WASHINGTON ― The banks were broken. In 2007, financial institutions across Estonia had difficulty carrying out the simplest of tasks. The banks’ servers were overloaded by a swarm of digital requests, called a distributed denial-of-service attack. Simple account withdrawals suddenly became feats of digital heroics. The banks were not alone.
Email inboxes of Estonian journalists were flooded with spam. The Ministry of Defence’s website went down. The Estonian government blamed Russia for the digital blitz. The crippling cyberattack lasted for three weeks and at the time was known as perhaps the most brazen act of cyber aggression by one state on another. But more than a decade later, the alleged Russian cyberattack on Estonia is seen as a rallying cry for NATO to bolster its cyber prowess.
Today, the alliance counts cybersecurity as one of its core missions. It has placed a new cyber research center in the heart of the Baltic nation.
But amid what is viewed as a sustained campaign of Russian digital warfare on the West and the trans-Atlantic alliance ― whose foundations are being questioned through a surge of populism ― the very future of NATO’s cyber strategy is left intentionally murky.
During a May speech, NATO Secretary General Jens Stoltenberg said he is often asked under what circumstances the organization would trigger Article 5 in the case for a cyberattack.
Article 5 is the alliance’s principle of collective self-defense; an attack on one member nation is considered an attack on all member nations.
“My answer is: We will see. The level of cyberattack that would provoke a response must remain purposefully vague, as will the nature of our response,” Stoltenberg said. “It could include diplomatic and economic sanctions, cyber responses, or even conventional forces, depending on the nature and consequences of the attack.”
Questions over how NATO will respond to a cyberattack come as the alliance takes steps to bolster its digital protocols. In its joint air power strategy, unveiled in late June, NATO added cyberwarfare to its joint operations programs. The document boasts of the historic threat the organization faces: “For the first time since the end of the Cold War, the Alliance has to be able to conduct operations.”
In 2014, the alliance said for the first time that a cyberattack could trigger the organization’s collective-defense mechanism. It has proven a successful deterrent to combat large-scale digital attacks like the reported Russian cyber assault on Estonia in 2007, said Sorin Ducaru, a former assistant secretary general of NATO. But he added that the alliance has to be more creative in deterring medium- and low-grade cyberattacks “because that is the world we are living in.”
For Estonia, an aggressive NATO cyber policy could be the difference between the smooth withdrawal of cash or a disturbing “error” sign flashing on an ATM screen. An Estonian intelligence report from earlier this year predicts Russia will continue its campaign of aggression in Eastern Europe and the Baltic states through a combination of cyberattacks and information warfare.
When it comes to digital threats, “each country has faced them alone. NATO has not adopted a unified response,” former Estonia President Toomas Hendrik Ilves said during a May conference.
Today, nations are still loath to share information on cyberattacks, Ilves said, recounting a story about how as president he reported a hack on Estonia to NATO. “The response was: ‘Oh, you, too.’ I don’t think that’s how we should be doing things.”
Ilves is among those who have called for a cyber NATO ― an alliance of nations cooperating in digital defense.
The top civilian of Estonia’s Ministry of Defence also told Defense News that international cooperation could help thwart cyberattacks.
“I think people are realizing that we need international cooperation, and without international cooperation we simply cannot succeed in this new domain,” Jonatan Vseviov said.
Yet a bolstered NATO cyber response could mean a wave of new tension with Russia and China, which are seen as two of the alliance’s biggest digital challengers.
It is unclear under existing NATO rules how the alliance could be more aggressive in response to cyberattacks, said Alex Crowther, a senior research fellow at the National Defense University.
“In order for Article 5 to be voted on, it has to be something major. It pretty much has to be an armed attack or a use of force as discussed in the U.N. Charter. The most commonly adopted point of view is that people have to be hurt or killed, or property is damaged or destroyed,” Crowther told Fifth Domain, a sister publication of Defense News. “I have met people who say that the only attack that meets that criteria was the Stuxnet attack because it caused damage to Iranian centrifuges.”
Even the hack on Estonia did not meet the criteria for triggering the principal of collective self-defense, Crowther added.
Aaron Mehta contributed to this report.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.