Estonia had one of two options: (1) take a defensive stance and try to prevent further cyberattacks from disabling and harming Estonia’s networked infrastructures or (2) take an offensive stance and invoke NATO’s Article 5, the “collective self-defense” clause. NATO’s Article 5 states:
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
If cyberattacks are classified as an “armed attack,” then state-sponsored cyberattacks against one NATO ally constitute an attack on all NATO allies, permitting the use of armed forces “to restore and maintain the security of North Atlantic area.” Kevin Poulsen, “‘Cyberwar’ and Estonia’s Panic Attack,” Wired, Aug. 22, 2007. The only time Article 5 has been invoked was following the September 11, 2001, attacks on the United States. NATO and Cyber Defence, supra, § 51. Estonia’s defense minister Jaak Aaviksoo considered invoking Article 5 as a response to the cyberattacks; however, there were two problems in using Article 5. Poulsen, supra. The first problem: There must be a general consensus among NATO’s alliance members agreeing that cyberattacks constitute an “armed attack.” Cyberattacks can cause as much damage, if not more, than physical armed attacks, yet there is not a unanimous agreement that cyberattacks are “armed attacks,” let alone an actual definition of what constitutes a cyberattack. The second problem: Estonia needed the support of NATO’s alliance members for any action to be taken as a response to these cyberattacks. The alliance members would have had to support Estonia’s right to protect itself against further attacks. NATO did not want its members to be at war with Russia. Ultimately, NATO did not support Estonia’s proposal to retaliate for these cyberattacks because there existed no conclusive evidence that linked Russia’s government to them.
A year after the Estonian cyberattacks, NATO made clear its stance on cyberattacks at the April 2008 summit in Bucharest. Ahto Lobjakas, “News Analysis: How Vulnerable Are Countries To Cyberattacks? Ask Estonia!,” Radio Free Europe/Radio Liberty, Apr. 29, 2008. During the summit, NATO decided that “the allies are not at the point where [a cyberattack] . . . would be considered an Article V crisis, leading to a call for mutual defense.” Gallis, The NATO Summit at Bucharest, 2008, supra, at 2–3.
NATO will provide assistance to NATO members that are targets of cyberattacks, but each member is responsible for protecting its own critical networked infrastructures. NATO is seeking to find an appropriate response to cyberattacks, but it has yet to come to a solution that has the agreement of its members.
Today, Estonia is at the forefront in establishing laws and preventive measures for handling cyberattacks against NATO alliance members. On May 14, 2008, NATO established the Cooperative Cyber Defense Center of Excellence (CCDCOE) in Estonia as a response to Article 47 of the Bucharest Summit Declaration of 2008. Press Release, NATO, “NATO opens new centre of excellence on cyber defence” (May 20, 2008). Previously, Estonia had tried to develop this center back in 2003, but the Estonian cyberattacks of 2007 sparked a renewed interest among NATO members. NATO Parliamentary Assembly, Mission Report, Visit to Estonia and Finland, 9–12 June 2008, Rep. No. 141 DSTC 08 E (July 1, 2008). As of November 11, 2008, eight nations had joined the CCDCOE: Estonia, Germany, Italy, Latvia, Lithuania, Spain, the Slovak Republic, and the United States. Press Release, CCDCOE, Poland and USA joint the Centre (Nov. 16, 2011).On October 28, 2008, the North Atlantic Council granted CCDCOE full accreditation and International Military Organization status. Press Release, CCDCOE, Centre is the first International Military Organisation hosted by Estonia (Oct. 28, 2008). The main tasks of the CCDCOE include the following:
1) Providing cyber-related doctrines and concepts for the Alliance;
2) Hosting and conducting training workshops, courses, and exercises for NATO member states;
3) Conducting research and development activities;
4) Studying past or ongoing attacks to draw up lessons learned;
5) Providing advice, if asked, during ongoing attacks.
NATO and Cyber Defence, supra, § 45.
The CCDCOE has “highlighted the development of a good legal framework as ‘perhaps the single most pressing need within the domain of computer network defence.’” Id. § 46. The main problem with the CCDCOE is that it does not provide immediate assistance to cyberattacks as the CCDCOE is “thought of as a research and learning centre where best practices are developed and shared.” Id.
As a complement to the CCDCOE, NATO established the Cyber Defense Management Authority (CDMA) in April 2008, one month prior to the establishment of CCDCOE. Id. ¶ 54. The CDMA is a “NATO-wide authority charged with initiating and coordinating ‘immediate and effective cyber defence action where appropriate’” for NATO members. Id. ¶ 52. On request, the CDMA is able to “coordinate or provide assistance in a concerted effort if an Ally or Allies fall victim to a cyber attack of national or Allied significance.” Id. For cyberattacks, the CDMA is the acting body while the CCDCOE is the thinking body.
The CCDCOE and the CDMA are not the only NATO bodies that have important roles in developing and influencing NATO’s legal framework on cyberattacks and cyber warfare. The North Atlantic Council maintains control over NATO’s policies and activities regarding cyber defense. NATO, “Defending Against Cyber Attacks,” 29 Jan. 2009, Web, 22 Mar. 2010. NATO’s Consultation, Control and Command Agency (NC3A) and the NATO Military Authorities (NMA) will implement any new policies; and NATO’s Computer Incident Response Capability (NCIRC) will respond to any cyber aggression against NATO. Id. NATO’s goal of establishing a legal framework for cyberattacks would be difficult as NATO’s policymakers want to maximize the levels of deterrence against cyberattacks while not limiting their options to respond. Myrli Report ¶ 61.
After extensive examination of the Estonian cyberattacks of 2007, Gadi Evron, a security specialist for Beyond Security and a leading investigator of the Estonian cyberattacks of 2007, believes that the Estonian cyberattacks came from “flash mobs,” a large mass of individual attackers, rather than from Russia’s government. Robert Vamosi, “The Estonia cyberwar: One year later,” CNET, May 20, 2008.He states that “anyone pointing fingers is wrong” concerning the identities of the attackers for the Estonian cyberattacks of 2007. Id. There is evidence that the first wave of cyberattacks was well organized and that it may have come from a single attacking institute, but Evron discovered that the vast majority of cyberattacks after the first wave were spontaneous and came from different sources, indicating that there were numerous participants. Id. These “flash mobs” were the main instigators for these cyberattacks that lasted for three weeks, he said. Id. Russia’s government may still have been responsible for some of these cyberattacks, particularly the first wave of cyberattacks, but to what extent is still unknown.
The main advantage to having an international legal framework for cyberattacks is that it establishes communication protocols that allow governments and alliances to discuss cyberattacks in a proper forum. These discussions can establish levels of acceptability for cyberattacks, increase political and public awareness of cyberattacks and cyber warfare, and promote the growth of newer and better technology for cybersecurity. Furthermore, these discussions allow for governments and alliances to determine the directions that international legal frameworks should head toward. Currently, the United States and Russia have contrary viewpoints for how the overarching international legal framework for cyberattacks should be developed. The United States wants an international legal framework that favors international law enforcement groups handling cyberattacks. John Markoff & Andrew E. Kramer, “U.S. and Russia Differ on a Treaty for Cyberspace,” N.Y. Times, June 27, 2009, at 1–2. Conversely, Russia desires an international treaty addressing cyberattacks. Id. The reason that the United States favors international law enforcement groups is that it already has such groups established through NATO, particularly the CCDCOE and CDMA. Because Russia does not have its own law enforcement groups, Russia favors an international treaty. Potentially, Russia could create an international treaty that may permit Russia or other countries to conduct certain types of cyberattacks. It is dangerous to put so much faith in an international treaty, especially given that cyberattacks will still happen with or without an international treaty. Strengthening international law enforcement groups would allow for rapid responses and prosecution against cyberattacks.
Governments and alliances need an international legal framework that does two things: (1) to be able to define and establish globally accepted laws, procedures, and punishments for cyberattacks; and (2) to be able to enforce, to respond to, and to prosecute cyberattacks efficiently. Legally, an international legal framework provides governments and alliances communication protocols to discuss cyberattacks and cyber warfare. Practically, an international legal framework creates and establishes international law enforcement groups and global standards of cybersecurity that prevent, respond to, investigate, and identify state-sponsored cyberattacks.
One thing is certain: Cyberattacks and cyber warfare will continue to happen, with or without an international legal framework.