Brussels (Brussels Morning) As NATO formalised its cyber defence policy during this week’s summit in Brussels, experts warn that the threat of cyber conflicts spilling over into the real world is becoming greater than ever.
Prior to the summit, the alliance maintained a somewhat ambiguous policy on the issue of cyber attacks with regard to activation of Article 5 of the Treaty, which requires all NATO members to come to the aid of another member if attacked by an outside power.
An informal position, as interpreted by the legal experts in NATO’s Cooperative Cyber Defence Centre of Excellence think-tank in Tallinn, was that the threshold for activating Article 5 in case of cyber attacks would be reached in a similar manner as for kinetic force attacks – if the attack were to result in significant material damage or loss of life.
This interpretation fell short of being definitive, given its very vague parameters. Furthermore, it is also compounded by the recurring problem of accurate and precise attribution of responsibility for cyber attacks. It remains very difficult to prove direct involvement of a state in cyber attacks if the state acts through ostensibly independent groups, posing as criminals or third-party actors.
Monday’s joint communiqué by NATO leaders made it clear that a serious enough cyber attack would trigger Article 5, while the alliance also adopted a new “Comprehensive Cyber Defence Policy” to better position itself against cyber threats in the future. Deutsche Welle reports that the best indication that the alliance is taking the new theatre of conflict seriously can be discerned from the fact that the term “cyber” was mentioned no less than 25 times in the communiqué.
Of increasing concern is the realisation that, as command and control systems of major militaries have gone largely digital in recent decades, a cyber assault on nuclear weapon infrastructure could possibly, albeit unlikely, lead to an unwanted nuclear strike or a nuclear exchange.
In its most recent “Nuclear Posture Review” publication, the US has already warned that it would retaliate with a nuclear attack if its nuclear weapons command and control structure comes under cyber attack. By stating as much, this highlights the danger of compromising such systems in a security theatre where many actors potentially would be interested in compromising the US nuclear infrastructure.
Even when omitting the danger of nuclear weapon control systems, plenty of other targets remain that could cause significant economic damage, or cause massive loss of lives. A recent, failed attack on a water treatment plant in the US threatened to poison the water supply of a local community’s residents.
An energy grid attack during a winter storm could easily jeopardise thousands of lives, as evidenced by the Texas energy grid going offline this winter, causing at least 176 deaths, extensive material damage, and significantly contributing to the global semiconductor shortage with the long-term shutdown of three fabs.
Such an attack would not be unprecedented, A case in point is the well-known instance of a cyber attack damaging key infrastructure in the Ukraine in 2015. The attack on the country’s grid was deemed most likely to have been the work of Russian state actors.
Some experts have emphasised that the Ukrainian attack was relatively easy to pull off, since the country’s grid used Soviet-era control systems that were well-known to Russian agencies. However, there is concern that future attacks could come not only from malignant state actors aiming to do specific harm, but also from state actors attempting to put the blame on a third party, seeking to provoke a conflict instead of doing actual damage.
In the current geopolitical climate, where major powers remain distrustful of each other and invest significant resources in their cyber capabilities, mistakes in attribution would be easy to make, but could have global consequences.