June 15, 2021

A Defence of Defence. NATO’s Response to Low-Grade Cyber-Attacks

AFP/Scanpix
NATO Secretary General Jens Stoltenberg gives a press conference during a NATO summit at the NATO headquarters in Brussels on June 14, 2021. Leaders of NATO countries warned Russia that there could be no return to normal relations between Moscow and the military alliance until it complies with international law, and that China's increasingly aggressive behaviour, including cyber warfare and building nuclear warheads, poses "systemic challenges" to international law and security.
NATO Secretary General Jens Stoltenberg gives a press conference during a NATO summit at the NATO headquarters in Brussels on June 14, 2021. Leaders of NATO countries warned Russia that there could be no return to normal relations between Moscow and the military alliance until it complies with international law, and that China's increasingly aggressive behaviour, including cyber warfare and building nuclear warheads, poses "systemic challenges" to international law and security.

Despite a barrage of cyber-attacks from state and non-state actors, NATO’s recent communiqué reaffirmed a defensive commitment to cybersecurity without proposing new offensive responses. While some may characterize this response as ineffective, pursuing diplomatic and economic retaliation to low-grade cyber threats offers the best outcome for the Alliance.

Following the June 2021 Brussels Summit, NATO Heads of State and Government released a communiqué reaffirming commitments to collective security, addressing current strategic issues, and highlighting NATO’s defensive role in cyberspace. NATO’s policy in cyberspace allows discussion of Article 5 “on a case-by-case basis” and recognizes that some cyber-attacks may “be considered as amounting to an armed attack” and invoke an Article 5 response.

However, the majority of cyber-attacks fall below a use of force threshold, leading many to wonder how NATO will proportionally respond to ‘low-grade’ cyber-attacks. While some may criticize NATO’s defensive posturing in cyberspace as limiting, responding to low-grade cyber-attacks outside of cyberspaces offers the least risks to the Alliance while affirming a commitment to collective security.

Low-grade cyber-attacks primarily steal information or financial resources. These attacks may be state-run or sanctioned, with Russia, China, or Iran often behind an attack. Low-grade attacks do not take lives and do not cause the lasting economic damage to warrant a full retaliatory strike.

Low-grade cyber-attacks should be addressed using diplomatic expulsion and economic influence at an Alliance level similar to that seen following the diplomatic expulsion of the Solar Winds hack and the sanctions in response to the annexation of Crimea. The scope magnitude of the response should be guided by the attack- if an attack costs $10 million it should be proportionally retaliated with $10 million in sanctions.

Allies should further coordinate their sanctions to ensure the maximum cost to aggressors with minimal cost to the Alliance. This response has had mixed results- it is difficult to determine what tangible ramifications sanctions and diplomatic expulsion have, especially as state-sanctioned attackers may not be under full control of the government.

However, there has been little escalation due to sanctions or diplomatic expulsion and both have empirically restored some stability to the system.

Some may argue that NATO countries develop and respond with proportional offensive cyber-attacks to threats. This path has numerous dangers. Offensive cyber-attacks are dangerous as they may spread beyond their intended target in ways that conventional attacks cannot. Furthermore, offensive attacks are single-use and allow opponents to patch vulnerabilities. Offensive cyber-attacks can escalate the situation, causing tit-for-tat responses that spiral out of control. Unless the situation is such that military force will be used, there is little reason to retaliate with cyber-attacks due to the dangers they pose.

Low-grade cyber-attacks cost NATO Allies information and financial resources. While the Alliance decides how to respond to these attacks, they should focus on diplomatic and economic measures to avoid escalating the situation and draining options. However, in the event of a large cyber-attack that takes significant lives or resources (i.e an attack on a power grid), NATO Allies should prepare to respond to their full capabilities.

 

Views expressed in ICDS publications are those of the author(s).