NATO unites to thwart cyber threats

Since the signing of the North Atlantic Treaty in 1949, the heart of NATO has been found in Article V, which states that an attack on one member of the alliance shall be considered an attack on all.

Article VI of the treaty goes on to define what an attack is and outlines attacks on territories, ships and aircraft, and troop formations. However, there is no guidance on what constitutes an attack in the cyber world. With serious cyber intrusions in 2007 and 2008 in Estonia, Latvia and Lithuania — all three of which are now NATO members — the alliance must seriously discuss cyberattacks in the context of articles V and VI.

“In this unsettled sea in which we sail, I believe it is more likely that an attack will come not off the bomb rack of an aircraft but as electrons moving down a fiber-optic cable,” Adm. James Stavridis, NATO's supreme allied commander Europe and the U.S. European Command's commander, said in February at the AFCEA West 2010 conference in San Diego. “The attacks against the Baltic republics illustrated one problem in understanding this cyber world, which that it is very, very difficult to attribute these attacks for all the obvious reasons.”

“This is a very real and germane part of this challenge that we face in the cyber world," Stavridis said. "I believe we’re going to see more of this, and we have to understand and define what constitutes an attack in the cyber world.”

Cyber in the context of articles V and VI is not a multiplicative function, Stavridis said. It is not 28 times more complicated, counting the number of member nations in the NATO alliance. Rather its complexity is raised by a factor of 28, or to the 28th power.

As a result, Stavridis said NATO members must address their cyber issues by launching ideas and technologies, not tomahawk missiles.

“There is tension in the world of cyber between the desire for openness and the very legitimate policy concerns to protect our networks,” Stavridis said. “All of us in the uniformed services today are wrestling with this. In other words, we want to be on Facebook, we want to be on Twitter, but on the other hand, we want to protect our networks. So finding that balance, dialing it in, is critically important.”

The balance of open, strategic social connections and network protection must exist at three levels: between national governments and militaries, among agencies within countries, and between private-sector companies and governments.

On the international side, NATO has taken a first step by setting up the Cooperative Cyber Defense Center of Excellence, based in Estonia. On the interagency side, Stavridis put the Homeland Security Department at the top of the list.

“We need to understand inside the uniformed military that we are not the drivers in this,” he said. “We are merely part of the team, and we are there in many ways to support other interagency actors. We need to understand cybersecurity in the larger interagency context and build a joint interagency task force.”

One model for an interagency architecture is the U.S. Computer Emergency Readiness Team. As part of DHS, U.S. CERT defends against cyberattacks that target federal government networks. It interacts directly with federal agencies, bringing them together with state and local organizations, research institutions and industry.