NATO makes cybersecurity a priority

NATO makes cybersecurity a priority

NATO released a new Strategic Concept on Friday, which stated this about the internet:

12. Cyber attacks are becoming more frequent, more organised and more costlyin the damage that they inflict on government administrations, businesses,
economies and potentially also transportation and supply networks and other
critical infrastructure; they can reach a threshold that threatens national and
Euro-Atlantic prosperity, security and stability. Foreign militaries and
intelligence services, organised criminals, terrorist and/or extremist groups
can each be the source of such attacks.

By doing so, NATO is only the latest in a series of organizations to claim cybersecurity as a military function. The United States Air Force has already established a cyber command (and accompanying badge) so that it may "effectively establish, control, and leverage cyberspace capabilities." Not to be outdone, the superintendent of the US Naval Academy has said that he wants "his campus to become a center for cybersecurity education."

How did the internet become a military concern? The answer, surprisingly enough, can be learned from recent events in Iran and Estonia.

In September, the Iranian nuclear program was attacked by a virus with the aim of "disabling both Iranian centrifuges used to enrich uranium and steam turbines." Thanks to the ubiquity of the Siemens-produced equipment that was targeted, such an attack could render vulnerable any number of industrial machinery, which means that cross-border sabotage (or terrorism) could be carried out remotely and anonymously. Unsurprisingly, this is a vulnerability no state wants. But how does one appropriately respond to such an attack?

Estonia knows best. In 2007, the nation was hit heavily by a series of denial of service attacks, and the internets' reaction was apocalyptic. The country survived largely unscathed, but it took a concerted effort and time to stop more damage being done, and then make the systems safe again. Denial-of-service is a crude form of attack, especially when compared to sophisticated viruses like stuxnet, but they share both the anonymity of aggressor and arena of conflict, which is a not-insignificant overlap. The vulnerabilities they target suggest a need for governmental, some would even say military, response, but the skills needed to combat them are not those used in other military arenas. Which makes this the least-defined area of combat so far.

Speaking on cyber security, the Estonian minister of defense, Jaak Aviksoo, laid out the fundamental questions that need to be answered in treating this as war. "There are no smoking guns, no fingerprints in virtual reality. What is a cyber-dead or cyber-wounded? What is a cyber war? Has somebody to declare that? To what extent you can altogether formally verify who is attacking who."

It remains to be seen if NATO's entry into the field of cybersecurity will lead to more fixed definitions.

--Kelsey Atherton