Nato leaders are expected to accept that there is no distinction between cyber attack and physical attack at the organisation’s 2014 summit in Wales this week.
The endorsement of an enhanced Nato cyber defence policy is expected to be one of the main outcomes of the two-day meeting in Newport.
The update of the 2011 policy to keep pace with technology developments includes changing Nato’s mission of collective defence with respect to cyber attacks.
“The new cyber policy has already been endorsed by Nato’s 28 member countries, and I have no doubt the heads of state and government will do the same,” said Jamie Shea, Nato deputy assistant secretary general for emerging security challenges.
“For the first time we are making an explicit link in this policy between cyber attacks at a certain threshold and the invocation of a Nato article 5 collective defence as part of the treaty,” he told Computer Weekly.
Article 5 of the North Atlantic treaty requires member states to come to the aid of any member state subject to an armed attack, which includes cyber attack in the new cyber defence policy.
But at what threshold collective defence will be triggered, and how this threshold will be measured, will remain secret as a form of deterrent.
“We are keeping that ambiguous so a potential aggressor does not get the idea they can carry out cyber attacks up to a certain level with impunity,” said Shea.
This recognises that some cyber attacks could have the same level of disruption on Nato countries and economies as conventional warfare.
Shea outlined this and other aspects of Nato’s proposed cyber defence policy at pre-Nato conference hosted by the University of Cardiff.
The Nato after the Wales Summit conference brought together academics, government, defence and cyber security experts from around the world to debate how to prepare Nato for its role in the future.
Another key element of the enhanced cyber policy is to expand Nato’s cyber defence capabilities beyond the organisation itself to provide assistance to individual member countries.
“If Nato is to become a coherent cyber community, we have to narrow the differences between the cyber defence capabilities of the member counties,” said Shea.
Nato has agreed a series of actions that can be taken in the form of assistance to allies, he said, including training, education, exercises, malware intelligence sharing, early warning, and incident response.
To ensure this goal can be reached, Nato has used its defence planning process to get each ally to achieve specific cyber defence commitments by a certain date.
These commitments include actions such as putting in place the basics of a coherent cyber defence strategy, establishing a national computer emergency response team and building forensics capabilities.
To narrow the differences and create a community of trust, Nato had to construct a fundamental political agreement in which countries with cyber defence capabilities will make them available to allies in return for those countries upgrading their capabilities to a certain standard, Shea told pre-summit conference.
“Nato is not trying to become a substitute for a lack of national efforts, so it is offering help, but with the pre-requisite that all members make basic national efforts to upgrade their systems,” he said.
The third key element of the enhanced Nato cyber defence policy is multi-national co-operation in cyber defence, which includes the concept of “smart defence” through pooling and sharing capabilities.
Nato already has three cyber “smart defence” projects, involving 20 member countries. The first is looking at decision making in a crisis, the second is a training and education programme, and the third is a malware-sharing platform.
“This is aimed at enabling countries with a lot of cyber attack information to share it with other allies by breaking the information down into standardised, anonymised and actionable packages,” said Shea.
The multi-national co-operation element will also include a focus on industry through setting up a Nato cyber industry partnership (Ncip).
This Ncip will attempt to replicate at a Nato national level the private-public partnerships in member countries such as the UK’s cyber security information sharing partnership (Cisp).
The Ncip, which the UK is actively supporting, will enable Nato to work with industry on things like supply chain management, risk assessment, information assurance, and early warning best practices.
At Nato’s annual information assurance symposium later this month, the organisation plans to meet industry representatives to discuss the proposed Ncip to gauge their interest.
“We will discuss things like what benefits they would expect from the Ncip, what things could be shared, ways of building trust, and what level we can work with each other,” said Shea.
Finally, he said, the enhanced cyber defence policy factors cyber attack scenarios much more heavily into Nato’s military operational planning.
This means that all future Nato military exercises will involve a cyber component and look at the challenges of running military operations in a degraded cyber operating environment.