This week I’ve been looking at the news that NATO’s set to ratify a new cyber policy which first made public back in June. So far, so boring you might think.
Well, actually this one is pretty significant in that it seeks to extend Article 5 – the collective defence clause that if someone strikes at one NATO member they strike at them all – to the cyber world.
In doing so NATO is going further than individual governments in trying to establish international principles that a cyber attack can be considered the same as a traditional military strike.
However, the chances of the alliance actually invoking Article 5 are pretty slim – as KPMG cyber security partner Stephen Bonner told me it has only happened once before, after 9/11.
“The reality is that few cyber attacks are likely to be of sufficient scale and impact to justify invoking Article 5 – and they would not happen in isolation from a broader deterioration in international security. In other words, if there was a state attack then it would have a broader context,” he added.
“This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.”
That said, I think it’s still an important step.
Some might argue that the lack of clarity around what would be considered an act of cyber war kind of diminishes its value, but as McAfee director of cybersecurity, Jarno Limnéll, told me, this is the right thing to do tactically.
“I think this is wise policy, spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” he argued.
Elsewhere, consultancy BAE Systems Applied Intelligence also welcomed the news.
“Cyber criminals do not respect national boundaries so protecting national interests will require increasing international cooperation,” a spokesperson told me by email.
“It is therefore encouraging to see the increasing priority which cyber is being given in NATO’s agenda. This complements multiple other initiatives nationally and internationally to address a growing security risk and help secure the systems we are increasingly reliant on.”
The new policy will not just concentrate on collective defence clause, of course, and BAE also welcomed the increasing focus on intelligence sharing between member countries and with the private sector.
Whatever the efficacy of NATO’s move, it once again underscores the increasing importance being attached to cyber channels by politicians and military leaders.
As Limnéll said, these are necessary steps given the relative immaturity of the industry.
“We have to remember that we are just living the dawn of the cyber warfare era and the ‘cyber warfare playbook’ is pretty empty,” he told me.
“Most of the destructive cyber tools being developed haven’t been actively deployed. Capabilities to do real damage via cyber attacks are a reality but fortunately there has not been the will to use these yet. However, that is one option, as a continuation of politics, for countries nowadays.”
All the talk this week has been of the Russian mega-hack. A data breach revealed first in the New York Times by a security firm called Hold Security of an estimated 1.2 billion username and password combinations and 500 million email addresses.
So what can we say about it?
Well, according to the security experts I spoke to we can summarise as follows:
- It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
- The best we can hope for is it will encourage people to use password managers, or at least stop sharing passwords across sites, and improve the strength of those passwords.
- It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained and exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
- Online firms should see this as a wake-up call. Patch those SQL flaws and keep passwords more secure – by doing this you’ll remove the “lower hanging fruit” these Russian attackers clearly went for.
Beyond that, Thales UK head of cyber security, Peter Armstrong told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.
“Once of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.
“Threat Information Exchange must remain a philosophy of openness and community benefit not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger black listing of organisations for bad behaviours from a community perspective and under those circumstances it is only the cyber criminals who benefit.”
For KPMG cyber security director, Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.
“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.
“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”
For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.
“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.
“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest. If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”
News of the World private investigator Glenn Mulcaire was this week revealed to have gone to extraordinary lengths to hide his illegal tapping of celebrities’ voicemails: hacking an ATM to use its phone line.
I covered the story here for Infosecurity Magazine but thought it was worth including some extra comments.
Mulcaire’s cover was finally blow when BT sent a bill for the landline to the ATM owner, who forwarded it to the convenience store in which it was located, in a scruffy part of south London.
Sophos senior security advisor, Paul Ducklin, explained to me that Mulcaire probably chose an ATM line rather than tapping a copper phone line via other means, for several reasons.
“1. Unlike a fax machine the line never plays through a speaker for feedback purposes. Fax machines usually play their modem noises for a few seconds as part of the ‘user interface’.
2. If you interrupt a data transmission, the system will probably sort itself out automatically later on and no-one will realise that it was deliberate, rather than just a glitch. And you’ll hear the modem trying to come on-line, so you can hang up temporarily to get out of the way.
3. It’s likely to be a rented service that bundles in the phone line, so the bills probably go through a convoluted route to the person where the line is actually installed, making detection more complex – as happened here.”
He stressed the important of business owners checking their phone statements, just as one should bank statements or those belonging to online accounts, for any signs of suspicious activity.
“Cybercriminality usually leaves traces, and the one thing you can be sure of if you don’t make a habit of looking for those traces is that you won’t find them,” Ducklin told me.
“In various recent high-profile credit card breach cases, the afflicted retailer found out because someone outside the organisation noticed suspicious patterns of fraud. Best not to wait until someone else finds out before you do.”