NATO leaders meeting in Wales this week, including US President Obama and UK Prime Minister David Cameron, are set to impose a much tougher cyber defence policy and declare that a cyber attack on any one member country is an attack on them all – a move that one leading UK expert calls potentially “one of most significant developments in cyber warfare”.
The move will mean that all 28 NATO nations treat a cyber attack as seriously as physical warfare, with much more serious consequences for any country that ‘bullies' a small NATO member.
The summit, which is being held at Newport's Celtic Manor resort on 4,5 September, is the largest gathering of international leaders ever to take place in Britain. The main venue has been surrounded by a 10-mile ‘ring of steel' of high-security fencing to protect against terrorist attacks.
And NATO has confirmed that the summit, which German Chancellor Angela Merkel and French President François Hollande are also due to attend, will “address issues which threaten NATO countries' national security, from terrorism to cyber attacks”.
The new ‘collective defence' policy will cement a NATO declaration in June that “cyber defence is part of the alliance's core task of collective defence and international law applies in cyberspace”.
The move has been flagged by publications including the New York Times, based on briefings with NATO officials. The NYT said this week: “NATO leaders are expected to ratify a far-reaching change in the organisation's mission of collective defence: for the first time, a cyber attack on any of the NATO nations could be declared an attack on all of them, much like a ground invasion or an airborne bombing.
“The most obvious target of the new policy is Russia, which was believed behind computer attacks that disrupted financial and telecoms systems in Estonia in 2007 and Georgia in 2008, and is believed to have used them in the early days of the Ukraine crisis as well.”
Perhaps significantly, the NATO summit is being attended by dozens of other countries ‘allied' to NATO - including Ukraine which is currently combatting pro-Russian insurgents.
The policy will give smaller NATO countries – including Albania, Bulgaria, Estonia, Hungary and Poland – the cyber security protection of the big hitters such as the US, UK, France and Germany.
It is not yet clear what scale of cyber attack will prompt what kind of retaliation, but the tough stance has been welcomed by UK cyber security experts.
Alan Woodward, a visiting professor at Surrey University's Computing Department and an adviser to Europol, told SCMagzineUK.com: “This could turn out to be one of most significant developments in cyber warfare.”
He explained: “To date cyber attacks by one nation on another have been taken as almost an annoyance. Now we have the whole of NATO agreeing that they will act as one in the event of member states being attacks. In effect, we have now entered a world where cyber warfare is just part of warfare.
“The consequences are serious – imagine a larger country ‘bullying' a smaller country with cyber attacks, which has been part of many of the conflicts on our daily news. If that smaller country is a member of NATO, the bully is likely to find themselves in a fight they didn't originally envisage.
“It should make non-NATO members think twice about attacking any member, but I suspect there will be a few unfortunate skirmishes before the lessons are learned.”
Professor Mike Jackson, an expert on cyber warfare from Birmingham City University, agreed the new approach will be vital to protecting NATO countries and will promote the information sharing needed to combat cyber attacks.
He told SCMagazineUK.com via email: “Cyber security will be key to protecting the Western democracies in the coming years. This makes clear that cyber attacks are not just annoyances but that they are significant at the strategic level. It also recognises that sharing information about the nature of attacks is important in defeating them.
“Traditionally organisations and countries have been reticent in admitting they have been the target of attacks as this might indicate weaknesses. By sharing information about attacks, NATO countries will be able to construct viable defences.”
Rob Cotton, CEO at global information assurance firm NCC Group, urged businesses to learn from NATO's hard-hitting reaction to cyber attacks.
“Businesses must take note of the strengthening of NATO's stance and realise that the threat posed has the potential to make a very real impact on each and every one of us,” Cotton said in a statement to journalists.
He added: "NATO's assertion that a significant cyber attack could be as devastating as a physical one is not alarmist. From logistics to power distribution, and the financial markets to transport signalling, systems are increasingly interconnected and therefore vulnerable.
"Historically too many organisations have relied on a risk-based approach, with key security decisions made by people with a lack of understanding or appreciation of how real-world attacks occur.”