In southern Estonia, Maryland Guard cyber warfare operators from the 175th Wing’s Cyber Operations Group support Exercise Hedgehog on May 7, 2018. U.S. National Guard Photo by Maj. Kurt Rauschenberg

In Cyberspace, Governments Don’t Know How to Count

NATO’s governments can’t agree on what constitutes a cyber attack, and that’s a big problem.

Estonia’s new ambassador-at-large for cyber security, Heli Tiirmaa-Klaar, recently explained to the Wall Street Journal that “compared to many other security fields, in cyber we have reached maybe 10 percent of total readiness to understand the threats, to respond to threats and also to prevent the threat or maybe deter the threat. We have lots of room for development.” She’s right; just look at the most basic of metrics: How do governments count cyber attacks? How do they classify them?

The problems — imprecision of language, and a lack of policy — can be seen in a trio of official quotes from a single month last year. On Jan. 7, French Defense Minister Jean-Yves Le Drian warned that 2016 had seen 24,000 cyberattacks against French defense targets, and that the attacks were doubling every year. On Jan. 8, the Financial Times reported, based on an interview with EU security commissioner Sir Julian King, that “there were 110 separate attempts to hack the European Commission’s servers in 2016, a 20 percent rise on the year before.” And on Jan. 19, NATO Secretary General Jens Stoltenberg told Die Welt that “there was a monthly average of 500 threatening cyber attacks last year against NATO infrastructure that required intensive intervention from our experts. That’s an increase of 60 percent compared to 2015.”

Clearly, the figures were all over the place. But why? Did all three officials count cyberattacks differently? And if so, what standards and metrics did they apply?

So in October, I emailed their institutions to ask what incidents were included in their numbers (pings, port scans, phishing emails, malware infections, DDoS, etc.) and whether their standards and metrics were public. The French MoD never got back to me. The NATO press office said it could not process my question, because the alliance does “not comment on the nature of attacks or the methodology that [NATO] use[s] to qualify some incidents as attacks.” The European Commission’s IT Security Directorate politely explained that “we report internally on these figures but we do not publish this detailed information.”

But without published standards and discernible metrics, such warnings are of no real value to the public. We simply do not know whether 6,000 annual attacks against NATO’s infrastructure is a lot or whether any of the 24,000 attacks against the French MoD were serious. All we know is that something was counted by someone somehow to somewhat explain the threat environment.

To widen my inquiry, I also got in touch with the Dutch National Cybersecurity Center and Estonia’s Information System Authority, or RIA. The Dutch center coordinates the government response to cyber crises in the Netherlands and also serves as the Dutch central government’s Computer Emergency Response Team. Similarly, RIA coordinates the development and administration of Estonia’s information system and handles security incidents that have occurred in Estonian computer networks. Both adhere to certain baseline standards and metrics to count and categorize cyber incidents that are reported to them, and summarize their findings in annual reports.

But when I asked these organizations whether their respective governments had a single set of reporting standards and metrics, they said no. Officials with the Netherlands center emailed to say that “there is no single definition which applies to all Dutch ministries on what constitutes a cyber attack or critical incident” and that “Ministries are responsible for their own incident registration, including definitions and escalation procedures.”

RIA responded similarly — “there is no formal, universally applicable classification criteria for cyberattack/incident in Estonia that would apply across all government agencies or private sector parties” — but also noted that the government’s computer emergency response team has “an internally defined classification that allows for a reasonable level of consistency.” This is borne out, somewhat, on the quantitative side by RIA’s 2017 Cyber Security Assessment, which indicates that the CERT team handled 9,135 incidents in 2016, of which 1,687 related to government institutions.

In contrast, the 2017 Cyber Security Assessment Netherlands reported a mere 623 incidents, of which 254 occurred under the more general category of “public organizations.” However, the key difference between the annual reports is that Estonia’s notes whether incidents were low priority, medium, high, or critical, while the Netherlands’ does not.

The next question: does a “critical cyber incident” constitute a “cyberattack”? The Tallinn Manual, a collection of expert analyses on international cyber law, offers the widely accepted definition that a cyberattack is “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” And according to the RIA report, “There were no critical cyber incidents that would have posed a threat to people’s life or health in 2016.” While this might seem like a clear-cut case for equating the terms, there is a caveat. The Estonian report says there were also “348 high-priority incidents that affected the functioning of a service or website considered important for the state,” including “interruptions or attacks against vital service providers’ information systems.” From a government perspective, those 348 incidents are attacks that have to be resolved in a matter of minutes to contain their destructive effects. Based on that report, then, Estonia’s president could have told the public that the government had faced 9,135, 348, or zero cyberattacks in 2016.

So why is this a serious problem that needs fixing?

The first major concern is that when government officials, such as the NATO Secretary General or the French Minister of Defense, are presenting cyberattack figures, they are bound to significantly over- or under-report the occurrence of relevant cyber incidents. Clearly, the French MoD did not experience 24,000 critical cyber incidents in 2016, nor can we simply assume that any of the 500 critical cyberattacks against NATO were expected to cause injury or death to persons or damage or destruction to objects.

Imprecision therefore severely hinders the public’s ability to understand the threat environment. As a writer for Forbes asked in 2010: “Just how big is the cyber threat to the [US] Department of Defense?” The article cites the then-leaders of U.S. Cyber Command as drawing a line between probes and scans, while then-Deputy Defense Secretary William J. Lynn III called them all attacks. “What's a probe? What's a scan? How do they differ?... How serious is each type of incident? How many of each type of event are we seeing on a daily basis?”

Imprecision also hinders cyberdefense efforts within governments and between militaries. If NATO and EU member states lack common standards and metrics for reporting and categorizing cyber incidents, then statistics on national threat landscapes are destined to be both incomplete and non-comparable.

And third, imprecision blurs the rules of engagement for responding to a cyberattack. Just because Estonia categorizes an incident as critical – which might prompt Tallinn to invoke NATO’s Article 5 – hardly means the other 28 allies will evaluate the incident in the same way. We have already seen this playing out during the DDoS attacks against Estonia in 2007. Essentially, policy analysts divided into two sides: Those who believed that the attacks were the beginning of war, and those who argued that such attacks were already commonplace.

The bottom line is this: While NATO member states are embroiled in discussing cyber deterrence frameworks, offensive operations, and creating norms and rules for state behavior in cyberspace, they have still not reached consensus on how to actually count and categorize cyber incidents across the alliance. And two things are for certain even in cyberspace: The alliance cannot manage what it does not measure, and it has to understand what it is trying to solve.
