A NATO member is under attack.
Normally the meaning of this would be frighteningly clear, but this is an attack with a difference: not a physical attack, but a cyber attack; and working out what a cyber attack means is never simple.
Transport and media websites have been hit, as have the websites of various state institutions such as the Lithuanian tax service, which had to pause its operations yesterday.
A Russian hacker group known as Killnet claimed responsibility for the attacks, claiming on its Telegram channel that the attack was retaliation for Lithuania’s decision to stop the transit of some goods to the Russian territory of Kaliningrad on the Baltic coast.
The politics of this situation are extremely complicated. Kaliningrad is Russian-owned, but it isn’t connected to the main body of Russia – it’s a small piece of Russia surrounded by NATO countries.
The Lithuanian government says it is simply enforcing European Union sanctions on goods, but Russia has responded with outrage, saying it is being stopped from accessing its sovereign territory.
Russia promised to respond in a way that would “have a serious negative impact on the population of Lithuania”.
Then, a few days later, came this cyber attack.
Does that mean Russia attacked a NATO member?
Not so fast.
For a start, the group that claimed responsibility denies any connection to the Russian state, saying it is “not affiliated with any law enforcement authorities”.
The Russian government has long used third-party criminal groups to conduct hacks and cyber attacks, so it would not come as a surprise if it was involved. Nevertheless, on the surface at least, its hands are clean.
Then there’s the nature of the attack. Reports so far suggest that it’s a distributed denial of service (DDoS) attack, a crude attack which involves throwing huge amounts of traffic at a website until it is forced offline.
The attack has been described as “massive”, which is technically true, because in order to work a DDoS attack has to be large, but that doesn’t mean it will have a massive effect.
DDoS attacks are so common that most websites nowadays have protection against them as standard. Even if an attack does work, it won’t steal any data. It’s a blunt force instrument, little more.
Less worrying than we are often led to believe
Cyber attacks aren’t like physical attacks, where the size of the damage roughly corresponds to the size of the assault. Online, being “massive” doesn’t really mean that much. Ditto “intense”, another word used to describe the attack.
This is one reason why, for all the frightening rhetoric that surrounds them, many experts believe that cyber attacks are generally much less worrying than we are often led to believe.
Yes, in theory it’s possible to “turn the lights off”, but in practice it would be almost impossibly hard. And if they were turned off? Well, we would probably just turn them back on again. It’d be annoying and frightening, but not catastrophic.
Even though we use military language to describe them, cyber attacks aren’t like conventional assaults. They’re much closer to espionage and subversion than anything that involves guns and armies. Even if you do know who’s doing it, it’s often hard to be sure exactly what damage it did and for how long.
That’s why, while the Lithuanian cyber attack is an attack on a NATO member, it is not the kind of attack that will provoke a military response. We are not at that stage yet.
Could the situation deteriorate
Yet that does not mean we aren’t moving towards that point, nor that a cyber attack cannot lead us there.
Another way in which cyber attacks are different to physical attacks is that once they are started they can spiral out of control. Unlike a bomb or a bullet, a virus can spread in ways that even its makers don’t intend.
Almost exactly five years ago, the costliest ever cyber attack was launched: a malware attack called Not Petya.
It is believed to have begun when Russian operatives infected a small piece of Ukrainian accounting software, intending to disrupt Ukrainian businesses. But from there it spread to companies around the world, including shipping giant Maersk and food conglomerate Mondelez.
By the time it was done, Not Petya had caused $10bn in estimated damages.
Would an attack like that be considered equivalent to a military attack in today’s tense atmosphere?
Let us hope we don’t have to find out.