Published online 23 May 2007 | Nature | doi:10.1038/news070521-8

Column

Does this mean war?

Cyber-attacks in the Baltic raise difficult questions about the threat of state-sponsored information warfare, says Philip Ball.

Is Estonia at war? Even the country's leaders don't seem sure. Over the past several weeks the Baltic nation has suffered serious attacks, but no one has been killed and it isn't even clear who the enemy is.

That's because the attacks have taken place in cyberspace. The websites of the Estonian government and political parties, as well as its media and banks, have been paralysed by tampering. Access to the sites has now been blocked to users outside the country.

This is all part of a bigger picture in which Estonia and its neighbour Russia are locked in bitter dispute sparked by the Soviet legacy. But the situation could provoke a reappraisal of what cyber-warfare might mean for international relations.

In particular, could it ever constitute a genuine act of war? "Not a single NATO defence minister would define a cyber-attack as a clear military action at present," says the Estonian defence minister Jaak Aaviksoo — but he seems to doubt whether things should remain that way, adding that "this matter needs to be resolved in the near future."

Declaration of war

When the North Atlantic Treaty was drafted in 1949, cementing the military alliance of NATO, it seemed clear enough what constituted an act of war, and how to respond. "An armed attack against one or more [member states] shall be considered an attack against them all," the treaty declared. It was hard at that time to imagine any kind of effective attack that did not involve armed force. Occupation of sovereign territory was one thing (as the Suez crisis soon showed), but no one was going to mobilize troops in response to, say, economic sanctions or verbal abuse.

Estonia's heavy reliance on IT infrastructure made it vulnerable to mass cyber-attack.Estonia's heavy reliance on IT infrastructure made it vulnerable to mass cyber-attack.Getty

Now, of course, 'war' is itself a debased and murky term. Nation states seem ready to declare war on anything: drugs, poverty, disease, terrorism. Co-opting military jargon for quotidian activities is an ancient habit, but by doing so with such zeal, state leaders have blurred the distinctions.

Cyber-war is, however, something else again. Terrorists had already recognized the value of striking at infrastructures rather than people, as was clear from the IRA bombings of London's financial district in the early 1990s, before the global pervasion of cyberspace. But now that computer networks are such an integral part of most political and economic systems, the potential effects of 'virtual attack' are vastly greater.

And these would not necessarily be 'victimless' acts of aggression. Disabling health networks, communications or transport administration could easily have fatal consequences. It is not scaremongering to say that cyberwar could kill without a shot being fired. And the spirit, if not currently the letter, of the NATO treaty must surely compel it to protect against deaths caused by acts of aggression.

Information overload

The attacks on Estonian websites, triggered by the government's decision to relocate a Soviet-era war memorial, consisted of massed, repeated requests for information that overwhelmed servers and caused sites to freeze — an effect called distributed denial of service. Estonian officials claimed that many of the requests came from computers in Russia, some of them in governmental institutions.

Russia has denied any state involvement, and so far European Union and NATO officials, while denouncing the attacks as "unacceptable" and "very serious", have not accused the Kremlin of orchestrating the campaign.

The attack is particularly serious for Estonia because of its intense reliance on computer networks for government and business. It boasts a 'paperless government' and even its elections are held electronically. Indeed, information technology is one of Estonia's principal strengths — which is why it was able to batten down the hatches so quickly in response to the attack. In late 2006, Estonia even proposed to set up a cyber-defence centre for NATO.

There is nothing particularly new about cyber-warfare. In 2002 NATO recognized it as a potential threat, declaring an intention to "strengthen our capabilities to defend against cyber attacks". In the United States, the CIA, the FBI, the Secret Service and the Air Force all have their own anti-cyber-terrorism squads.

But most of the considerable attention given to cyber-attack by military and defence experts has so far focused on the threat posed by individual aggressors, from bored teenage hackers to politically motivated terrorists. This raises challenges of how to make the Web secure, but does not really pose new questions for international law.

The Estonia case may change that, even if (as it seems) there was no official Russian involvement. Military attacks often now focus on the use of armaments to disable communications infrastructure, and it is hard to see how cyber-attacks are any different. The United Nations Charter declares its intention to prevent 'acts of aggression', but doesn't define what those are — an intentional decision so as not to leave loopholes for aggressors, which now looks all the more shrewd.

Irving Lachow, a specialist on information warfare at the National Defense University in Washington DC, agrees that the issue is unclear at present. "One of the challenges here is figuring out how to classify a cyber-attack," he says. "Is it a criminal act, a terrorist act, or an act of war? It is hard to make these determinations but important because different laws apply."

Lachow says that the European Convention on Cyber Crime probably wouldn't apply to a state-sponsored attack, and that whereas there are clear UN policies regarding 'acts of war', it's not clear what kind of cyber-attack would qualify. "In my mind, the key issues here are intent and scope", he says. "An act of war would try to achieve a political end through the direct use of force, via cyberspace in this case."

ADVERTISEMENT

And what would be the appropriate response to state-sanctioned cyber-attack? The use of military force seems excessive, and could in any case be futile. Some think that the battle will have to be joined online — but with no less a military approach than in the flesh-and-blood world. Computer security specialist Winn Schwartau has called for the creation of a 'Fourth Force', in addition to the army, navy and air force, to handle cyberspace.

That would be to regard cyberspace as just another battleground. But perhaps instead this should be seen as further reason to abandon traditional notions about what warfare is, and to reconsider what, in the twenty-first century, it is now becoming.