The Democratic National Committee (DNC) gets hacked, WikiLeaks dumps emails, and Netflix and Twitter freeze throughout the North East United States. With such a precedent, by the time the United States’ presidential election day came many worried that a hack of vote registering and tallying infrastructure was next. Most recently, both German Chancellor Angela Merkel and French President Francois Hollande expressed concern that similar hacks could happen in Germany and France, respectively. Russian hacking is now the topic of the day, but it’s not only Russia that hacks, and as cyberattacks move from not only disrupting our elections but also our day-to-day lives, they have fueled a public debate on how to respond, and especially how to respond when the attack comes from another state. Strangely enough, the US and many other NATO members have no public standard for what constitutes a cyberattack in peacetime. As a result, state and non-state actors probe to find our sweet spot: maximum damage with minimal risk of retaliation.
There’s more to be done to solve this problem than one might think. NATO governments must start by defining what specific actions constitute a cyberattack that requires a certain type of response, and making it clear to foreign powers that if they cross our red line, NATO will respond. There should be no grey area.
It’s already a well-worn fact that the Obama administration and American intelligence community blamed Russia for the DNC hack and email release through Wikileaks. The Director of National Intelligence went as far as to name Russian President Vladimir Putin personally as the one who ordered the hacks. And although he has continually skirted responsibility for a hack that most believe was at least enabled by his government, Putin has made his overall position clear: the US is in a state of decay, and these “anonymous” hackers are doing a public service by revealing this truth. Putin has even denied the importance of determining “whodunit” in this case, emphasizing that “The important thing is the content given to the public.” Really? As former Ambassador to Russia Michael McFaul retorted: if you’re given a stolen car, you don’t only care about how it runs. You care just as much about who took it. That same concept applies to hacked data, too.
Of course the content of the leaked emails did not go unnoticed: it ended careers, fueled conspiracies, and contributed to heightened feelings of mistrust across the spectrum of the American electorate. Yet, as much as Mr. Putin may wish otherwise, the question of “who did it” remains fundamental to the discussion of this hack.
Attribution of responsibility is important in the cycle of cyber deterrence because it enables us to identify and threaten the culprit. Traditional deterrence is relatively straightforward, since the threat is attributable and tangible. If my opponent has significant arms, soldiers, or weapons, I’ll think twice before resorting to military conflict. I know if I cross my opponent’s red line, they will retaliate. Cyber deterrence is intrinsically different: even if my opponent has significant cyber capability, that capability doesn’t stop me from attacking or probing for weaknesses. Unlike traditional deterrence, there is no trip-wire – no obvious border to cross. I can’t see your cyber abilities like I can see your tanks, and there is no clear border between states in cyberspace. If a state were to bomb DNC headquarters, the US would certainly retaliate in force. But when Russia hacked the DNC, released the hacks’ contents to the public and arguably altered the course of the election, the US fumbled for a response, failing to name Moscow publicly for weeks. On the other hand, when North Korea hacked Sony, the US government reportedly shut down North Korea’s internet for a day. Each attack is different, but cyberattack responses must be made consistent in order to be made credible.
What’s the standard for retaliation? US government officials have said in the past that different types of attacks require different responses. That’s fair, but if our officials themselves have a hard time predicting US government responses, how can we expect foreign governments to anticipate them? And more importantly, how can we expect foreign governments to think twice to avoid such responses, if there’s no rhyme or reason to what they might be?
Our challenge is not simply one of strategy. Rather, it goes much deeper. We have a failure of language. We have not yet delineated the differences between an act of cyber war and an act of espionage. What is a cyber-attack, and what is not? This is not simply semantics. Words have meaning; cyber, however, has become a Velcro prefix, attached to anything and everything and repackaged as a shiny new internet fad. This tendency has left us with a myriad of terms, but a dearth of utility.
Now, more than ever, NATO states must surmount this definitional hurdle and create a unified, public cyber deterrence strategy. But first, we must define what constitutes a cyberattack. Does a hack of a private enterprise count as an attack? A hack of a government agency? Or does the consequence need to be something more sinister, like causing a malfunction in the power grid in order to shut down electricity to millions of homes, or adjusting vote tallies at polling stations in order to alter the results of national, state, or local elections? We need clearer benchmarks.
Second we should express clearly that if another state conducts a cyberattack then NATO will respond in force. The standard for a cyberattack must be made public. Classic deterrence works because a red-line is drawn that a state knows it can’t cross without facing some form of retaliation. Article 5 of the NATO treaty specified that an attack on one NATO member was an attack on all. That article continues to safeguard NATO member states from the bulk of state-sponsored attacks and has done so for the past 60+ years. Just as we have shown other states to be careful when probing NATO borders, we must show them to be careful when probing the NATO cyber frontier.
Many public officials shy away from unveiling a public cyber strategy because they fear revealing cyber capabilities. That’s a real concern. However, there is no need to indicate exactly how NATO will respond to a cyberattack. Rather, we must simply show clearly that, under stipulated conditions, NATO will respond, and respond forcefully. NATO states could utilize cyber retaliation, economic tools, military action, or anything else – the exact method would be determined case by case. A red-line doesn’t give away capabilities; it serves as a warning, a deterrent. Having developed an effective warning system, we can take further steps to determine norms of behavior surrounding responses. But first of all, we must develop an effective warning system.
For all our strength and ability to project force across the globe, NATO appears weak when defending cyber infrastructure from state-sponsored attacks. Foreign-state-hackers have grown bolder, pushing the envelope to see what we will and won’t tolerate in cyberspace. They shouldn’t have to probe. We must clearly communicate what constitutes a cyberattack, and demonstrate to our friends and foes where the threshold for retaliation lies.
The opinions articulated above represent the views of the author(s), and do not necessarily reflect the position of the European Leadership Network or any of its members. The ELN’s aim is to encourage debates that will help develop Europe’s capacity to address the pressing foreign, defence, and security challenges of our time.