6th European Conference - Academic Conferences
6th European Conference - Academic Conferences
6th European Conference - Academic Conferences
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Ulf Haeussler<br />
Alliance and Allies rely with countering – later rephrased as responding to – cyber attacks using its<br />
own cyber defence capabilities as well as leveraging linkages between NATO and national authorities<br />
(NATO 2008, paragraph 47 and NATO 2009, paragraph 49), and – envisaged since 2009 –<br />
appropriate partnerships and cooperation (NATO 2009, ibid.).<br />
NATO policy developed since 1999 is correctly based on the observation that NATO and its Nations<br />
rely significantly on information and communication systems, reliance susceptible to exploitation. It is<br />
worthwhile mentioning that the observation referred to is not a reference to the notion of 'cyber<br />
exploitation' which by definition captures non-destructive information gathering activities which may be<br />
performed by strategic competitors and potential adversaries (Owens et al. 2009, 1). Conversely, in<br />
using the term 'disrupt', NATO’s Strategic Concept 1999 had introduced language which covers both<br />
potential destructive effects of cyber attacks and other adverse effects of the same scale and gravity.<br />
(Note that the term 'to disrupt' is defined as 'to cause disorder in something' (Oxford 1989, 348);<br />
'causing disorder' in ICT is tantamount to causing its losing part or all of its operability.) The language<br />
used at a later stage does not indicate a change of this appraisal of the possible consequences of<br />
cyber attacks. In particular, the notion of countering cyber attacks, used in the Bucharest Summit<br />
Declaration 2008, is sufficiently close to the general doctrinal notion of counterattack to suggest that<br />
its drafters had the idea of counter-offensive in mind. The fact that NATO later substituted the notion<br />
of 'responding' to cyber attacks for the initially used term 'countering' them does not contradict this<br />
assessment since countering cyber attacks is but one possible option for responding to them.<br />
Actually, 'responding' is broader in scope; in addition to counter-offensive measures it also captures a<br />
wide range of other measures including those of a political and diplomatic nature.<br />
Taking the different points of view regarding the legal nature of cyber attacks into account, NATO's<br />
policy documents help consolidating the developing consensus regarding the interpretation of the law<br />
of armed conflict in cyber matters. Fully aware of the unsettled legal nature of cyber attacks, NATO<br />
has agreed to multiple documents which in unison do not rule out that cyber attacks – initially referred<br />
to as information operations – may be considered as destructive, or potentially destructive, in nature.<br />
Now that the capacity to be destructive, or potentially destructive, in nature is a quintessential<br />
characteristic of both armed attacks as defined for the purposes of the jus ad bellum and attacks as<br />
defined for the purposes of the jus in bello, NATO's policy declarations necessarily imply the<br />
Alliance’s tacit endorsement of the view that cyber attacks – at least theoretically – can have the<br />
nature of armed attacks and/or attacks, as the case may be. It is important to note that, depending on<br />
the circumstances, an act opening hostilities may coincidentally be an armed attack from a jus ad<br />
bellum perspective and an attack from a jus in bello perspective. However, this coincidence would be<br />
one of fact rather than an amalgamation of these notions which belong to different branches of<br />
international law and hence warrant separate assessment.<br />
International treaty law often captures new factual developments through subsequent agreement<br />
regarding the interpretation of a treaty or the application of its provisions (cf. Article 31(3)(a) of the<br />
Vienna Convention on the Law of Treaties). Whilst NATO policy does not represent agreement which<br />
would bring all cyber attacks within the ambit of the North Atlantic Treaty and other relevant<br />
international agreements, it does a fortiori not exclude individual cyber attacks from being considered<br />
as an armed attack and/or an attack.<br />
NATO's Strategic Concept 2010 confirms and reinforces earlier policy. Its assessment of the security<br />
environment states that cyber attacks 'can reach a threshold that threatens national and Euro-Atlantic<br />
prosperity, security and stability', and that foreign militaries can be 'the source of such attacks' (NATO<br />
2010a, at paragraph 12). In addressing Article 5 of the North Atlantic Treaty, NATO stresses its<br />
responsibility 'to protect and defend our territory and our population against attack' (id., paragraph 16).<br />
Whilst critical infrastructure is captured by the notion of territorial defence, the reference to the<br />
population should be read as to comprise key elements of statehood such as governability – essential<br />
to human security – and the integrity of democratic decision-making – an essential tenet of<br />
participatory democracy (Häußler 2010). NATO has also expressly embraced the need to further<br />
develop its 'ability to prevent, detect, defend against and recover from cyber-attacks' (NATO 2010a,<br />
paragraph 19) and its aim to 'carry out the necessary … information exchange for assuring our<br />
defence against ... emerging security challenges'. The notion of 'emerging security challenges',<br />
though not expressly defined, is illustrated by the portfolio of the recently established NATO<br />
Headquarters directorate carrying the same name, which comprises challenges arising in and out of<br />
101