This week I’ve been looking at the news that NATO’s set to ratify a new cyber policy which first made public back in June. So far, so boring you might think.
Well, actually this one is pretty significant in that it seeks to extend Article 5 – the collective defence clause that if someone strikes at one NATO member they strike at them all – to the cyber world.
In doing so NATO is going further than individual governments in trying to establish international principles that a cyber attack can be considered the same as a traditional military strike.
However, the chances of the alliance actually invoking Article 5 are pretty slim – as KPMG cyber security partner Stephen Bonner told me it has only happened once before, after 9/11.
“The reality is that few cyber attacks are likely to be of sufficient scale and impact to justify invoking Article 5 – and they would not happen in isolation from a broader deterioration in international security. In other words, if there was a state attack then it would have a broader context,” he added.
“This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.”
That said, I think it’s still an important step.
Some might argue that the lack of clarity around what would be considered an act of cyber war kind of diminishes its value, but as McAfee director of cybersecurity, Jarno Limnéll, told me, this is the right thing to do tactically.
“I think this is wise policy, spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” he argued.
Elsewhere, consultancy BAE Systems Applied Intelligence also welcomed the news.
“Cyber criminals do not respect national boundaries so protecting national interests will require increasing international cooperation,” a spokesperson told me by email.
“It is therefore encouraging to see the increasing priority which cyber is being given in NATO’s agenda. This complements multiple other initiatives nationally and internationally to address a growing security risk and help secure the systems we are increasingly reliant on.”
The new policy will not just concentrate on collective defence clause, of course, and BAE also welcomed the increasing focus on intelligence sharing between member countries and with the private sector.
Whatever the efficacy of NATO’s move, it once again underscores the increasing importance being attached to cyber channels by politicians and military leaders.
As Limnéll said, these are necessary steps given the relative immaturity of the industry.
“We have to remember that we are just living the dawn of the cyber warfare era and the ‘cyber warfare playbook’ is pretty empty,” he told me.
“Most of the destructive cyber tools being developed haven’t been actively deployed. Capabilities to do real damage via cyber attacks are a reality but fortunately there has not been the will to use these yet. However, that is one option, as a continuation of politics, for countries nowadays.”