Cyber Attribution Could Tear Apart NATO

The United States still struggles to find effective policies for deterring cyber-attacks. Suggestions run the range from more widespread use of indictments and economic sanctions, despite their lackluster record of success, to less traditional but more risky policies that emphasise the asymmetric advantage America has in conventional military power.

Most of the discussion of cyber deterrence focuses on preventing a single catastrophic or cascading cyberattack that would threaten lives like disruptions to electricity transmission or clean water, altering election outcomes or grinding global finance to a halt. 

Yet the reality is that in the event of such an attack, the response would likely not come from the US alone but from the NATO alliance in concert. NATO’s cyber-defense mandate has evolved over time to update its collective defense commitment under Article V of the North Atlantic Treaty for the era of cyberattacks. 

In the latest effort to collectively impose costs on adversaries, the 2018 NATO Summit saw a commitment from heads of state and government “to integrate sovereign cyber effects, provided voluntarily by Allies, into Alliance operations and missions, in the framework of strong political oversight.” 

The newly updated White House National Cyber Strategy likewise envisions working together with a “coalition of like-minded states” to “ensure adversaries understand the consequences of their malicious cyber behavior.”

Therein lies the rub. Both formal alliances, such as NATO and more ad hoc arrangements, such as what the Cyber Deterrence Initiative imagines, will require members to share intelligence and eventually, to the best of their ability and perhaps in different domains, contribute to joint action against a presumably well-armed foreign aggressor. 

States including the United States, the United Kingdom, the Netherlands, Estonia, and Denmark have publicly declared their willingness to lend sovereign offensive cyber effects to deter, defend against and counter the full spectrum of threats.

Sharing intelligence and information is a key element of NATO’s core decision-making process enshrined in Article 4 of the Washington Treaty. Political consultations are part of the preventive diplomacy between member states, but they are also an avenue to discuss concerns related to the security threats member states face. These consultations can be a catalyst for reaching a consensus on policies to be adopted or actions to be taken, including those on the use of sovereign cyber effects to support a NATO operation. The alliance has a track record of collective action and cooperative security measures. 

For example, Operation Active Endeavour helped to deter, disrupt and protect against terrorist activity in the Mediterranean in the aftermath of the 9/11 terrorist attacks, in solidarity with the United States. 

In the United States, the greatest failures of response and deterrence to foreign aggression in cyberspace have not been caused by a lack of intelligence, capability or imagination. Rather, US policy has been serviceable in theory but impotent in practice because of an inability to translate technical findings and intelligence into public support for sufficiently tough responses ordered by elected political leaders. 

  • North Korea’s repeated operations targeting US companies and critical infrastructure have been met with public skepticism over their culpability, limiting the strength of retaliatory options needed to deter further events. 
  • Chinese cyber economic espionage continued for years despite widespread knowledge of China’s activities because political leaders found it difficult to confront Beijing without undermining US companies in return.  
  • Russian information operations did not sow enough doubt to mislead experts, but they succeeded in exacerbating the partisan polarisation of an already-divided electorate and its leaders.

That inability to translate the findings of cyber experts into public sentiment and therefore political action has sidelined America’s cyber-warriors, by far the most technologically advanced and well-resourced in the world. 
How can a commander achieve a common operational picture to authorise the use of sovereign effects in a NATO operation if all the allies are not on the same page with respect to critical attribution and other technical information needed for a use of effect in an operation? 

We all know what a tank looks like on a shared satellite image, but if you ask three cyber experts to interpret the attribution for a set of indicators, you are likely to get at least four answers. 

For most US allies in Europe and elsewhere, there is simply a dearth of technical know-how within the government when it comes to cyber attribution and operations. This is already a challenge for the United States, with a massive defense budget, Silicon Valley innovation and an educated workforce to pull into government service. 

But for many US allies, tech-savvy public servants will have long fled for the private sector, non-governmental organisations (NGOs) and academia before reaching ministerial positions.To its credit, the US National Cyber Strategy does propose capacity-building measures to support allies. This means building up law enforcement, intelligence, and military operational and investigative capability. 

But even with successful capacity-building programs, many nations could, in a crisis, end up in the same place the United States is, with good options stuck on the shelf while political leaders and their electorates lack a critical mass of informed voters to trust, understand and act on expert findings.

Long-Term Thinking
In the long run, though, the US and its more technologically advanced allies, such as its fellow Five Eyes (Australia, Canada, New Zealand and the UK), France and Japan, will have to make important policy changes in the interests of furthering alliance cooperation in cyberspace. 

There needs to be a willingness to sometimes risk sensitive sources and methods in order to get cyber threat intelligence into the hands of other countries better positioned to take policy action, an end to classifying public information like IP addresses solely because of their acquisition via classified means, and greater transparency on their own decision-making. NATO’s essential and enduring purpose is to safeguard the freedom and security of all its members by political and military means. 

Tolerating cyberattacks, especially those deliberately targeting civilians and the political legitimacy of governments, without the alliance having the capability to jointly discuss attribution and have the confidence to act and assist one another, undermines this core purpose of the alliance. 

Likewise, pursuing only deterrence and response without an active role for the alliance in reaching peaceful diplomatic agreements with potential adversaries abrogates member responsibilities to their citizens but is impossible without a common language and operational picture to discuss enforcement of such agreements. The US is stronger with allies, and with attention to these issues its cybersecurity can be too.

Lawfare

You Might Also Read: 

NATO Cyber Command Fully Operational In 2023:

 

 

« Zuckerberg Has Failed
Israel's Cyber-Hotline »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Arxan Technologies

Arxan Technologies

Arxan is a leader of application attack-prevention and self-protection products for Internet of Things (IoT), Mobile, Desktop, and other applications.

Security Research Labs (SRLabs)

Security Research Labs (SRLabs)

Security Research Labs is a Berlin-based hacking research collective and consulting think tank.

Conference-Service.com

Conference-Service.com

Conference-Service.com provides a categorised calendar of conferences and events which includes Information Security.

Aves Netsec

Aves Netsec

Aves is a deceptive security system for enterprises who want to capture, observe and mitigate bad actors in their internal network.

ID Experts

ID Experts

ID Experts is a leading provider of identity protection and data breach services for companies and individuals throughout the USA.

GreyCastle Security

GreyCastle Security

GreyCastle Security is a leading cybersecurity services provider dedicated exclusively to cybersecurity and the practical management of cybersecurity risks.

MBL Technologies

MBL Technologies

MBL Technologies specializes in information assurance, enterprise security, privacy, and program/project management.

Fortra

Fortra

Fortra (formerly HelpSystems) is your cybersecurity ally, unified through the mission of providing solutions to organizations' seemingly unsolvable cybersecurity problems.

Digital Law

Digital Law

Digital Law is the only UK law firm to specialise solely in online, data and cyber law.

BLOCKO

BLOCKO

BLOCKO is a blockchain specialized technology company that has experienced and achieved the largest amount of business in South Korea.

Bitcrack

Bitcrack

Bitcrack Cyber Security helps your company understand and defend your threat landscape using our key experience and skills in cybersecurity, threat mitigation and risk.

US Digital Corps

US Digital Corps

The U.S. Digital Corps is a new two-year fellowship for early-career technologists where you will work every day to make a difference in critical impact areas including cybersecurity.

Cyber Coaching

Cyber Coaching

Cyber Coaching is a community for enhancing technical cyber skills, through unofficial certification training, cyber mentorship, and personalised occupational transition programs.

RegScale

RegScale

RegScale helps organizations comply in real-time with multiple compliance requirements (NIST, CMMC, ISO, SOX, etc), scalable to meet the needs of the entire enterprise.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Trojan Horse Security

Trojan Horse Security

Trojan Horse Security are specialists in corporate security. Our services include: Comprehensive Cyber Security Analysis, Penetration Testing, Network Security and Security Audits.