Exploit a flaw or go to war? NATO's cyber battle rules raise more questions than they answer
Special Feature
Later this week, ministers are due to ratify NATO's new cyber defence policy. As exclusively revealed by ZDNet in June, the new policy means that a digital attack can now be considered as the equivalent of an attack with tanks or rockets — and thus could trigger NATO's collective defence clause.
Known as Article 5, the clause states an attack against one member of NATO "shall be considered an attack against them all". This concept is at the very heart of the organisation — the largest military alliance in the world — making the decision to add coverage of cyber attacks to the clause a significant move.
The new policy also includes some detail around cyber defence governance and how members would assist a country under cyber attack, plus the integration of cyber defence into operational planning, including civil emergency planning. NATO also wants to improve information sharing with industry.
The change in policy reflects how digital attacks have become a common element of many military campaigns, and is intended as a deterrent, because until now it's not been entirely clear if, say, hacking a nation's power grid could be considered to be an act of war.
As such, NATO will be hoping that by clarifying its policy it is issuing a warning to state-sponsored hackers, who have grown increasingly bold. But the new policy also leaves a number of tricky questions unanswered.
Firstly, NATO hasn't set out what kind of attack would trigger an the collective defence clause, and some — a former supreme allied commander at NATO — argue the policy does not go far enough.
That vagueness may be useful for its deterrent value, but in reality it may make it harder for the alliance to reach agreement about when to respond to a digital assault.
And it's often very hard to tell who is responsible for a cyber attack, and any military situation is likely to include a range of attackers from hackers pursuing their own agenda or those with implicit government backing, and military cyber units. Working out who has done what is extremely hard.
Also, it's not clear what form a response would take. for example, at what point would a digital attack on a member state trigger a response with conventional weapons? If NATO chooses to respond in kind, there are other complications: it doesn't have its own cyber weapons, but has to rely on members (which really means the US and the UK), who are reluctant to share details of what they have.
And, unlike conventional weapons, once a cyber 'weapon' is used (usually a package exploiting a zero-day flaw) it can't be used against another target because the software flaw it exploits will be patched immediately after the vulnerability becomes know. This makes it harder to maintain a deterrent because there is a finite number of weapons (and targets) available to use: while a bomb can be dropped on any target, digital weapons will have an impact on the particular systems they were designed to attack.
Still, NATO's policy may have a knock-on effect — it may make governments and law enforcement take IT security more seriously than they have before.
Not all NATO members have invested in cyber defence until now, which is why the new policy also sees the alliance helping member countries in their efforts to protect their own critical infrastructures by sharing information and best practices. It may also see some NATO members help others to develop their national cyber defence capabilities, potentially a good thing for cyber security in general.
More broadly, however, NATO's move will do little about the much bigger problem of cyber espionage, the campaigns of state-sponsored hacking aimed at stealing intellectual property, which has been gathering pace over the last few years. It may do little to stop NATO's rivals from preparing for cyber battle either — and may even encourage a few to start their preparations for fear of getting left behind.
NATO has said the new policy and its implementation will be kept under close review and will be refined and updated in line with the evolving cyber threat. If this version does not prove to be deterrent enough, a stronger stance may become necessary soon.