This post was originally published here by david appelbaum.
Here’s something a little scary to think about: NATO’s Secretary General, Jens Stoltenberg, said last month that a massive cyber attack could trigger Article 5 of the organization’s treaty. For those of you blissfully unaware of the ins and outs of international treaties, this is actually a much bigger deal than it sounds.
Let’s briefly discuss Article 5. There are 14 articles in the North Atlantic Treaty and #5 covers the collective defense of all NATO members. You can read a nice summary on NATO’s remarkably accessible website or you can read an even more summarized summary right here:
An attack on one is an attack on all. If one member of NATO is attacked, then all members of the treaty must come to that member’s defense.
There are some caveats: the North Atlantic Treaty is true to its name and does not extend to signee territory that lies south of the Tropic of Cancer, a circle of latitude that cuts through North Africa and runs just south of Florida. That’s why an attack on the United Kingdom’s Falkland Islands during its dispute with Argentina over those same islands was not an attack on all. Heck, Hawaii isn’t even covered by NATO since it’s also south of the Tropic of Cancer. And I’m not even making that up.
Article 5 is so rarely triggered that from the day the North Atlantic Treaty was signed on April 4th, 1949 until to today it has only been invoked once, and that was in response to the September 11th attacks on the United States. That’s pretty remarkable, right? In spite of the threats that hung over the world during the Cold War, the US, Canada, and Western Europe never invoked the treaty’s collective defense provision.
The scary part is not that NATO has decided that a cyber attack can be seen as an act of war but that it could trigger article 5. While anyone in Infosec knows just how much damage can be done through a cyber attack – since almost everything is now run by software. What remains unclear however, is just how crippling an attack would have to be to lead to a NATO response.
Given the serious concerns that Russia meddled in the 2016 US election the issue has far greater resonance now than it did a year ago. South Carolina alone saw 150,000 attempts to hack into their election infrastructure ahead of the November election. If Russia was directly attempting to sabotage the US election system in 2016, it seems pretty likely that they’ll try to do it again in 2018, 2020, and beyond, or that they’ll expand their ambitions beyond the US. Could Article 5 be invoked over an election related attack?
Our current President unwittingly highlighted the critical problem with all of this during the election last fall.
“I don’t think anybody knows it was Russia that broke into the DNC,” Trump said. “She keeps saying ‘Russia, Russia, Russia,’ and maybe it was. It could be Russia but it could be China, could also be lots of other people. It could be someone sitting on their bed that weighs 400 pounds.”
This quote isn’t necessarily as dumb as it initially sounds. It’s easy enough to discover where an attack is coming from (it’s clear that Russia was trying to interfere in the election, even if their motives for doing so aren’t) but it’s not that easy to determine who is sponsoring it. No government is likely to launch attacks from their own military installations. They’ll go through third parties, even third parties whose locations may not always correspond all that closely to the government on whose behalf they’re acting. That gives them plausible deniability, in a way that, say, launching a missile does not.
If a major attack caused serious damage to New England’s electrical grid and the attackers were tracked to Kazakhstan, how does NATO ultimately say with a 100% certainty that a state actor is responsible? Only time will tell. For now, NATO has said that an invocation of Article 5 in this context will only lead to defensive measures, so perhaps we’d simply see NATO nations sharing resources and information in the defense of one another. But this is just one more sign that we’re moving ever closer to the day that war is declared not because of a physical invasion, but because of a virtual one. It used to be that an invasion could only be mounted through land, sea, or air. Now it can be mounted on a USB stick.
Photo:GDK Network Systems
