Nato's ability to respond to cyber-attacks is dependent on the defence capabilities of its 29 member states. Dr James Shea, deputy assistant secretary general for emerging security threats, Nato, explained to delegates at the Cybersecurity for CNI symposium that each member has signed up to a ‘cyber defence pledge' which encompases its capabilities, training, skills and organisation with all the states developing a unified model of assessing capability - thus one nation may be an A, another C+ and the states are then able to benchmark themselves against their allies.
Shea note that one result has been a significant increase in expenditure on cyber security - helping overcome US objections to previous lack of defence spend by some members - with Nato NCIA playing a role in identifying and stress testing each technical solution, covering cost, life cycle, risk assessment, thus providing a list of trusted suppliers that are certified to provide assistance.
Standardisation is also sought in approach, thus a standardised attribution methodology will allow the countries to work together, and the example given by Shea was the UK response to the Novichok poisoning, in which the UK shared its attribution data with its allies which was credited as giving them the confidence to work together in a common response (expelling Russian diplomats) which was far more powerful than if the UK had acted alone.
Shea noted how, in the physical world, the possession of nuclear weapons by Nato had acted as a deterrent to attacks, whereas in the cyber-world, the perception was that the gains from cyber-attacks could be substantial while the risks of being caught or retaliated against were low - thus it is now necessary to identify what would act as a deterrent in this scenario, given that effective deterrence and effective response are key roles of the organisation.
“We need there to be a high risk and low gain; it needs to be likely you will be identified, named and shamed, have sanctions against you. Maybe we put malware on our own systems to steal the data back that gets stolen, or destroy it or render it useless. There are questions about whether the private sector should also be able to do that, or only the government. But we don't yet know in cyber what would be the deterrent [that works], so we are expanding our toolbox,” said Shea.
While no clear cut answers were offered, Shea clarified the problem for cyber-defenders. Because cyber attacks are mostly not considered article 5, able to trigger a military response, the issue is how to respond to them in a way that de-escalates rather than escalates the conflict - both for attacks on military and on CNI.