Gavin E L Hall Blog - Insights into my Mind

September 2014

NATO Cyber-Defence Policy 2014

Day One of the NATO Wales Summit is nearing an end. A good deal of the media coverage has focused on Ukraine, Afghanistan and IS. However, NATO has also revised its Cyber Defence Policy and, in so doing, cleared up questions of Article 5 ambiguity.

Whilst there is a clear statement that a cyber attack could be covered by Article 5, the all-important question of what constitutes an ‘attack’ and what capabilities can be provided is dodged. NATO maintains the position that providing too much clarity on the threshold of violence for an ‘attack’ would encourage lower-level attacks (cyber-disruption) and could actually reduce the deterrent effect of the policy.

What are NATO’s obligations in the face of a cyber-attack on a member country? This clear question remains unanswered. The Estonian cyber-incident of 2007 (some would call it a cyber-attack) was not considered serious enough to warrant Article 5 support, even though it was requested by the member government. The NATO CCD COE, based in Tallinn, has sought to add clarity to the debate, and establish international norms, by publishing the Tallinn Manual. They clearly set the bar for a cyber-attack as ‘a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects’. A kinetic effect must take place for the threshold of violence to be breached. Has NATO officially adopted this position now? The answer is maybe. If so, then no cyber-incident that has taken place meets these criteria, so any Article 5 protection would not cover the historic incidents of cyber-attacks that have been seen, or those likely to be seen in the near future.

Therefore, does NATO’s affirmation of Article 5 for cyber-defence have any real meaning unless the threshold for implementation is clearly established?