Tallinn 2007 was indeed a wake-up call for NATO. The massive volume of distributed denial-of-service (DDoS) attacks against websites, communications, and even Estonian Parliament members’ fax machines, arising from Russian intimidation, caused a lot of soul searching and ignited efforts to formulate cyber policies in many nations.
But the threat of cyber attack against critical infrastructure does not call for formulating scenarios of military response, which this article claims NATO will discuss at its fall meeting in Wales.
Any military response to a perceived cyber attack against power grids, communications, or trains, planes, and traffic controls, especially the use of arms, in my view will be too much.
It is high time for the owners, operators, and governments responsible for critical infrastructure to take steps to ensure that those systems are hardened against cyber attacks. It is astounding that, seven years after Russia-Estonia demonstrated in microcosm what future nation-state intimidation would look like, practically nothing has been invested in hardening vulnerable systems.
It is hard to change human nature. We have a built-in mechanism that leads us to put off preventative measures in favor of reactive measures – just as a middle-aged sedentary man will not get serious about diet and exercise until after his heart bypass surgery. In contemplating military responses to cyber attacks, NATO and the US are justifying building cyber military capabilities while the potential targets of those attacks are left dangling as tempting bait for any threat actor with a computer.
At its upcoming meeting, NATO should be discussing ways for member nations to cooperatively defend critical infrastructure to the extent that bombs, tanks, and troops will never be called on in response to a cyber attack.