A group of NATO members are considering altering cybersecurity policies to allow governments to attack back, rather than working only in a defensive capacity.
The U.S., UK, Germany, Norway, Spain, Denmark and the Netherlands are working on a set of cyber warfare principles, according to Reuters. These principles would guide their respective militaries on when cyber-attacks would be justified, in much the same way as existing rules for conventional warfare.
The countries concerned are looking to agree on the principles by early 2019. The organisation has already recognised cyber as a domain of warfare, alongside land, air and sea, but not in a detailed way.
“I need to do a certain mission and I have an air asset, I also have a cyber asset. What fits best for me to get the effect I want?” said NATO Cooperative Cyber Defence Centre of Excellence head of strategy, Michael Widmann.
“There’s a change in the (NATO) mindset to accept that computers, just like aircraft and ships, have an offensive capability.”
The discussions take place against a backdrop of constantly increasing cybersecurity activity, including the growth of state-sponsored attacks. There have been consistent accusations that hackers are coming from within Russia, China and North Korea. Earlier this year, Symantec found that a hacking group with close ties to Russia had been making targeted attacks against western security infrastructure.
It is not unheard of for western states to carry out cyber-attacks – it has been widely alleged, though never confirmed, that the U.S., with possible assistance from Israel, worked to disable Iranian nuclear centrifuges through a virus called Stuxnet.
Though these discussions are taking place within NATO, the organisation’s chiefs will not themselves develop an arsenal of cyber weapons. Instead, they will be able to request that member nations allow them use of their weapons.
However, security industry insiders urge caution. Brian Chappell, senior director at cybersecurity firm BeyondTrust, commented: “Defence is, and should remain, the first and primary course of action when looking at any conflict. Unfortunately, as has been proven and continues to be proven, a heavier-handed response is often required with more aggressive responses being needed.
“Let’s be under no illusion, cyber weapons have the potential to cause mass destruction. Weapons of mass destruction remain as a deterrent for many countries. Cyber weapons of mass destruction would hopefully fulfil the same role, not to be deployed but held as a deterrent to those looking to go on the offensive.”