US calls on its Nato partners to help resist cyber-attacks

'Threat to one is a threat to all' treaty cited in White House report – but open net versus privacy analysis omits WikiLeaks

• Ewen MacAskill
• The Guardian, Tuesday 17 May 2011 http://www.guardian.co.uk/technology/2011/may/17/us-nato-cyber-attacks-report

The US has given the broadest hint yet that a cyber-attack on one Nato country will be regarded as an attack on all.

It is a potentially dangerous development, as cyber-attacks are increasingly common, with the Pentagon reporting millions of probes a day and actions by more than 100 foreign intelligence agencies.

In 2007, Estonia was almost crippled by a cyber-attack thought to originate in Russia. At the time, Estonia, a member of Nato, said it did not know if the alliance covered cyber-attacks, and the US, Britain and others danced round the issue.

The development is contained in a report by the Obama administration, International Strategy for Cyberspace, in which the US for the first time sets out a strategy for dealing with the expansion of the internet and what it describes as "arbitrary and malicious disruption". It notes the growing threats by individual hackers, companies and hostile states, and offers broad proposals on how to tackle these.

It suggests that existing US treaties such as the one that set up Nato, which requires an attack on one member state to be treated as an attack on all, also cover cyber-attacks. But it stops short of saying so categorically. "All states possess an inherent right to self-defence, and we recognise that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," it says.

The thrust of the report is on how to reconcile the US championing of internet freedom in places such as China and Iran with protection of privacy in the US. The report is thin on how to achieve this.

The Obama administration sets out a broad objective: "The US will work internationally to promote an open, inter-operable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free and innovation."

But the report continues: "The world must collectively recognise the challenges posed by malevolent actors' entry into cyberspace, and update and strengthen our national and international policies accordingly. Activities undertaken in cyberspace have consequences for our lives in physical space, and we must work towards building the rule of law, to prevent the risks of logging on from outweighing its benefits."

At present, international law largely does not cover the internet, nor do international treaties.

But WikiLeaks, though responsible for the biggest security breach in US history, is not mentioned and was not raised by any of the speakers at the launch of the report, including secretary of state Hillary Clinton. Instead, she spoke of a need for consensus: "There is no one-size-fits-all, straightforward route to this goal. We have to build a global consensus about a shared vision for cyberspace."

But what Clinton, who has underscored the centrality of internet freedom to US foreign policy, did highlight was the internet's role in grassroots mobilisation and attempts by governments to stop this: "While the internet offers new ways for people to exercise their political rights, it also, as we have seen very clearly in the last months, gives governments new tools for clamping down on dissent."

Commerce secretary, Gary Locke, nominated as next US ambassador to China, said he intended to keep pressing "to advance these goals and the broader set of cyberspace issues with our Chinese counterparts".

WikiLeaks was able to obtain a quarter of a million secret US state department files last year, published in the Guardian and other papers. Such a breach would not have been possible without the internet.

The report wants states to work together to give better protection. "When cybersecurity incidents demand government action, officials can detect those threats early and share data in real-time to mitigate the spread of malware or minimise the impact of a major disruption – all while preserving the broader free flow of information. When a crime is committed internationally, law enforcement agencies are able to collaborate to safeguard and share evidence and bring individuals to justice," the report says.

While condemning cyber-attacks, at the same time the US, along with Israel, is widely believed to have been responsible for the Stuxnet virus that Iran claims disrupted its nuclear programme.

The administration last week sent proposals to Congress to put pressure on companies to improve security.

The US funds schemes to develop new technologies and train activists to evade government controls. But activists accuse it of hypocrisy for insisting the internet must also have "rule of law": a signal that unauthorised breaches such as WikiLeaks will not be tolerated.