Security community urges caution on offensive cyber defence

Some Nato countries are reportedly considering responding to cyber attacks with offensive cyber strikes, but security industry commentators warn of dangers

Seven of the 29 Nato countries are reportedly considering using cyber attacks designed to bring down enemy networks in response to state-sponsored cyber attacks.

The UK, the US, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles, according to Reuters.

The group of Nato countries aims to reach agreement by early 2019 about what justifies deploying cyber attack weapons.

News of the move comes after months of growing accusations that countries such as Russia, China and North Korea are using hacking groups to undermine Western democratic processes and steal intellectual property.

UK officials said recently that they have intelligence showing persistent Russian cyber hacks aimed at UK and other European energy and telecommunications networks, coupled with online disinformation campaigns.

“There is a change in the [Nato] mindset to accept that computers, just like aircraft and ships, have an offensive capability,” said US navy commander Michael Widmann at the Nato Cooperative Cyber Defence Centre of Excellence.

As far back as 2011, UK officials revealed that the UK was developing cyber weapons to help counter growing cyber threats to national security, while the US is also known to have cyber weapons, with US officials also declaring in 2011 they would respond to hostile cyber attacks.

Some Nato allies reportedly believe that shutting down an enemy power plant through a cyber attack could be more effective than air strikes.

Cyber threats are one of the most pressing priorities for Nato, Sorin Ducaru, the organisation’s assistant secretary general for emerging security challenges, told the CyberSec European Cybersecurity Forum in Krakow in October 2017.

Cyber threats have been on Nato’s radar since 2002, he said, but it was only in 2014 that cyber was linked to Nato’s mission of collective defence. In the 2014 update to the cyber defence policy, Nato made an explicit link between cyber attacks at a certain threshold and the invocation of the treaty’s article 5 collective defence provision.

Article 5 of the North Atlantic treaty requires member states to come to the aid of any member state subject to an armed attack, which has included cyber attack since 2014, but Ducaru said Nato’s defensive mandate remained unchanged, and, like the other domains, everything it does remains in line with international law.

However, he added that although Nato would not develop or acquire any capabilities other than purely defensive ones, like the other domains, it could rely on “voluntary contributions” of a range of capabilities from allies to support operations and missions.

Bill Evans, senior director at security firm One Identity, said that while Nato adversaries are certainly developing cyber weapons, there are risks to responding in kind.

“Unlike smart bombs that can pinpoint the damage to an airstrip or enemy fortress, cyber attacks are far less specific,” he said. “Consider an attack at an enemy’s power station. Surely this will cut off power to the enemy’s ground forces, but it might also pull the power from a local hospital or senior citizens’ facility – certainly not the moral high ground that Nato prefers.”

Over time, Evans believes cyber warfare will become more focused, just as bombs have in the past 50 years. “But today, consideration should be given to the possible collateral damage cyber warfare might cause before a deployment decision is made,” he said.

Lee Munson, security researcher at Comparitech.com, said that given how notoriously hard it is to attribute so-called nation state attacks to any given country, rather than bad actors within it, or even a false flag operation, this move by Nato is a potentially dangerous one.

“Especially given the fact that Nato is, in my opinion, lagging behind many of the nations it would wish to attack in terms of ability and resources,” he said. “What is more, escalation in this arena is only likely to lead to more sophisticated and damaging attacks being developed by all sides, something which could potentially see critical infrastructure becoming a more valid and reachable target.”
