NATO Stance on Cyberattacks is Strengthening | LMG Security
Map of NATO member countries, shaded in blue (via Wikimedia Commons)
In a reflection of the shifting, increasingly digital landscape of modern warfare, the North Atlantic Treaty Organization (NATO) announced that a large-scale, state-sponsored cyberattack on a participating nation may be considered an attack on the alliance. As such, it may warrant a military response under NATO’s collective defense policy. NATO Secretary General Anders Fogh Rasmussen told reporters, “Today we declare that cyber-defense is part of NATO’s core task of collective defense.”
NATO stance on cyberattacks validates state-sponsored cyberattacks as a form of international attack on par with physical military action. In a world where most nations–not to mention individuals–store their most sensitive information on computers, cyberattacks function as a 21st-century form of spying, stealing information, and obstructing enemy objectives.
For many journalists and analysts, the announcement recalled the 2007 cyberattacks (most of them distributed denial-of-service attacks) against NATO member state Estonia, which many suspect were wielded by the Kremlin. The attacks occurred in the wake of Estonia’s disagreement with Russia over the relocation of a Soviet-era war memorial, the Bronze Solider of Tallinn. Without direct evidence, Estonia’s Foreign Minister accused the Russian government of instigating the attacks. There is no proof of the Kremlin’s involvement.
The ambiguity surrounding the 2007 attacks exemplifies the difficulty of proving that an attack was actually government-sponsored. Governments carrying out cyberattacks will try to distance themselves in order to avoid blame, so NATO will have a daunting task in trying to link an attack to the suspected government.
Given the difficulty of proving guilt in the case of a cyberattack, NATO’s announcement can be viewed as a more symbolic than concrete policy change. It represents the increasing gravity of cyberattacks in governments’ eyes and more clearly identifies these attacks as acts of aggression. Despite the challenges of policy implementation, taking cyberattacks more seriously is a critical step in addressing this growing threat.
