At a summit of NATO's defence ministers which took place in Warsaw on Tuesday June 14th, it was decided to recognise the reality of cyber warfare, with NATO designating cyber space as an ‘operational domain’.
Speaking after the summit NATO Secretary-General Jens Stoltenberg said that treating cyber as an operational domain would enable NATO to better protect its missions and operations.
“NATO as an organization does not have or does not develop offensive cyber capabilities,” explained Stoltenberg, “but what we are doing is that we are both enhancing our capabilities when it comes to defending our own networks, our own systems, and we help nations develop their capabilities to defend their networks. At our summit in Wales in 2014 we decided to make clear that a cyber attack can trigger Article 5, meaning that a cyber attack can trigger collective defence of the whole alliance because we regard cyber attacks as something that can be as devastating as a conventional attack. [Now] we have taken a step further and that is to recognize cyber as an operational domain, so we have air, land, sea and cyber as operational domains inside NATO and that will further strengthen our cyber capabilities and capacities.”
Industry comments following the NATO announcement include the following:
This is a welcome, if long overdue, recognition that cyber warfare is in fact an important and lethal domain. We would urge NATO and participating governments, as well as their technology providers, to take a modern approach that prioritises securing the data itself from unauthorised access. The threat of intruders taking over control of sensitive systems and commands by gaining access through legitimate accounts is a massive concern. Protecting the physical perimeter of any network has proven to be insufficient.
David Gibson, VP Strategy & Market Development, Varonis
NATO has a fundamental challenge in the cyber domain: The idea of NATO is a collective capability for defense, which, when any one member is attacked, can trigger the appropriate defensive military action. In cyber, NATO has none. Instead, individual member countries, to varying degrees co-operative or suspicious, more or less collaborate to share information on threats, so that each member can defend itself. This has nothing at all to do with the goal of NATO. The organization was founded to protect its members by, in extremis, deploying conventional non-cyber assets to effectively combat a threat on any member of the coalition. But NATO has no assets to deploy in the cyber domain. Each member has carefully managed its own cyber attack techniques, tools and strategies. They each know the vulnerabilities and weak spots of their foes, and all of their peers in NATO. NATO cannot deploy assets to mitigate a cyber attack – the organization is an anachronism from the era of the cold war, and has zero capacity to act in the cyber domain.
Simon Crosby, CTO and co-founder, Bromium