NATO, we hear, is updating its cyber defence policy. A very serious cyber attack, some people in the Atlantic Alliance seem to suggest, should be treated like an invasion. “For the first time we state explicitly that the cyber realm is covered by Article 5 of the Washington Treaty, the collective defence clause,” Jamie Shea told ZDNet. He’s NATO’s deputy assistant secretary general for emerging security challenges.
The goal? “It’s certainly meant as a deterrent,” Shea said, “It’s not meant to be escalatory.” Defence ministers apparently already agreed on a formula. NATO is set to endorse the changes in Wales in September.
But will it work? — Probably not, I’m afraid.
We haven’t seen the document yet. But the new policy is likely to produce exactly the opposite of the intended effect: it may contribute more to escalation than to deterrence. For at least four reasons.
First, deterrence needs to be backed up by a clear and credible threat of punishment. So far, NATO is doing the reverse: “We don’t say in exactly which circumstances or what the threshold of the attack has to be to trigger a collective NATO response,” Shea said, “and we don’t say what that collective NATO response should be.” Right. If you don’t know what that means, you’re not alone. Potential aggressors also will have no idea. And that means they will probably test out, inch by inch, where the red line actually is, again and again.
Second, deterrence needs to be practiced, not just announced. Cold War-style deterrence is out, criminal deterrence is in — I mean that as a conceptual guide. Deterring criminal offenses means the deterring party needs to use force regularly and predictably in order to enforce the law and keep the authority of the law intact. That means that the use of force isn’t a breakdown of deterrence (think H-Bomb) but necessary to maintain deterrence (think arresting armed robbers). You have to practice what you preach, reliably and regularly. That’s how we deter crime. It’s also how Israel has learned to deter political violence. Deterring cyber attacks is more like deterring crime, not nuclear war. Does NATO have the capabilities — and the will — to draw such a line through practice against cyber attacks? That leads to another point.
The vast majority of all cyber attacks are forms of espionage — commercial or state-on-state — or they are forms of criminal behaviour. And here’s the problem. NATO isn’t in the business of SIGINT and counter-intelligence and it isn’t in the business of crime prevention and law enforcement. Sabotage is very rare, so far. We have only seen one single externally induced act of sabotage-by-cyber attack against industrial control systems that actually had a kinetic effect: Stuxnet. And this remarkable operation, ironically, was executed partly by a NATO member country. All others either didn’t have a kinetic effect or they were insider attacks. So what exactly is NATO trying to deter? A type of attack that hasn’t happened before? Oh, right, they didn’t want to answer that question.
Finally: NATO encourages probing for preparation of attacks. The new policy may not deter very well, but it certainly is sending a message in the subtext: we’re really scared, and this stuff is serious. If you see yourself as a major contender against us, NATO seems to be saying, you better invest in some hard-hitting cyber capabilities. Just this morning news of Dragonfly broke, an attack of unclear origin that seems to probe critical infrastructure in new and worrying ways to prepare capabilities for some later use. Counterintuitively, NATO’s new policy could encourage more such behaviour — especially when coupled with a still offensive mindset on cyber security in Washington.
So NATO seems to be escalating, not deterring.
Deterrence, even during the Cold War, wasn’t as easy as many a veteran seems to remember. The view that deterrence prevented nuclear war is highly controversial. Chatham House recently reminded those with a sense of history that luck played a distressingly big role in keeping the Cold War cold.
The new policy, staff at SHAPE explained, is meant as “a signal that NATO is not defending itself only in 20th century terms.” On closer examination, sadly, it very much seems to be a signal that NATO is thinking about defence in 20th century terms.