Don’t Let Cyber Attribution Debates Tear Apart the NATO Alliance

The United States still struggles to find effective policies for deterring cyberattacks. Suggestions run the gamut from more widespread use of indictments and economic sanctions, despite their lackluster record of success, to less traditional but more risky policies that emphasize the asymmetric advantage America has in conventional military power.

Most of the discussion of cyber deterrence focuses on preventing a single catastrophic or cascading cyberattack that would threaten lives (like disruptions to electricity transmission or clean water)—or our way of life—altering election outcomes or grinding global finance to a halt. Yet the reality is that in the event of such an attack, the response would likely not come from the U.S. alone but from the NATO alliance in concert.

NATO’s cyber-defense mandate has evolved over time to update its collective defense commitment under Article V of the North Atlantic Treaty for the era of cyberattacks. In the latest effort to collectively impose costs on adversaries, the 2018 NATO Summit saw a commitment from heads of state and government “to integrate sovereign cyber effects, provided voluntarily by Allies, into Alliance operations and missions, in the framework of strong political oversight.” The newly updated White House National Cyber Strategy likewise envisions working together with a “coalition of like-minded states” to “ensure adversaries understand the consequences of their malicious cyber behavior.”

Therein lies the rub. Both formal alliances, such as NATO, and more ad hoc arrangements, such as what the Cyber Deterrence Initiative imagines, will require members to share intelligence and eventually, to the best of their ability and perhaps in different domains, contribute to joint action against a presumably well-armed foreign aggressor. States including the United States, the United Kingdom, the Netherlands, Estonia, and Denmark have publicly declared their willingness to lend sovereign offensive cyber effects to deter, defend against and counter the full spectrum of threats.

Sharing intelligence and information is a key element of NATO’s core decision-making process enshrined in Article 4 of the Washington Treaty. Political consultations are part of the preventive diplomacy between member states, but they are also an avenue to discuss concerns related to the security threats member states face. These consultations can be a catalyst for reaching a consensus on policies to be adopted or actions to be taken—including those on the use of sovereign cyber effects to support a NATO operation.

The alliance has a track record of collective action and cooperative security measures. For example, Operation Active Endeavour helped to deter, disrupt and protect against terrorist activity in the Mediterranean in the aftermath of the 9/11 terrorist attacks, in solidarity with the United States. For the seventh time, the Atlantic Council’s Cyber Statecraft Initiative will be among the organizations privileged to organize an event on the sidelines of the Feb. 15–17 Munich Security Conference. This year in particular, the Atlantic Council’s event, “Defending Human Dignity: Limiting Malicious Cyber Activity Through Diplomacy,” will complement the topics high on the agenda of the main conference, such as transatlantic collaboration, the consequences of a resurgence of great power competition and the future of arms control.

In the United States, the greatest failures of response and deterrence to foreign aggression in cyberspace have not been caused by a lack of intelligence, capability or imagination. Rather, U.S. policy has been serviceable in theory but impotent in practice because of an inability to translate technical findings and intelligence into public support for sufficiently tough responses ordered by elected political leaders. North Korea’s repeated operations targeting U.S. companies and critical infrastructure have been met with public skepticism over their culpability, limiting the strength of retaliatory options needed to deter further events. Chinese cyber economic espionage continued for years despite widespread knowledge of China’s activities because political leaders found it difficult to confront Beijing without undermining U.S. companies in return. Russian information operations did not sow enough doubt to mislead experts, but they succeeded in exacerbating the partisan polarization of an already-divided electorate and its leaders.

That inability to translate the findings of cyber experts into public sentiment and therefore political action has sidelined America’s cyberwarriors, by far the most technologically advanced and well-resourced in the world. Imagine the political response of an ally that is asked to burden-share in response to cyber aggression but is probably much closer to any resulting kinetic fight than the United States.

Now imagine the response of that ally when it’s being asked to take causus belli on faith: The United States is presenting attribution for a cyberattack elsewhere in the world, but perhaps is depending on the ally lacking critical details due to classification, and is presenting that information alongside a request for help that might well put the ally in the crosshairs of its own cyberattack or lethal action. How can allies with different capabilities to collect, analyze and understand intelligence be part of a consensus on using sovereign cyber effects to support a NATO operation? How can a commander achieve a common operational picture to authorize the use of sovereign effects in a NATO operation if all the allies are not on the same page with respect to critical attribution and other technical information needed for a use of effect in an operation? We all know what a tank looks like on a shared satellite image, but if you ask three cyber experts to interpret the attribution for a set of indicators, you are likely to get at least four answers.

For most U.S. allies in Europe and elsewhere, there is simply a dearth of technical know-how within the government when it comes to cyber attribution and operations. This is already a challenge for the United States, with a massive defense budget, Silicon Valley innovation and an educated workforce to pull into government service. But for many U.S. allies, tech-savvy public servants will have long fled for the private sector, nongovernmental organizations (NGOs) and academia before reaching ministerial positions.

To its credit, the U.S. National Cyber Strategy does propose capacity-building measures to support allies. This means building up law enforcement, intelligence, and military operational and investigative capability. But even with successful capacity-building programs, many nations could, in a crisis, end up in the same place the United States is—with good options stuck on the shelf while political leaders and their electorates lack a critical mass of informed voters to trust, understand and act on expert findings.

For countries weighing whether to risk their own blood and treasure in support of an ally’s cyber attribution findings, this hurdle could well prove insurmountable if not addressed well before a crisis emerges. Many such countries will no doubt recall being burned when placing too much confidence in U.S. technical and human sources without an ability to evaluate the evidence for themselves, as with the Iraq weapons of mass destruction findings.

The private sector will probably play a crucial role in providing intelligence to support alliance responses to cyberattacks, especially as a stopgap over the next few years. FireEye and its peer competitors and partners regularly produce analyses of major world cyber events—many that fly below the radar of Western leadership, in fact—sometimes at a near-government quality and often covering much of the same “classified” evidence.

More important, private-sector analysts are accustomed to writing for impact with both their technical counterparts, like chief information security officers (CISOs) and threat hunters, and nontechnical stakeholders such as boards of directors, CEOs and other persons controlling the purse strings. In this sense, unclassified, private-sector and NGO-driven cyber threat intelligence can become the lingua franca of discussions. Relying on commercial reporting generated by international teams, rather than declassified government-generated reports, both broadens the audience enough to make alliance discussions feasible and mitigates against disparities in terminology across national lines—the tendency of even closely integrated allies to describe cyber “attack,” “information operations,” and attribution findings with different implicit assumptions or implications.

Long-Term Thinking

In the long run, though, the U.S. and its more technologically advanced allies—such as its fellow Five Eyes (Australia, Canada, New Zealand and the U.K.), France and Japan—will have to make important policy changes in the interests of furthering alliance cooperation in cyberspace: a willingness to sometimes risk sensitive sources and methods in order to get cyber threat intelligence into the hands of other countries better positioned to take policy action, an end to classifying public information like IP addresses solely because of their acquisition via classified means, and greater transparency on their own decision-making.

Government cyber leaders within the alliance should consider taking another page out of the private-sector playbook as well: running cyber-crisis exercises that involve more than the IT department. In the commercial world, the more successful practice runs involve leaders at both the CISO level and some presence from nontechnical teams that would weigh in during a crisis, such as communications and legal. The best exercises involve executives, too, who despite their busy schedules must see for themselves how their companies would survive and respond during a potentially ruinous cyberattack, and work through the minutiae of leading a response themselves. The experience and confidence is invaluable if ever called on during a real-life crisis, and the organizational introspection by involving decision-makers at all levels is irreplaceable.

Military-to-military cyber training as part of cross-country force standardization and joint operational planning could pull in more senior national leadership, beyond battlefield commanders, and be coupled with increased funding for foreign affairs-led training for nontechnical leaders.

The private sector could also meaningfully contribute during NATO consultations when developing Allied Joint Publications to make sure that definitions and requirements for threat intelligence incorporate the best practices of NATO member countries’ private sectors. If a U.S. diplomat reaches out to his or her counterpart in an allied country to ask for assistance responding to malware that’s damaging critical infrastructure, and that counterpart has to ask what malware is, the response isn’t going to happen.

***

NATO’s essential and enduring purpose is to safeguard the freedom and security of all its members by political and military means. Tolerating cyberattacks, especially those deliberately targeting civilians and the political legitimacy of governments—without the alliance having the capability to jointly discuss attribution and have the confidence to act and assist one another—undermines this core purpose of the alliance. Likewise, pursuing only deterrence and response without an active role for the alliance in reaching peaceful diplomatic agreements with potential adversaries abrogates member responsibilities to their citizens but is impossible without a common language and operational picture to discuss enforcement of such agreements. The U.S. is stronger with allies, and with attention to these issues its cybersecurity can be too.