The United States has now given the strongest indications to date that cyber attacks against a NATO member nation could invoke retaliatory actions from other member nations under the treaty's mutual defense doctrine.
A newly released report titled the International Strategy for Cyberspace, which details the U.S. strategy to foster international cybersecurity cooperation, hints that cyber aggression against the networks of one NATO nation could trigger a unified response from other member nations similar to that of a military threat response.
The report states that "the United States will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits. We fully recognize that cyberspace activities can have effects extending beyond networks; such events may require responses in self-defense. Likewise, interconnected networks link nations more closely, so an attack on one nation’s networks may have impact far beyond its borders."
The report gives the strongest suggestion yet that the NATO alliance may be positioned to coordinate joint international cyber security efforts.
The issue first came to a head in 2007 following the network attacks that originated in Russia against Estonia, a NATO member. Since then, experts have debated whether the current mutual defense protocols outlined in the NATO treaties should apply to cyber attacks as well.
The new report seems to support the notion that the current NATO treaties do in fact provide a sufficient framework to compel member nations to provide mutual defense in the face of any threat of attack, including those based in cyberspace.
"All states possess an inherent right to self-defence, and we recognise that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," the report continues.
The International Strategy for Cyberspace also suggests that there is a great deal of work to be done to solidify the necessary infrastructure for establishing the mechanisms to control and deter cyber-based threats.
"The world must collectively recognise the challenges posed by malevolent actors' entry into cyberspace, and update and strengthen our national and international policies accordingly. Activities undertaken in cyberspace have consequences for our lives in physical space, and we must work towards building the rule of law, to prevent the risks of logging on from outweighing its benefits," advises the report.
Also outlined in the strategy are several principles aimed at providing a baseline for the free exchange of information, the protection of individual privacy, and the enforcement of copyright and intellectual property protections.
"The US will work internationally to promote an open, inter-operable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation" the report states.
The principles listed in the report include:
- Upholding Fundamental Freedoms: States must respect fundamental freedoms of expression and association, online as well as off.
- Respect for Property: States should in their undertakings and through domestic laws respect intellectual property rights, including patents, trade secrets, trademarks, and copyrights.
- Valuing Privacy: Individuals should be protected from arbitrary or unlawful state interference with their privacy when they use the Internet.
- Protection from Crime: States must identify and prosecute cybercriminals, to ensure laws and practices deny criminals safe havens, and cooperate with international criminal investigations in a timely manner.
- Right of Self-Defense: Consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace.
The Obama administration also last week delivered the long awaited comprehensive cybersecurity strategy to Congress.
The proposal is the culmination of over two years of effort by the White House to finish laying the groundwork for the protection of critical infrastructure in the face of increased threats posed by attacks on both public and private sector network systems.
Major challenges in drafting the proposal included how to best prioritize federal security initiatives, defining the government's role in protecting and regulating private sector networks which administer the majority of the nation's critical systems, and protect privacy and civil liberties in the process.