Western nations have warned Russia that another Kremlin-directed cyberattack could result in a full-scale war.
The North Atlantic Treaty Organization (NATO) on Friday announced that it will establish a rapid-response force of several thousand soldiers to deter and, if need be, respond to further Russian aggression. As part of the announcement, NATO members also reiterated their support for a policy adopted in June that classifies Russian cyberwarfare as legitimate grounds for a military response.
“Today we declare that cyber defence is part of NATO’s core task of collective defence,” said NATO Secretary-General Anders Fogh Rasmussen, reports Reuters.
#Nato chief announces plans to create “spearhead” rapid response force and to make cyber security part of core task of collective defence
— Sky News Newsdesk (@SkyNewsBreak) September 5, 2014
The announcement, which came during the latest meeting of the 65-year-old alliance in Wales, is the boldest move yet by the Western coalition to deter cyberattacks. In the past, NATO activities on cybersecurity were limited to coordinated defensive preparation. NATO’s website says that it “works with national authorities to develop principles, criteria and mechanisms to ensure an appropriate level of cyberdefence” for state-level infrastructure.
“NATO conducts regular exercises, such as the annual Cyber Coalition Exercise, and aims to integrate cyberdefence elements and considerations into the entire range of Alliance exercises,” the page reads.
By asserting that its new cyberdefense policy could lead to allied military action, NATO’s leadership is hinting at Article 5 of the North Atlantic Treaty, which reads in part, “an armed attack against one or more [NATO members] in Europe or North America shall be considered an attack against them all.” This article, which forms the cornerstone of the alliance’s collective security agreement, has only been invoked once: in the aftermath of the September 11, 2001, terror attacks in the United States.
The past decade has seen several failures of NATO’s cyberdefense policy: In May 2007, for example, when hackers believed to be operating on behalf of the Russian government crippled the Estonian state, business community, and media with three weeks of cyberattacks.
NATO responded by sending cybersecurity experts to Tallinn, the Estonian capital, but it did not respond in any meaningful way. At the time, the Estonian defense minister, Jaak Aaviksoo, told the Guardian, “NATO does not define cyberattacks as a clear military action. This means that the provisions of Article 5 of the North Atlantic Treaty, or, in other words collective self-defence, will not automatically be extended to the attacked country.”
A year after the attacks, in May 2008, NATO established its Cooperative Cyber Defence Centre of Excellence in Tallinn.
In July 2008, cyberattacks devastated the servers of the Georgian government, which, along with the rest of the international community, blamed Russia. On August 7, 2008, armed hostilities broke out between Georgian and Russian forces in the contested regions of South Ossetia and Abkhazia. The New York Times, citing “Internet technical experts,” called this “the first time a known cyberattack had coincided with a shooting war.”
NATO members did not describe the exact conditions under which online aggression could precipitate a physical response to Russia, but Kenneth Geers, the U.S. representative to NATO’s cybersecurity institute in Tallinn, told Ars Technica that this vagueness was likely to enhance the policy’s deterrent effect.
“You actually create deterrence,” he said, “by putting a question in the mind of the attacker. Is what they are going to do going to offend you enough to lead to retaliation?”