NATO plans to reform its mutual protection policy to include the increasing threat of cyber attack. But while protecting member nations from computer viruses is a huge task in itself, it is far from the only challenge.
The emergence of the Stuxnet computer virus, which some defense experts have already labelled the world’s “first cyber superweapon,” has raised the very real prospect of cyber warfare making the leap from science fiction to security fact.
The mysterious electronic worm allegedly hit computerized industrial equipment in Iran last month, causing the regime in Tehran to claim it was part of a deliberate attack launched by one or more of its enemies against the Islamic Republic’s controversial nuclear program. The implication from Tehran was that the United States and/or Israel were behind the launch of the virus.
Stuxnet, which targets control systems made by German industrial giant Siemens that are commonly used in utility and energy systems, has since been reported in China, where millions of computers around the country have become infected.
Stuxnet’s potentially global campaign once again highlights the vulnerability of computer systems and the potential financial and structural chaos a targeted virus can wreak.
In what was thought to be the first large-scale cyber attack on a sovereign state, Estonia was hit with a denial-of-service attack in 2007 whereby networks were flooded with useless information which eventually shut down government services and banks. While the attack came during a dispute with Russia over the removal of a Soviet-era war memorial in Tallinn, causing suspicion to fall on Moscow, the source of the virus was never discovered or proven. The attack was believed to have cost the Baltic state between 19 million and 28 million euros ($26m-$38m).
While the havoc created by the collapse of public and governmental infrastructure is worrying in itself, the application of viruses created to attack military systems is causing more concern.
NATO concerned by growing military applications of viruses
The threat of system-targeted viruses as a new weapon of war is being taken so seriously by NATO that it is considering adding cyber warfare to Article 5 of its charter which covers mutual protection of its members.
Should NATO agree to the inclusion of cyber attack in the article, the bloc would be honor-bound to respond to a cyber assault on any of its members – just as it would if a NATO nation was being conventionally attacked.
NATO, which experienced minor attacks by Serbian hackers during the Kosovo war in 1999, intends to discuss the increasing threat of cyber warfare at its summit in Lisbon next month.
“NATO will face a lot of problems if cyber attacks are inserted into Article 5,” Alex Neil, an expert at the Royal United Services Institute, a London-based security think-tank, told Deutsche Welle. “In terms of response, what we could see is a cooperative effort between members which have a cyber capability; some of which are more developed than others.”
“There has been a concerted effort by some nations to pursue covert offensive cyber capabilities and these could be harnessed by NATO as part of a joint response, although some nations may not want to show the level of their own capability, even to their allies.”
Protecting alliance members fraught with difficulties
While developing a new cyber strategy may make sense as the potential for attacks on defense systems grows, NATO faces significant implementation challenges if it decides to include cyber protection under Article 5, according to Derek Reveron, a cyber warfare expert at the US Naval War College in Rhode Island.
“It’s unclear how NATO might respond in a proportionate way,” Reveron told Deutsche Welle. “Most cyber attacks result in data theft or data loss. While dollar values are placed on data, there is clearly an important difference to an attack that produces human casualties or physical destruction.”
“Also, the potential for fratricide is great,” he added. “If NATO or an adversarial entity such as a country or a non-state actor launched a cyber attack, their own networks are vulnerable. Worms and viruses exploit vulnerabilities in commercially available software like Microsoft Windows. As the Stuxnet worm illustrates, infections cannot be contained.”
Identifying source of cyber attacks almost impossible
As the small number of publicly recognized attacks has shown, identifying the source of the virus is currently almost impossible – which is both a huge advantage to the attacker and a massive disadvantage to those looking to retaliate. Identifying a cyber enemy is as much a problem as the damage one can cause.
“Retaliation would be problematic because defining the source of the threat or attack is very difficult,” Alex Neil said. “You may be able to target a particular server but there are so many levels of deniability involved and often attacks come through proxy countries or through third parties. Citing Article 5 could only really be applied if the cyber attack comes as part of a broader, conventional attack.”
“In the cyber world, individual hackers tend to pose the greatest danger to cyber security, but governments now include cyber war in their planning and operations. But unlike a conventional attack, there are no national markings on a computer worm,” Derek Reveron said.
“Many countries, including Israel, Russia, China, and the United States, have dedicated cyber programs within their defense establishments. Largely focused on defending their own networks, these organizations are developing offensive capabilities. The greatest cyber capabilities lie in non-state actors and corporations though.”
Cyber attacks to be the opening salvos of future conflicts?
Security experts are predicting that while cyber attacks alone could cause systems to be severely compromised and disabled, the development of cyber warfare could lead to Stuxnet-type worms being released as the opening salvo in a conventional attack ahead of a traditional bombing campaign or land invasion.
“The most recent example of this was the cyber attack that accompanied Russia’s invasion of Georgia in 2008,” Reveron said. “As Russian tanks and aircraft were entering Georgian territory, cyber warriors attacked the Georgian Ministry of Defense. Though it had a minimal effect, the attack was a harbinger; future conflicts will have both a physical dimension and a virtual dimension.”
“In the worst scenario, a cyber attack would target industrial systems and attempt to control or destroy physical infrastructure. In the most likely scenario, cyber capabilities would be used to disrupt command and control of military forces and discredit governments through media manipulation.”
However, Alex Neil does not believe that all-out cyber war is imminent.
“The threat is a salient one but cyber warfare is not currently at the forefront of active operations,” Neil said. “What we’re dealing with at the moment is cyber espionage and sabotage rather than warfare, which suggests all-out conflict.”