The North Atlantic Treaty Organization contains the combined military might of 28 member countries, including Germany, the United Kingdom, and France. All three of those nations, and the United States, possess huge armies, nuclear weapons, and are committed to Article Five of NATO's charter:
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked.
Yet reading NATO's new draft general report on cybersecurity, one gets the impression that what the alliance worries about most these days is not an "armed attack," but a cyberattack on its network servers, or the infrastructure of any of its member countries.
"In this Information Age, the North Atlantic Alliance faces a dilemma of how to maintain cohesion in the environment where sharing information with Allies increases information security risks," NATO's Information and National Security survey observes, "but where withholding it undermines the relevance and capabilities of the Alliance."
And WikLeaks and Anonymous get top billing as visible threats to NATO's efforts to control its information perimeters.
"The time it takes to cross the Atlantic has shrunk to 30 milliseconds, compared with 30 minutes for ICBMs and several months going by boat," the report warns. "Meanwhile, a whole new family of actors are emerging on the international stage, such as virtual 'hactivist' groups. These could potentially lead to a new class of international conflicts between these groups and nation states, or even to conflicts between exclusively virtual entities."
The irony of 9/11
Authored by Lord Michael Jopling, Rapporteur for NATO, the study begins with an irony. Following the attacks of September 11, 2001 on New York City and Washington, DC, the United States government concluded that one of the reasons that the plot succeeded was because information about its perpetrators wasn't widely shared among US intelligence agencies, especially the Department of Defense, CIA, State Department, and Federal Bureau of Investigation.
And so the US opened up its data sharing practices. This made matter worse, Jopling appears to suggest. It "resulted in an exponential number of people obtaining access to classified information." Over 850,000 functionaries now enjoy some kind of "top-secret" security status, he claims. Many have access to the DoD's Secret Internet Protocol Router Network (SIPRNet), dispenser of embassy cables.
The study cites critics of SIPRNet who say that it lacks the ability to detect unauthorized access. "Thus, those in charge of the network design relied on those who had access to this sensitive data to protect it from abuse. These users were never scrutinized by any state agency responsible for the data-sharing system."
Jopling doesn't explicitly blame this openness policy for WikiLeaks phenomenon, but his narrative leads right into Private Bradley Manning, accused of providing documents for the outfit, prompting the group's famous publication of a continuous stream of State Department cables.
Not surprisingly, he thinks that this is bad:
The Rapporteur believes that even if one is in favour of transparency, military and intelligence operations simply cannot be planned and consulted with the public. Transparency cannot exist without control. The government, and especially its security agencies, must have the right to limit access to information in order to govern and to protect. This is based on the premise that states and corporations have the right to privacy as much as individuals do and that secrecy is required for efficient management of the state institutions and organizations.
Hacktivity
A big chunk of the assessment is devoted to the activities of Anonymous, most notably its denial-of-service attacks against PayPal, MasterCard, Visa, and Amazon.com for shutting down financial and server space services to WikiLeaks. Next comes the Anonymous assault on HBGary Federal, which had been planning some methods to take down WikiLeaks and expose Anonymous. It didn't turn out that way, of course. Instead, Anonymous penetrated the security company, erasing data, publishing e-mails, and wrecking its website.
The author seems confident, however, that the notorious group's days are numbered. "It remains to be seen how much time Anonymous has for pursuing such paths," Jopling writes. "The longer these attacks persist the more likely countermeasures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted."
But the larger question hovering over this document is what NATO should do if one of its over two-dozen member nations is cyberattacked. The US has lately been pondering this dilemma as well.
"Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," says a White House strategy report published in mid-May. "When warranted, the United States will respond to hostile acts in cyberspace as we would any other threat to our country."
This NATO draft seems to want to go in a similar direction—especially if something on the scale of a Stuxnet malware attack is deployed against a member nation. Designed to penetrate software for industrial equipment, researchers believe that it was originally intended for Iran's nuclear program.
"Some argue that Article 5 should not be applied with respect to cyberattacks because their effect so far has been limited to creating inconvenience rather than causing the loss of human lives and because it is hard to determine the attacker," Jopling notes. "However, The Rapporteur believes that the application of Article 5 should not be ruled out, given that new developments in cyber weapons such as Stuxnet might eventually cause damage comparable to that of a conventional military attack."
reader comments
152