In May 2008, following sustained nation-state-level cyber-attacks on Estonia the previous year, general James Mattis, Nato's supreme allied commander, described the need for a cyber-defence centre to be “compelling.” The aim was to “provide a capability to assist allied nations, upon request, to counter cyber attack.” By October the centre was granted full Nato accreditation and the CCDCOE (Cooperative Cyber Defence Centre of Excellence) obtained the status of an international military organisation.
Since then the CCDCOE has sought to enhance the capability, cooperation and information sharing among Nato nations and partners in cyber defence via education, research and development, lessons learned and consultation. In particular, the Tallinn Manual aims to establish international law applicable to cyber warfare.
William H Boothby, former deputy director of legal services in the RAF, retired air commodore and an editor on the Tallinn Manual, explains to SC Magazine UK: “The 2007 cyber operations against Estonia and the 2008 cyber events in Georgia demonstrated that this new medium of future warfare should be taken seriously. The Stuxnet operation that reportedly damaged Iranian nuclear centrifuges reinforced the point.”
Discussing the manual's conclusions, Boothby says, “Many of the established legal principles apply surprisingly well to this man-made environment. Certain cyber events could amount to a prohibited use of force under the UN Charter and they even amount to an ‘armed attack’. The law as to what warring parties can attack assumes that there is an act of violence. When using computers to cause harm, the experts concluded that it is the damaging or injuring effects of a cyber operation that are important. Consequently laws as to who or what may be attacked can also sensibly be applied to cyber warfare operations. If the law on attack can be applied to cyber-attacks, the law on weapons can also be sensibly applied to cyber weapons.”
Jamal Elmellas, technical director at Auriga, explains to SC Magazine UK that worldwide, the most targeted verticals are government, energy, financial services and higher education. “We're already seeing sensors deployed on gas and electricity pipelines to monitor supply. These are based on IP and could be susceptible to attack. In addition to the increased attack surface, the stakes are also higher with intellectual property now a prized asset and key motivator.”
Elmellas explains: “Investment in security hasn't kept pace. Many of the energy companies have inadequate risk management security policies and processes and even fail to maintain an updated anti-virus solution. In the UK alone, around 100,000 new pieces of malware are introduced every day. It can only be a matter of time before an attack against an entire nation's energy sector manifests itself.”