This week I’ve been looking at the news that NATO’s set to ratify a new cyber policy which was first made public back in June. So far, so boring you might think.
Well, actually this one is pretty significant in that it seeks to extend Article 5 – the collective defence clause that if someone strikes at one NATO member they strike at them all – to the cyber world.
In doing so NATO is going further than individual governments in trying to establish international principles that a cyber attack can be considered the same as a traditional military strike.
However, the chances of the alliance actually invoking Article 5 are pretty slim – as KPMG cyber security partner Stephen Bonner told me, it has only happened once before, after 9/11.
“The reality is that few cyber attacks are likely to be of sufficient scale and impact to justify invoking Article 5 – and they would not happen in isolation from a broader deterioration in international security. In other words, if there was a state attack then it would have a broader context,” he added.
“This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.”
That said, I think it’s still an important step.
Some might argue that the lack of clarity around what would be considered an act of cyber war kind of diminishes its value, but as McAfee director of cybersecurity, Jarno Limnéll, told me, this is the right thing to do tactically.
“I think this is wise policy, spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” he argued.
Elsewhere, consultancy BAE Systems Applied Intelligence also welcomed the news.
“Cyber criminals do not respect national boundaries so protecting national interests will require increasing international cooperation,” a spokesperson told me by email.
“It is therefore encouraging to see the increasing priority which cyber is being given in NATO’s agenda. This complements multiple other initiatives nationally and internationally to address a growing security risk and help secure the systems we are increasingly reliant on.”
The new policy will not just concentrate on the collective defence clause, of course, and BAE also welcomed the increasing focus on intelligence sharing between member countries and with the private sector.
Whatever the efficacy of NATO’s move, it once again underscores the increasing importance being attached to cyber channels by politicians and military leaders.
As Limnéll said, these are necessary steps given the relative immaturity of the industry.
“We have to remember that we are just living the dawn of the cyber warfare era and the ‘cyber warfare playbook’ is pretty empty,” he told me.
“Most of the destructive cyber tools being developed haven’t been actively deployed. Capabilities to do real damage via cyber attacks are a reality but fortunately there has not been the will to use these yet. However, that is one option, as a continuation of politics, for countries nowadays.”
Last week APT and anti-malware firm FireEye announced the creation of a new Cyber Security Centre of Excellence (CoE) in partnership with the Singaporean government. It didn’t make many headlines outside of the city state but I think it’s worth a second look for a few reasons.
First up, FireEye is pledging 100 trained security professionals to this new regional hub, to provide intelligence to help the local government protect its citizens and infrastructure from attack as well as benefitting the vendor’s customers across APAC.
FireEye is one of the few infosec companies I’ve spoken to in this part of the world that is prepared to talk at length about the specific problems facing organisations in the region. More often than not when I try to go down this avenue with a vendor I’ll be told about how threats are global these days and attacks follow similar patterns no matter where you are on the planet.
While I know this is true to an extent, it was nevertheless refreshing to hear FireEye’s APAC CTO Bryce Boland tell me that the reason for building a team in Singapore was to have the necessary local language and cultural skills to deal with specific regional threats.
“We have a lot of countries here, many of which have tense relationships, so we see a lot of that boil over into cyber space,” he told me.
As well as the various hacktivist skirmishes that periodically hit the region, such as those between the Philippines and Indonesia or China and Japan, there are also more serious IP-stealing raids, which stem from the fact that APAC represents more than 45 per cent of the world’s patents, Boland added.
As a result, regional organisations face almost twice as many advanced attacks as the global average.
Another reason the news of FireEye’s new CoE warrants attention is what it says about the approach to cyber security by the respective governments of Singapore and Hong Kong.
Although Hong Kong threw HK$9 million (£730,000) at a new Cyber Security Centre in 2012, my impression is that Singapore is more proactive all round when it comes to defending its virtual borders.
It was a view shared by Boland, who pointed to Singapore’s ability to attract and support infosec players looking to build regional headquarters there, as well as its efforts to attract globally renowned speakers to an annual security expo.
In my experience, what few events there are in Hong Kong are poorly attended, attract few speakers from outside the SAR, and rarely provide the audience with anything like compelling or useful content.