WASHINGTON — Following the Sept. 11 terrorist attacks in 2001, the United States became the first nation in NATO history to invoke Article 5, the organization’s premise that an attack on one country is an attack on all of its member countries.
But has any event come close to that level?
“Some of the things which have happened are very serious,” said Jüri Luik, Estonia’s defense minister. “Whether it would constitute an act of war, I think we haven’t risen to that level ― yet.”
Although small in size and budget, Estonia is widely acknowledged as a leader in cyber defenses, due in part to necessity. Among the most wired nations in the world, Estonia famously suffered a massive digital attack in 2007 that sent the country into a flurry of investing in digital defenses. The country is also home to NATO’s cyber center of excellence.
Luik, speaking to Fifth Domain during a recent visit to Washington, did however, raise concerns about what dangers may already be planted in existing systems.
“One also has to keep in mind that, you know, there are news coming out often that bugs are found, for instance, in the electricity grid or in some other systems. This is all preparatory work,” he said. “So if somebody wants to do something, then these are capabilities which are built over time to your system, so that at Point Zero, this can all be started very quickly.”
Like many other institutions, NATO faces the challenge of members who simply don’t want to share much information about their cyber capabilities.
“When you talk to each other about the attacks, then you usually also relay your weaknesses. And you don’t want everybody to know your weakness,” Luik said. “So people are quite cautious, actually, in describing attacks to their system.”
Andrea Thompson, U.S. Undersecretary of State - Arms Control and International Security, agreed that concerns about sharing are an issue, but expressed optimism it could be worked through.
“I think everyone recognizes it needs to be done. It’s just, ‘What is the method to get it done?,’” Thompson, told reporters Sept. 7. “We see it internally between public-private partnerships, between companies and defense. We’re not alone. we’re not the only ones that are going through that struggle.”
The upside, Luik said, is that NATO has “found a good way of exchanging information in a very sound, confidential setting,” which is helping to thaw that information sharing issue among the nations.
More than that, he said NATO is set for the near-term with how it handles cyber operations. He compared the current setup to to the structure that has existed for decades with the alliance’s nuclear capabilities in which NATO acts as an organizational hub but national governments offering their own capabilities.
“NATO itself doesn’t have a big cyber defense capability. These capabilities come from national governments and they can be used with the agreement of governments, especially the offensive” capabilities," Luik said. “NATO doesn’t have any offensive capabilities but there are NATO countries who have considerable offensive capabilities.”
And Luik sees another comparison between cyber and nuclear. “There has never been a real big cyberattack against another country which would utilize all the fearsome cyber weapons which are in the hands of many governments.
“People are cautious about it because they know that, you do it, it can be used against you as well. So there is actually this strange, strange balance of fear, not only of the nuclear issue, but also in cyber.”
Aaron Mehta was deputy editor and senior Pentagon correspondent for Defense News, covering policy, strategy and acquisition at the highest levels of the Defense Department and its international partners.