It should come as no surprise that the North Atlantic Treaty Organization (NATO) finds itself in a bit of a legal and procedural dilemma regarding response efforts and capabilities to the Russian invasion of Ukraine. And while Ukraine is not a NATO member, it is known that Russia is conducting cyberattacks against NATO members to disrupt their efforts to support Ukraine.1
In today’s cyberfight, some countries are manipulating the gray zone (GZ),2 or blurring the lines between what are considered acts of war within the cyber domain. These activities, coupled with proxy use, have hindered the ability to overtly respond to the majority of cyberattacks on US interests and increased the ability of some countries to maintain a pragmatic advantage within cyberspace operations. While the US stance has largely been a defensive one from a strategy and concept perspective,3 greater clarity is needed in terms of what response options, procedures and legal framework should be used to address the competitive advantage of GZ manipulation.
I use the GZ in place of strategic-level cyberoperations because the GZ encompasses attacks on nonmilitary targets or targets traditionally considered off-limits based on the law of armed conflict (LOAC). This level within the cyber domain is primarily where there are limitations or restrictions on possible response options to cyberactivities based on the legal and doctrinal concepts of traditional military domains. The cost of GZ attacks on private entities and organizations makes them more enticing for adversaries to use to force the opponent to concede or negotiate.
The current threat landscape is large and rapidly changing, but recently there has been more focus on strategic competition with peer adversaries, which involves manipulation of the GZ.4 While private sector attacks remain focused on financial gains for attackers, military and government targets are being hit with exploitation and information extraction tactics related to intellectual property for technology advancements to avoid a full-scale kinetic military response.
Russia began to utilize the GZ in preparation for its invasion of Georgia in 2008.5 Since then, the Russian government has expanded its capabilities and utilized targeted GZ attacks against nations that do not support pro-Russian objectives, particularly any nations attempting to join NATO.
The following are several examples of how Russia has targeted the GZ to impact other nations:
- The May 2014 targeting of Ukrainian electric distributor Prykarpattyaoblenergo and all rail transportation operators
- The August 2014 attacks on Ukrainian state archives and regional government offices
- The December 2015 and 2016 Ukrainian power grid attacks focused on 3 electricity distributors, which effectively shut down power to over 200,000 residents for several hours
- The 2016 US Democratic National Committee (DNC) attacks utilizing compromised account credentials to remotely access the files and records of the DNC6
To combat attacks such as these and provide greater security of the GZ, several initiatives should be implemented:
- Clarify the LOAC regarding civilian data, equating it to the private sector’s critical infrastructure
- Formalize the parameters of the Article 5 clause of NATO related to cyberattacks, as this will help prevent situations such as in Ukraine in 2015
- Build the relationship between private and public sector entities to allow for collaboration regarding cyberactivities and preventing cyberattacks
Clarifying the LOAC
Data from private sector organizations involved in all aspects of the economy are targeted and attacked relentlessly by adversaries in cyberspace. The theft of intellectual property and money and the destruction of systems cost the United States and its allies billions each year, but they are currently limited in their ability to respond to these attacks from a military perspective because private entity systems are not considered part of the LOAC related to utilization of military capabilities.7 There has been an ongoing argument for several years that private data are critical and should be considered a critical asset. We as security professionals protect private data the most in our organizations. Private data cannot be considered infrastructure because they do not meet the definition, but there must be a different consideration for critical assets that are being stolen and compromised as these data are valuable to national security, technology advancement and maintaining competitive advantages.8
Formalizing NATO Article 5
The Tallinn Manual provides some foundational work to formalize what constitutes invocation of Article 5 as it relates to cyberattacks on member nations.9 Recent discussions about the topic have shifted toward activities that fall below the threshold of member response, but it is much more complex in cyberspace than in other domains.10 Right now, each member state has its own interpretation of the threshold of an attack, which must be considered and agreed upon by the membership to begin formalizing procedures in cyberspace. From a maturity perspective, I do not see NATO as mature enough in cybercoordination to solve the issue, but recommend continued collaboration, exercises and information sharing while determining the thresholds from the strategic view.
Building Trust
Retired US Army General Keith Alexander discussed some of these ideas after leaving his position with the US Cyber Command. There continues to be a lack of adequate network capabilities necessary for the US government and private sector to collaborate at the appropriate levels to defend the United States today.11 Much like in the space domain, partnerships with the private sector must be enhanced to advance capabilities and provide for mutual defense of critical infrastructure. There has been significant progress in collaborative sharing of threat information and public/private exercise participation, but the technology integration piece remains largely siloed.12
GZ utilization by Russia and others is a pressing cyberspace concern in several aspects related to policy, law and strategy. If members of NATO want to progress with a defend-forward strategy, they must address these issues to provide greater flexibility in responding to attacks and greater options to increase the deterrence of adversaries operating within the GZ. By addressing these policy gaps, NATO members will gain a clear understanding, as they have in the conventional warfare space, of what equates to an Article 5 response and what constitutes a different response level. The classification of private data as critical assets to national security that are worth protecting to a greater extent will allow for more response options and greater support to nongovernmental organizations targeted and impacted by GZ tactics. It will also provide less incentive for adversaries to consider before actions are taken. Building trust among the private sector and government is a challenge and always has been, but with the right mix of industry and government personnel who have a mutual understanding of where security posture needs to go in the future, this goal is achievable and must be made a priority.
Endnotes
1 Zakrzewski, C.; J. Menn; “In the Wake of the Ukraine Invasion, Russia’s Cyberattacks Could Go Global,” The Washington Post, 24 February 2022
2 Center for Strategic and International Studies, “Gray Zone Project”
3 Harknett, R.; J. P. Callaghan; R. Kauffman; “Leaving Deterrence Behind: War-Fighting and National Cybersecurity,” Journal of Homeland Security and Emergency Management, vol. 7, 2010
4 Nakasone, P. M.; “Statement of General Paul M. Nakasone Commander United States Cyber Command Before the Senate Committee on Armed Services,” United States Senate Committee on Armed Services, USA, 14 February 2019
5 Dodman, B.; “Moldova, Then Georgia, Now Ukraine: How Russia Built ‘Bridgeheads Into Post-Soviet Space,’” France24, 22 February 2022
6 Shackelford, S. J.; M. Sulmeyer; A. N. Craig Deckard; B. Buchanan; B. Micic; “From Russia With Love: Understanding the Russian Cyber Threat to US Critical Infrastructure and What to Do About It,” Nebraska Law Review, vol. 96, iss. 2, 2017
7 Graboritz, B.; J. Morford; K. Truax; “Why the Law of Armed Conflict (LOAC) Must be Expanded to Cover Vital Civilian Data,” The Cyber Defense Review, vol. 5, 2020
8 Boyd, A.; “Is Data the New Critical Infrastructure?,” Navy Times, 16 November 2016
9 The NATO Cooperative Cyber Defence Centre of Excellence, The Tallinn Manual, Cambridge University Press, 2017
10 Pomerleau, M.; “When Do Cyberattacks Deserve a Response From NATO?,” Fifth Domain, 3 December 2019
11 Alexander, K. B.; J. N. Jaffer; J. S. Brunet; “Clear Thinking About Protecting the Nation in the Cyber Domain,” The Cyber Defense Review, 2017
12 Ibid.
Donnie Carpenter, CISM, ITIL v4, is an information security leader with more than a decade of experience across multiple security disciplines spanning security operations, threat intelligence and risk management. He has led information security teams in operations, network defense and risk assessment and has a passion for talent development.