back to article NATO nations 'will respond to a Cyber attack on one as though it were on all'

NATO is set to agree a new cyber defence policy that would mean any severe cyber attack on a NATO member could be considered tantamount to a traditional military attack and invoke the alliance's collective defence provisions. Article V is the collective defence clause of the NATO treaty by which an attack on one member is …

  1. I ain't Spartacus Gold badge

    I'd imagine this is about the most worried NATO nations (the Baltic states probably), trying to secure help from the likes of NSA and GCHQ, should another attack happen. Especially if it lasts for weeks, rather than days.

    I also wonder if it's about NATO offensive cyber-capabilities. I've read a few things about us and the Americans putting money into this. I'm sure we're not the only ones. So NATO might well respond to a cyber attack with one of its own. As well as trying to work out joint defensive measures.

    Just think of the horror if we cut off Facebook and Twitter access to our enemy's ruling elite? Plus their wives and children. I'm sure they'd surrender right-sharpish-double-quick after the ferocious combined nagging that would ensue. Even worse, we could try to disrupt their access to porn! The horror! The horror! Although surely that would be a heinous breach of the geneva conventions on war crimes.

    It would be a bit like the Lysistrata, but with fewer jokes about Spartan cipher rods, and more about dongles...

    1. Yet Another Anonymous coward Silver badge

      So if , for example, Germany's leader was hacked by foreign powers - Nato would attack them?

      1. I ain't Spartacus Gold badge

        Equally, when the Germans hack John Kerry...

        Seriously though, no. Spying is different to warfare.

  2. Elmer Phud
    Mushroom

    Cyber attack?

    Wasn't there a teenager some time back that caused the U.S. military to cack its collective pants?

    1. Triggerfish

      Re: Cyber attack?

      I guess it would be off putting to get up one morning look out your window and find the collected armed forces of several countries parked on your front lawn.

      1. Ole Juul

        Re: Cyber attack?

        I guess it would be off putting to get up one morning look out your window and find the collected armed forces of several countries parked on your front lawn.

        Yes, and they would all be focusing on their laptops cyber attacking away.

  3. Brian Miller

    But it's my neighbors what's done it!

    Once upon a time, a while back, I set up a honeypot on my connection to see what bots were rapping and tapping at my virtual door. It wasn't a raven, but a crowd of my neighbors! The vast majority of bot net zombies were, in fact, in my IP neighborhood.

    So who is the military going to nuke when a DDOS happens?

    I just can't help but imagine that some 12yo is going to start WWIII for shits and giggles.

    1. Eddy Ito

      Re: But it's my neighbors what's done it!

      I just can't help but imagine that some 12yo is going to start WWIII for shits and giggles.

      Especially when it turns out the kid was sponsored by the likes of the CIA in a black op that went as plannedwrong

  4. Trainee grumpy old ****
    Mushroom

    Cardiff?

    >> a NATO summit in and around Cardiff, Wales later this week

    It is in Newport. Many South Walians get a little touchy about their neck of the woods being identified as the 'diff.

    1. I ain't Spartacus Gold badge
      Devil

      Re: Cardiff?

      Well, it's close enough for targetting purposes. So long as you use a large enough nuke...

      1. Anonymous Coward
        Anonymous Coward

        Re: Cardiff?

        in order to take out Newport, whilst dropping the bomb on Caerdiff, you'd need a 5 megaton (Chinese current ICBM) not the wimpy USian 320kt or 1200kt, at least according to this tool

        http://nuclearsecrecy.com/nukemap/?&kt=5000&lat=51.481581&lng=-3.17909&hob_opt=1&hob_psi=5&hob_ft=17519&ff=50&zm=11

        1. Trevor_Pott Gold badge

          Re: Cardiff?

          The Chinese have a 5 megaton nuke that fits on an ICBM? How the hell big is that ICBM?

    2. Anonymous Coward
      Anonymous Coward

      Re: Cardiff?

      That explains why there is a warship parked 100m outside my office and we're surrounded by walls, fences, armed police and NATO security....

      ....in Cardiff.

  5. Primus Secundus Tertius

    But if we attack THEM

    I am wondering whether, if we launched a cyber attack on our enemies, it would succeed. Have there been any trial runs, I wonder? (Disguised as accidents.)

  6. This post has been deleted by its author

  7. Hargrove

    Set to Agree?

    On what?

    Facile analogies between cyber and conventional warfare do not work.

    Not only do we lack the knowledge needed to determine in real-time who attacked, what damage was done, and to assess the practical effect a military response, we don't have a bloody clue how to go about figuring those out as yet.

    This is like the police deciding that they will shoot to kill in response to crimes, without specifying what actions is considered capital offenses and defining clear criteria for determining that one has actually been committed. (Oh wait. . . )

    Remember Miriam Carey. Now imagine turning that mindset loose at national discretion on a global scale.

    This is not to suggest that robust and effective strategic and tactical plans for military response to cyber attack are not needed. I personally believe that the only thing that will stop the hackers (and the damned telemarketers) is the threat of grievous bodily harm. But, the process needs to start with investigation and analysis, and proceed in an orderly fashion to development of strategic plans, practical objectives, and finally tactics. Agreeing to do something without any understanding of what it is you are agreeing to do is just damned silly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Set to Agree?

      Problem with "Cyber Attack" is that once you blow your little wad of exploits in anger, they are Gone, Used Up - except for the side effects:

      Countermeasures will be designed, the code will be be captured and analysed, your own code or mutated versions of it will be released on "innocent" bystanders or allies to show the incompetence of the hackers releasing this attack.

      Standard munitions, you just buy more off and fire it off - it will work pretty much the same way always. "Cyber"-weapons ... it's like the B2, too special to use in case they get shot down.

      1. Trevor_Pott Gold badge

        Re: Set to Agree?

        There are standard munitions.

        DDoS, BGP route poisoning, etc. etc. They just aren't "clever". But they work. Just like slitting someone's threat still works, a million years after we first did it.

  8. Bucky 2

    Wake me when they actually do something

    This is one of those "I'll belive it when I see it" things. Attacks happen constantly, every single day, many by what some consider to be state-sponsored hackers.

    Like the privateers of old, the states that sponsor them just cross their fingers behind their backs and say, "oh, golly, those are just criminals acting against our wishes."

    1. Hargrove

      Re: Wake me when they actually do something

      Attacks happen constantly, every single day, many by what some consider to be state-sponsored hackers

      And things happen in the normal course of business, every single day, that those who govern, whether from paranoia or profit, characterize as attack by forces of e-vil.

      Back in the day, when China was just beginning to re-engage with the rest of the world, one of the things the Chinese Academy of Sciences did was crawl the Web looking for whatever information was available. From their perspective, this was a logical thing to do to play catch up. Search engines do the same thing. The technology to block robotic spidering existed and we used it. That didn't stop certain elements in the government from getting their knickers in a knot over the threat of industrial espionage. Eventually they got over it and got marginally better at focusing on serious targeted efforts.

      A corollary to Hanlon's razor (Never attribute to malice what can be explained by simple stupidity) is Grandpa Hargrove's "Never attribute to malice what can be explained by greed and self interest."

    2. I ain't Spartacus Gold badge

      Re: Wake me when they actually do something

      Bucky 2,

      I think you're failing (along with others) to differentiate between state-sponsored espionage and cyber-warfare. A bit of hacking and eavesdropping is the normal course of daily business. It's why all powers have intelligence and counter-intelligence agencies. Normally all that happens is some ambassadors get interviews without coffee, or in the worst cases, expelled.

      Cyber-warfare means attacks on government networks, banking and infrastructure. So far this has mostly been deniable, small-scale and limited duration. But an attack lasting for weeks, that damages sewerage, water and power infrastructure might call for a more robust response. It might be sanctions or cyber-retaliation. But there's nothing particularly disproportionate in saying, "you broke my power station with your computers, so I'm going to lob a cruise missile at one of yours".

      More likely would be economic damage. So sanctions would seem the better tool. But if Russia (we all know who they're talking about) believes it can get away with this stuff consequence-free, they're much more likely to try it.

      1. veti Silver badge

        Re: Wake me when they actually do something

        The problem with that scenario is in determining, to the satisfaction of a dispassionate observer, who was responsible for a cyber-attack.

        With a conventional attack, it's pretty hard to disguise who's doing it, as Comrade Putin is currently demonstrating so amply. But a cyber-attack is, typically, completely invisible to most people, and even those who do notice it may have the dickens of a time to deduce, let alone prove, where it's coming from. And "who's sponsoring it" is a whole layer of obfuscation further even than that.

        So really, this provision would be enacted - basically - at the politicians' word, with absolutely no question of independent verification.

        The cruise missile you lob in retaliation, on the other hand...

      2. This post has been deleted by its author

        1. I ain't Spartacus Gold badge

          Re: Wake me when they actually do something

          Stuxnet did the most serious damage it could do. It wrecked thousands of extremely expensive centrifuges. I don't know what the risk was of it also contaminating the 2 enrichment sites, but that ought to be unlikely, with proper design, and pretty easy to deal with.

          This is where relative power comes in. For example, Russia can happily bash Ukraine, because there's not a great deal Ukraine can do about it. Anything they do to escalate, Russia can trump. They're biggest card is to cut-off/destroy the gas pipeline between Russia and its European customers. But Ukraine is desperately trying to get support from the EU and NATO, so cutting their fuel supply might not help.

          That's not quite true with the US and Iran, as there are things the US can't politically do. But you have to consider what governments want. Iran wants sanctions removed, as they're buggering-up the economy, and making them very unpopular with the middle classes. - who've already had one go at a limited revolution. So how do they retaliate over Stuxnet when they want access to EU and US financing and industry to update their oil industry?

          Thirdly there's proportionality. Stuxnet was better than the alternatives. Iran chose to break the Nuclear Non-Proliferation treaty it signed up to. Them getting nukes is not an optimum solution. Israel trying to bomb Iran's nuclear program could be as bad, though Israel might not see it that way. And as the US would get large chunks of the blame if Israel did it, I think there was a lot of argument in Washington that the US could do a much better job (with fewer casualties and more damage), so better to get hung for a sheep as a lamb, and do it themselves.

          Stuxnet appears to have been a very good idea (so far). It's killed no-one, and delayed things enough for diplomacy to work. It was also a limited attack, with limited objectives. Is it any worse than massive sanctions on the Iranian oil and finance industries? It's cost the Iranian government much less.

          But in the end, international relations is much less about right-and-wrong, and much more about can-and-can't (and will-and-won't). NATO has the power to retaliate, and deal with the consequences of escalation. So NATO needs to decide whether it has the will to do so. Iran has the capability to retaliate, and the will to deal with the consequences, but limited ability to deal with escalation.

          1. This post has been deleted by its author

            1. I ain't Spartacus Gold badge

              Re: Wake me when they actually do something

              Fukushima was serveral nuclear reactors that got hit by the world's biggest recorded earthquake and then a fucking huge tsunami. Being old designs, and working when hit, they still needed active cooling for at least a month in order to shut down safely. The contamination has mostly come from venting of coolant (as steam and water), in order to keep the reactors from melting down. Hence the contamination.

              Iran will be centrifuging sub-critical amounts, unless they wanted fission inside their factory. So the risk is of direct contamination from uranium. Not from uranium fission products. Uranium's an alpha emitter, rather than beta or gamma radiation. From which your skin will mostly protect you, and a plastic suit and mask will do the rest. Therefore clean-up is easy.

              As I understand it, the software wasn't even supposed to be breaking the centrifuges. Just mis-aligning them slightly so they required massive extra maintenance.

              As to how Iran should respond? I did answer it. What do Iran want? Who knows? But they appear to desperately want sanctions to stop, so they can rebuild their economy. Therefore their response should be to grin and bear it. Dismantle their nuclear weapons program, and get sanctions lifted.

              Alternatively they could start funding terrorists to attack the US and EU, and continue to devlop nukes. Then the US would probably agree with Israel that there was no better option, and bomb their nuclear plants. Or they could threaten to close the Persian Gulf, and stop Saudi oil exports. The last time they tried that NATO put a small fleet in, escorted the tankers, and kept the exports going. They could up the ante, and start using their air-force and surface-to-surface missiles to destroy the ships. Then the US, UK, France and gulf allies would probably bomb their air-force and missile sites. As well as blockade their oil exports.

              They're not good options. I don't think Iran wants to escalate.

              1. This post has been deleted by its author

                1. I ain't Spartacus Gold badge

                  Re: Wake me when they actually do something

                  Why does my thought process scare you? Just because of "big bad scary nuclear", doesn't mean that all nuclear things are equally dangerous. Reactors make more of a mess than spilled uranium enriched to 5% then 20% purity.

                  If you're talking about my comments on Iran's options - I don't think I made any justifications. I personally believe that the world is a worse place with more nuclear powers. Since we can't disinvent the damned things, we're stuck with having some nuclear powers though. But if Iran gets them, then Saudi and Turkey may do the same. The Middle East is already in a mess as it is.

                  In this situation I believe Iran hasn't retaliated because the leadership doesn't see any advantage in doing so. There's no diplomatic or economic sanctions they can use. So that leaves military ones. The biggest threat they can make is to Saudi and Kuwaiti oil supplies. Threatening to bring down the Western economies is likely to lead to a limited war. Which they'd probably lose. They did in the 80s. That's international politics as I understand it. I've made few assertions about morality.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: Wake me when they actually do something

                  "@ I ain't Spartacus....Your thought process & justifications scare me, I can see why the world is the way it is."

                  I wouldn't worry. Our non-Spartican friend seems to give credit to the idea of a cyber attack that disables all of our critical infrastructure. Given the motivations and morality of many of the baddies of this world, if it were feasible it would have been done. Sure you can DDOS a bank. Big deal. You can hack many companies, big deal. You can demonstrate vulnerabilities in some SCADA kit, big deal.

                  But the idea that the whole modern world is simply waiting to be hacked and crashed is bollocks. I've worked in infrastructure for most of my career, with an initial spell in high security defence computing, so I like to think I have a good feeling for the extent of the risk, and I say the prophets of imminent cyber doom are talking out of their arses.

                  1. I ain't Spartacus Gold badge

                    Re: Wake me when they actually do something

                    Ledswinger,

                    I don't believe a cyber-attack could turn off our whole infrastructure. But I'm pretty sure it's possible to quite a lot of damage, with some forward planning. Mostly it's going to be annoyances. But if you can disrupt the economy for a week, that could be the difference between low growth for the year and recession. It's not the end of the world, but costing an opponents economy a few tens of billions for the outlay of a few tens of millions is something to be concerned about.

                    DDoS is inconvenient but seems to be posible (sometimes easy) to work around. Although some of them seem to have got bigger recently, but I'd imagine that'll just shut a few websites, then slow things down a bit for everyone. No big deal.

                    SCADA kit worries me. Security doesn't even seem to have been an issue with the design, and I'm not sure it's that high a priority now. it'd be interesting to know how much of this stuff is actually hooked up to the net. Hopefully not much. Damaging offline stuff with a long-term infection via the update process (as with Stuxnet), would seem to be less of an immediate threat. But if you can get live access to various national systems, there is a possibility you could do some serious damage.

                    If you can control pumping systems, you can cause pressure spikes, and break pipelines in multiple places. Water, oil, and sewage have momentum. By playing around with pumps and control valves, you should be able to get serious water-hammer (I assume with sewage it's called poo-hammer?). Do that repeatedly and you start breaking pipe joints. Hopefully these control systems are properly secured. I do wonder though.

                    Are the 999 systems all safe from attack? Even if you can't get at the emergency systems, I'm sure you could have some fun buggering up less important government big IT. These have so many people that access them, that I'm sure a determined hacker can get in and break things.

                    You can also do some major disruption to the economy by attacking large companies IT. Even more if you're willing to spend the time and effort on attacking small company IT. They won't have the resources to fix things, and many are probably running without backups. Bankrupt a few thousand smaller companies, and watch the recession happen.

                    Therefore the kind of people that we pay to worry on our behalf should be worrying about cyber-attacks, and how to deal with them.

  9. Cipher

    "Cyber attacks are best handled through diplomatic channels, according to one seasoned IT security pro"

    Because diplomacy always works so well...

    The correct response would tit for tat, with tit being > than tat by a factor of 10...

    1. I ain't Spartacus Gold badge

      Depends on your objectives. Escalation is a choice. And not always the best one. As are the means of escalation. Warfare can be cyber or economic, as well as military. You may decide that you'd prefer to put up with this level of damage, rather than risk things getting worse.

      I guess it depends on if you count sanctions as economic warfare of diplomacy though? I guess this is where your von Clausewitz comes in. War is simply another tool of diplomacy. Although I guess that would mean that nuking someone would also count as diplomacy? Hmmm.

      As someone has said earlier, it's much harder to prove where cyber-attacks are coming from. Particularly if you do most of the work via a bot-net. Although it's usually obvious. Unless a country has two enemies, both intent on destabilising them with massive cyber-attacks. Europe is rather peaceful at the moment, and the only power that's aggressively expansionist is Russia - so that makes things a little easier to work out.

      But then diplomacy is also about how things look. So bombing someone for a cyber attack you can't prove they did, is going to look rather bad. Particularly as you're unlikely to get UN approval. It's easy to sow some doubt, and spout lots of propaganda. See Russia over Ukraine for an example, where there's far more concrete means of gathering evidence. Also the fuck-up over the Iraq war still haunts the diplomatic landscape.

      1. Trevor_Pott Gold badge

        "and the only power that's aggressively expansionist is Russia"

        Tell that to Taiwan.

        Remember, China may have little interest beyond what it considers to be it's "historic range", but that's still a lot of territory, people and resources it needs to conquer to get where it wants to go. A Sino-Russian military alliance that allows both nations to "recover lost territory" is not out of the question at all.

        The west looks weak; all talk, no action, and the time for the powers to start fighting over the last remaining (easily accessible) natural resources is upon us. This is why China and Russia are spamming money and aid all up and down Latin America and Africa. They're earning friends the hard way, while western powers use fear and intimidation on those same countries.

        The major non-western powers are girding up for war, they just aren't quite ready to jump yet. They learned from the mistakes made by the Axis in World War II; they'll make sure to set the playing feild up before running loose on it.

      2. Queasy Rider

        it's much hit's much harder to prove where cyber-attacks are coming from

        "It's much harder to prove where cyber-attacks are coming from," and that scares me the most. Lord knows how many times in history some force has faked an attack on itself to use a pretext to strike an adversary, but we all know the Nazis did it, and the Americans did it in Vietnam (Gulf of Tonkin). A fake cyber attack is the perfect war monger's tool.

  10. Anonymous Coward
    Anonymous Coward

    what is their policy on FalseFlag operations?

    i.e, say NATO allowed a bunch of rebuls under their corntrol to DDoS a Malaysian embassy website inside a NATO counry, would NATO then attack itself? again??

  11. HereWeGoAgain

    'the Iranian nuclear weapons programme'

    Iran doesn't have a nuclear weapons programme. Please get your information from somewhere other than Fox 'News'.

    1. I ain't Spartacus Gold badge

      Re: 'the Iranian nuclear weapons programme'

      Pull the other one, it has got bells on it.

      They may not have the ultimate intention of building a bomb, it's almost impossible to prove intentions, particularly in a dictatorship. Which is why intelligence deals with capabilities. They have a rocket program (space or ICBM). They built a secret uranium enrichment site, hardened against military attack, and failed to declare it to the IAEA as they are supposed to by a treay they signed (NNPT). They have been working on precision triggering of explosives, also required for nukes - and I'm not even sure if that has a civilian use. That's also from the IAEA reports. They've also refused to dismantle their uranium enrichment program when offered treaty-guaranteed cheaper nuclear fuel deals from Russia (who're building their reactor), paid for by the US.

      So even if they don't have a nuclear weapons program (which they patently obviously do), they've been doing everything to make people think that they have a nuclear weapons program.

      There's a theory that the Iranian leadership want the ability to build a bomb, without actually doing it. Then they can have the threat of it, without the consequences, or use it as a bargaining chip for something they want. But if true, that policy is indistinguishable from planning to build a bomb, so the response ends up being the same.

      Negotiation is hard when you cheat, and then get caught. It'll be incredibly tough to get a solution to the Ukraine crisis, because Putin has blatantly, and often contemptuously, lied at every stage of the conflict. So no one is going to trust him - which makes it hard to come to any deal.

      Iran has a similar problem. No-one believes its denials about its nuclear program because it's broken the terms of its treaty saying it wouldn't develop nuclear weapons, and then says it only broke the treaty in order to develop a civilian nuclear program in secret. And none of the secret stuff was military, honest guv.

      Lying poisons diplomacy. If Blair and Bush had said we're going to war with Iraq for reasons of policy there'd have been much fewer problems. There were plenty of justifications to use, but none that would get a UN resolution. Going the chemical weapons route, when there was little intelligence about the state of the program was a huge risk. Everyone knew the UN had only destroyed about 80% of Iraq's stocks in the 90s, and they still had the scientists and knowledge to make more. But basing so much on such limited intelligence, and being wrong, has done massive damage to the credibility of the US and UK. And has buggered-up international diplomacy for at least the 2 decades.

      1. Trevor_Pott Gold badge

        Re: 'the Iranian nuclear weapons programme'

        "declare it to the IAEA as they are supposed to by a treay they signed (NNPT). They have been working on precision triggering of explosives, also required for nukes - and I'm not even sure if that has a civilian use"

        Deep bore mining. Very important if you want to sink boreholes because you are a tiny little country and most of your resources are covered in sand and burning.

        "Lying poisons diplomacy."

        Hence why politics sucks everywhere you go, and has since before our species was verbal.

      2. HereWeGoAgain

        Re: 'the Iranian nuclear weapons programme'

        Well in fact you are completely wrong.

        The Americans have said there are things that Iran would have to do to produce a bomb, and it has not done them. Therefore there is no nuclear weapons program. There is just suspicion that they might. Well so might anyone.

        As for being in breach of the various treaties, America is also in breach. It has provided nuclear assistance to India, despite India having an undeclared nuclear weapons program. That is a clear breach of the treaties, by America.

        Nobody believes America any more. Bush 'We don't torture'. Obama: 'we tortured some folks'. America has no credibility.

        As I wrote, please get your information from somewhere other than Fox News.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon