NATO has made it clear a sufficiently serious cyberattack can be treated as a physical one, and trigger a response as such. That means not even nuclear war is off the table, and an international treaty is urgently needed.
A recent statement by NATO Secretary General Jens Stoltenberg drives home the chilling reality that cyberattacks, proven or alleged, have the potential to lead to a nuclear conflict that would make even the worst cyberattack pale in comparison. During a visit to the US, Stoltenberg said NATO had “decided that a cyberattack can trigger Article 5…[i]t doesn’t matter if an attack is kinetic or cyber, we will assess as allies when it meets the threshold … and it sends a message that we are cyber-allies.”
Stoltenberg had already written an article in August 2019 in which he declared that NATO, in “adapting to this new reality” (i.e. cyberattacks), was embracing a policy whereby “a serious cyberattack could trigger Article 5 of our founding treaty” – the collective defense clause in the NATO Charter that states that an attack against one ally is treated as an attack against all. “We have designated cyberspace a domain in which NATO will operate and defend itself as effectively as it does in the air, on land, and at sea,” Stoltenberg wrote.
The problematics of that statement aside, Stoltenberg and NATO were taking steps to equate a cyberattack with armed aggression. This dangerous escalation cannot simply be pushed aside and ignored as hyperbole. In February 2018, the Trump administration published its Nuclear Posture Review document, which allowed for the use of nuclear weapons to respond to devastating non-nuclear attacks on American infrastructure, including crippling cyberattacks of the kind envisioned by the United States when targeting Russia and other nations, such as Iran. Given there is a record of US cyber weapons being re-purposed for use against US targets, it is not inconceivable that the US could be hit by a devastating cyberattack using its own US-made cyber weapons, and that this attack could prompt an American nuclear response.
There has never been a greater need or urgency than now for a cybersecurity treaty or agreement between the US and Russia. The White House has said that President Biden plans on making alleged Russian cyber activity a topic during his upcoming meeting with President Putin. Washington is accusing Russia of harboring the perpetrators of a recent spate of ransomware attacks – either instigating them directly, or failing to crack down on the criminal groups.
For his part, President Putin is expected to respond to any discussion of cyberattacks with a list of grievances of his own, along with a proposed solution in the form of a four-point “comprehensive program of practical measures to reboot our relations in the field of security in the use of information and communication technologies” that Putin first raised this past September.
For over a decade now, Russia has been pushing for a cyber treaty based on the model of the Chemical Weapons Convention (CWC). In a 2009 speech, Vladislav Sherstyuk, a deputy secretary of the Russian Security Council, set forth Russia’s baseline conditions for such a treaty – namely, the banning of any country secretly embedding malicious codes or circuitry that could be remotely activated during time of war.
Russia’s worries were far from theoretical – classified documents released by whistleblower Edward Snowden show that, as of June 2010, the National Security Agency’s Tailored Access Operations (TAO) unit, responsible for offensive cyber operations, would intercept “shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world,” which would then be diverted to a secret location where they would install “beacon implants directly into our targets’ electronic devices.” Photographs contained in the documents showed NSA employees opening the shipping box for a Cisco router and installing beacon firmware.
Cisco was a major supplier of high-tech internet equipment at the time, providing sophisticated internet switches similar to those modified by the NSA to Russian customers, allegedly including the Federal Security Service and Ministry of Defense.
The activities of the NSA’s TAO appear to be part of a comprehensive offensive cyber program initiated under President Obama that targeted Russia in two ways: first, by implementing operations that were designed not to cause significant damage and intended to be detected, thereby sending a signal about the potential reach of US cyber capabilities. The second cyber pathway was more ambitious, involving the employment of the kind of “implants” mentioned in the Snowden documents, penetrating critical Russian networks “that would cause … pain and discomfort if they were disrupted.” These implants were designed so they could be remotely triggered in response to any Russian cyber-based aggression.
It goes without saying that the US resisted Russia’s proposal for a CWC-style cyber treaty, since, if it had been implemented along the lines proposed by Russia, the US would have found its entire cybersecurity strategy undermined, since it is firmly founded in the principle that the best defense is a good offense. In short, if offensive cyber operations were banned by international law, the US would suddenly find entire organizations and tens of thousands of dedicated cyber spies and warriors out of work. It is for this reason that the US position regarding international cooperation on cyberattacks has been to treat the matter as a law-enforcement issue, with the US State Department endorsing as a model the 2004 Council of Europe Convention on Cybercrime, which has been signed by 22 nations, including the United States – but not Russia. Russian objections were founded on notions of sovereignty, specifically that the convention allows law enforcement agencies from other countries to investigate suspected cyber-based criminal activity originating inside Russia without first informing Russian authorities. But the real reason could be as practical as those of the US hesitancy regarding a CWC-style cyber treaty – by entering a convention that required Russia to work with outside agencies regarding criminal cyber activity originating in Russia, Russia would be hampering the work of private hacking groups allegedly attacking its rivals from its territory, whether in direct affiliation with the state or not.
When the two presidents get together in Geneva on June 16, one can only expect that Putin will give as good as he gets when it comes to cybersecurity. Hopefully, the two world leaders will be able to avoid the temptation of repeating Biden’s theatrical “Putin is a killer” moment from earlier this year, and realize that the threat from cyberattack is real and mutual, and, if not resolved, could lead to instability that could quickly tumble into things much more devastating than cyberattacks.