As cyberattacks start to resemble traditional acts of war in their destructive power, initiatives like the EU’s planned Joint Cyber Unit will prove inadequate to the task of preventing cyberwarfare from reaching more destructive levels. Only a bold doctrinal innovation of Article 5 of the NATO treaty will.
The most recent global pandemic to hit the headlines and unleash widespread panic has nothing to do with “wet markets” or “lab leaks”. A surge in criminal gangs launching ransomware attacks, and increasingly damaging state-sponsored cyberattacks against strategically sensitive targets in NATO member states, has metastasized into a new kind of security threat for which there is no vaccine on the horizon.
Political and military leaders can no longer pretend that cyberspace is a secondary or tertiary theatre of conflict when it comes to national defence. Cyberwarfare is the state of the art of modern warfare. It must be treated as such.
As early as the Russian military campaign in Georgia in 2008, it was clear to anyone paying attention that cyberattacks had become a critical element of conventional warfare strategy. Instead of registering this, we were shocked by the Kremlin’s brazenness in using military force to show that Georgia would be broken up before joining NATO, and distracted by the EU’s attempts at instant war diplomacy.
In late February 2014, moments after the flames of another distraction – the Sochi Winter Olympics – flickered out, Russia began a multi-year, multi-front military campaign in Ukraine that quickly updated the meaning of “hybrid warfare”. The country became the Kremlin’s favourite testing ground for the weapons of cyberwarfare in support of conventional military aggression.
Russian military hackers, including several currently under indictment in the US, quickly escalated their cyberwar against Ukraine. They unleashed a large-scale power outage in winter; attacked the Ukrainian electoral process; and in the case of the “NotPetya” malware attack, they hacked government, financial, energy and global logistics networks. The total estimated cost of repairing the damage was $10 billion.
One US Navy cybersecurity expert, who referred to Ukraine as a “live-fire space” for the testing of Russian cyberweapons, claimed that: “[NotPetya] was the most damaging attack in history, of a scale and cost that would far exceed a missile fired from the Donbas into Kiev.”
New weapons of potential mass destruction – and little fear of using them
In contrast to the decisive responses to the invention of modern weapons of mass destruction (the 1925 Geneva Protocol, “Mutual Assured Destruction” and the Nuclear Non-Proliferation Treaty of 1968), the rapid rise of high-tech cyberweapons has caused mostly confusion, indecision and paralysis. This has encouraged their use with impunity, despite their potential for causing mass destruction.
The SolarWinds “supply-chain hack” of 2020, for example, in which Russian Foreign Intelligence (SVR) operatives penetrated and monitored multiple private sector and US government agency networks for nine months – including allegedly secure networks at the Pentagon, Department of Homeland Security, State Department and Department of Energy, which oversees the US nuclear arsenal – showed a previously unseen level of stealth, patience and technical sophistication. The degree of theft of classified data and possible damage to national security remains impossible to assess. US Senator Richard Durbin referred to the attack as “virtually a declaration of war”. The hack also drove home the lesson that, “you’re only as strong as your weakest vendor”.
The Russia-based DarkSide ransomware attack on the Colonial Pipeline, which supplies roughly half of all fuel used on the East Coast of the US, caused a six-day shutdown in early May, which resulted in an acute supply shock and panic buying of gasoline. It was the worst cyberattack on the critical fuel sector in US history. Not long after Colonial paid a 4.4-million-dollar ransom to decrypt their stolen data, another infamous Russia-based ransomware group, REvil, attacked the world’s largest meat supplier, which ultimately paid 11 million dollars to recover stolen data.
The biggest ransomware attack ever happened in early July when REvil exploited a security flaw in malware prevention code at the American software supplier Kaseya, which took down the networks of an estimated 800 to 1,500 companies in 17 countries. Ransom demands ranged from 45,000 to 5 million dollars, and included the benevolent offer of a “universal decryptor” for 70 million dollars in cryptocurrency. Shortly after the incident, President Biden communicated to Vladimir Putin that the US would no longer view ransomware attacks originating in Russia as merely criminal acts. They would henceforth be seen as national security threats that could possibly result in significant retaliation.
A few days after Biden warned Putin that the Kremlin must take action against ransomware gangs it allows to do business on Russian soil, REvil disappeared from the dark web. While it’s impossible to attribute this to Biden’s warning, and the shutdown may be a mere hiatus from cybercrime before REvil returns under another name, Kaseya’s sudden acquisition of a decryption key from a “trusted third party” raises questions about the ransomware gang’s future and possible pressure the Kremlin may have brought to bear on it.
Is effective deterrence possible in the age of cyberwarfare?
The Biden Administration responded to the SolarWinds hack – a major act of espionage aimed at the most sensitive US government computer systems – with economic and diplomatic sanctions. But the exposure of the Russian economy to the US remains low, and the incentives for sanctioned individuals and institutions to keep waging cyberwar in Ukraine and disrupt NATO and the EU with destabilising cyberattacks remain high.
As cyberattacks start to resemble traditional acts of war in their destructive power, initiatives like the EU’s planned Joint Cyber Unit aimed at “coordinated detection and response” will prove inadequate for dealing with the problem. Only a bold doctrinal innovation of the mutual defence clause in Article 5 of the North Atlantic Treaty, based on a clear and proportional deterrent which updates the contemporary meaning of “an armed attack”, will prevent cyberwarfare from escalating and compelling the use of even more destructive means of waging war in the foreseeable future.
Point 32 of the Brussels Summit Communiqué of 14 June 2021 announcing NATO’s Comprehensive Cyber Defence Policy (CCDP) takes the first tentative step toward doing this. The statement asserts that: “the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats… in accordance with international law.” The CCDP also recognises that “significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack”, and it “reaffirm[s] that a decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”
Despite the tough words, the communiqué merely reaffirms a strategically muddled and dangerously ambiguous ad hoc policy of crisis management, damage control, and maybe retaliating – but only “in certain circumstances”. An effective CCDP would instead delineate clearly where inviolable national boundaries lie in cyberspace; formulate what a “proportionate response” could look like after a debilitating attack on any of the 16 critical infrastructure sectors; and incorporate these policies into an updated mutual defence doctrine based on a revised version of Article 5.
China’s increasingly aggressive approach to cyber warfare – which has recently evolved from an established pattern of technology theft to Russian-style disruption employing a wide range of highly skilled domestic hackers who attack without restraint – gives further context to the urgency of effective cyber deterrence.
We have a clear choice: the transatlantic democratic alliance will either vigorously deter potentially costly aggression in any theatre of conflict, including cyberspace, and defend the values fought for in two world wars and numerous other bloody conflicts since 1945; or we will surrender to the current assault on liberal democratic norms from Russia, China and their opportunistic allies, and accept their vision of a post-liberal, post-democratic world as our inevitable collective future, as we cede the new art of modern warfare to them.
The stakes could not be higher.