have a policy—let alone a definition—of what constitutes a cyber attack that would mandate a response under Article 5 of the alliance’s Washington Treaty, according to NATO officials. Article 5 defines an attack on a NATO member as “an attack on all,” requiring a response by all members against an aggressor.
The Wednesday morning keynote panel at the AFCEA International Cyber Symposium, being held June 24-25 in Baltimore, included four NATO officials examining issues affecting national and alliance cyberdefense. Lt. Gen. Mark O. Schissler, USAF, deputy chairman, NATO Military Committee, admitted that NATO does not know how to define Article 5 in a cyber context. The alliance realizes this is an important issue, he said, and it is working to address it.
Dr. Velizar Shalamanov, director, demand management, NATO Communications and Information Agency, allowed that it is difficult in this uncertain environment to define an Article 5 attack. He suggested that Article 4 (consultation) and Article 6 (crisis management) may be applied before Article 5 in a cyber attack.
Melissa Hathaway, president of Hathaway Global Strategies and former acting senior director for cyberspace with the National Security Council, noted the Tallinn Manual addresses some of the thresholds that must be considered. Developed in the wake of the Estonian cyber attacks seven years ago, the manual discusses issues that will affect future NATO policy making: the extent to which a disruption becomes an attack; at which point the interruption of financial services becomes an attack; and the degree of destruction that may constitute a physical attack.
Lt. Gen. Johannes Kert, military representative of the Estonian Delegation, NATO Cooperative Cyber Defense Centre of Excellence, offered the perspective of a nation that has faced a cyber attack. “When you are in crisis, it’s so difficult to identify how you are being attacked,” he related. “Later, you understand, but you may not catch it immediately.
“Cyber is such a complex thing, it is really difficult to identify who is behind an attack,” he continued. “Deniability is the beauty of the game, and attackers tend to use it.”