September 6, 2011
Now that NATO’s Operation UNIFIED PROTECTOR over Libya is winding down, it is worth noting how few cyber incidents were directed in protest against the Alliance.

 Certainly, there was a cyber component to the liberation of Libya, but it was more about content and Internet freedom (the most newsworthy elements here were the role of social media and the Libyan government taking large parts of the nation offline). But compared to past history, NATO cyber defenders had a relatively easy time.

NATO has not, however, had an easy 2011. Although there were three significant incidents we know about, none seemed to have been in direct response to operations over Libya:

1.       The hacker collective Anonymous publicly warned NATO not to challenge it after a report on hactivism specifically mentioned the group. Afterwards, Anonymous claimed to have intruded into a NATO server and extracted a large amount of data. Two files labeled “restricted” were apparently released.   Though this incident overlapped within the timeframe of UNIFIED PROTECTOR, neither the operation nor Libya was mentioned by Anonymous as reasons for their actions.

2.       Hackers intruded into one “NATO” website (actually the-bookstore actually run by an outside company and not actually part of NATO networks or infrastructure). The hacker group, LulzSec, subsequently posted online the names, usernames, and passwords of 12,000 registered users (though it is not certain if LulzSec conducted the intrusion itself).   Though they did reference NATO’s role in Libya, LulzSec seemed primarily driven by their own destructive and manic sense of humor.

3.       The Norwegian military suffered an attack by malicious software one day after beginning NATO bombing operations in Libya. Though the incident was called extensive and serious, it seemed to only affect a single computer. No groups took public credit and, other than the timing, there was no other link to NATO.

These are interesting, but a far cry from the first major NATO bombing campaign, during ALLIED FORCE in 1999 to force Serbian military units out of Kosovo.   In this operation, there was a flurry of cyber incidents against NATO and member governments and militaries, including a defacement of the webpage of Supreme Headquarters Allied Powers Europe. In 1999, defacements against the Department of Defense tripled. According to data I compiled at the Joint Task Force for Computer Network Defense, defacements spiked from a median of one per week to eighteen (including one Air Force site, one Joint, eleven Navy, one Marines, and four Army) over the six weeks of the ALLIED FORCE campaign. There was a similar spike against US government websites. 

Not only did defacements surge, but in large part they were done specifically to protest NATO’s actions, with groups like the Serbian Black Hand and the Russian Hacker Brigade being particularly notorious.  Some attacks were thought, at the time, to be directly conducted by the Serb military (though this claim is often made about incidents later proven to be conducted by non-states). Another set of attacks were clearly tied to nationalist Chinese hackers, furious over the NATO bombing of their embassy in Belgrade.

In addition to defacements, NATO also suffered denial of service attacks which attempted to take them offline. According to the NATO webmaster at the time, “[w]e have about 100 servers, and we're afraid all the NATO sites have been attacked,” forcing his team to swap in more capable servers and fatter network pipes to cope. Despite the variety and intensity of these attacks, none are known to have penetrated internal systems (as happened to the US Central Command in Operation BUCKSHOT YANKEE in 2008). 

What Has Changed Since 1999?

Hactivist groups supporting Arab and Muslim causes have been exceptionally active in the past, such as against Israel (as early as 1999) or against Western and other governments as part of the “e-Jihad” movement (like the hacker Irhabi 007). There are several possible explanations for the relative lack of hactivist response against NATO’s Operation UNIFIED PROTECTOR:

1.       NATO worked with Libya’s neighbors and the world. For Libya, NATO only became involved after securing a mandate from the United Nations Security Council and with approval from the Arab League. This credibility almost certainly defused anger from hactivist groups who saw the operation as one to help, not hurt, Muslims. By comparison, when NATO began operations in support of Kosovo, Slav nationalists were outraged and fuelled by comments from their political and cultural leadership. 

2.       Hactivist groups were distracted. Online hooligans that might otherwise have still wanted to counter perceived Western aggression in Libya were perhaps distracted by other events. Groups supporting Arab and Muslim causes might have been involved in other operations against the West (such as in support of Palestine, Iraq, or Afghanistan) or as part of the general Arab Spring uprisings. Other hactivist groups could have been engaged in the ongoing development of WikiLeaks, and the “anti-sec” campaign of Anonymous and LulzSec.

3.       NATO has better defenses. NATO’s cyber defenses still needs improvement, but they are far better than in 1999. It may be that they have been attracting many attackers, but have been able to fend them off. Indeed, it was partially the 1999 incidents during ALLIED FORCE that drove NATO’s leadership at the 2002 Prague Summit to create the NATO Computer Incident Response Capability (NCIRC).

Any or all of these explanations may be true and we may never know what the truth really is. At a minimum, though, NATO can take extensive credit for making the conditions possible for both the first and third explanations. The Alliance has acted in accordance with global consensus and in coordination with like-minded partners; it has also been working to improve its cyber defenses. It will have to continue doing both of these things if it is to avoid and survive future cyber assaults. 

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. This blog is the first of a periodic series on cyber conflict history.