Mr. Chair, I think the mechanisms in the treaty allow for appropriate joint policy responses by the NATO members. I think a bigger issue is who is going to call for such a response and under what circumstances. I think, at least in the States, you're always waiting for a cyber Pearl Harbor, a major destructive event. It's much more akin to cyber trench warfare, only the people in the trenches are private citizens and companies, not soldiers or government actors.
What do you do with that? I think that's the problem the alliance has right now. It's not the legal mechanisms for invoking joint defence. That's being worked through and I think in a true emergency case would be invoked correctly anyway. Again, I think the bigger issue is that you could die a death by a thousand cuts, and no one would ever think it was worth raising as an article 5 issue.
A second much more tactical kind of issue to consider is that the U.S. and Canada both have significant cybersecurity intelligence capabilities in the private sector and in the government, but not all of the NATO allies do. If there were a major cyber-incident and you wanted to invoke article 5, how would we convince the other NATO members that anything had happened or that we had correctly attributed the event?
We might be highly confident in the U.S. and Canada in our joint analytic work on that issue. Many countries don't have enough people on the other side of the table to receive it, interpret it and take a political action.
Do they have the kind of experts that we do? I think that's an issue. How do you share that capability to understand and interpret the attribution of major cyber-attacks? Those are the two issues to me.