NATO Can’t Agree On What A Cyber Attack Is

Uploaded on 2018-10-01 in NEWS-Cybersecurity News, INTELLIGENCE--International, GOVERNMENT-Defence, FREE TO VIEW

Estonia’s new ambassador-at-large for cyber security, Heli Tiirmaa-Klaar, recently explained to the Wall Street Journal that “compared to many other security fields, in cyber we have reached maybe 10 percent of total readiness to understand the threats, to respond to threats and also to prevent the threat or maybe deter the threat. We have lots of room for development.” 

She’s right; just look at the most basic of metrics: How do governments count cyber-attacks? How do they classify them?

The problems, imprecision of language, and a lack of policy, can be seen in a trio of official quotes from a single month last year. On Jan. 7, French Defense Minister Jean-Yves Le Drian warned that 2016 had seen 24,000 cyberattacks against French defense targets, and that the attacks were doubling every year. 

On Jan. 8, the Financial Times reported off an interview with EU security commissioner Sir Julian King that “there were 110 separate attempts to hack the European Commission’s servers in 2016, a 20 percent rise on the year before.” And on Jan. 19, NATO Secretary General Jens Stoltenberg told Die Welt that “there was a monthly average of 500 threatening cyber-attacks last year against NATO infrastructure that required intensive intervention from our experts. That’s an increase of 60 percent compared to 2015.”

Clearly, the figures were all over the place. But why? Did all three officials count cyberattacks differently? And if so, what standards and metrics did they apply? 

So in October, I emailed their institutions to ask what incidents were included in their numbers (pings, port scans, phishing emails, malware infections, DDoS, etc.) and whether their standards and metrics were public. The French MoD never got back to me. 

The NATO press office said it could answer the question, because the alliance does “not comment on the nature of attacks or the methodology that NATO uses to qualify some incidents as attacks.” The European Commission’s IT Security Directorate politely explained that “we report internally on these figures but we do not publish this detailed information.”

But without published standards and discernable metrics, such warnings are of no real value to the public. We simply do not know whether 6,000 annual attacks against NATO’s infrastructure is a lot or whether any of the 24,000 attacks against the French MoD were serious. All we know is that something was counted by someone somehow to somewhat explain the threat environment.

To widen my inquiry, I also got in touch with the Dutch National Cybersecurity Center and Estonia’s Information System Authority, or RIA. The Dutch center coordinates the government response to cyber crises in the Netherlands and also serves as the Dutch central government’s Computer Emergency Response Team. Similarly, RIA coordinates the development and administration of Estonia’s information system and handles security incidents that have occurred in Estonian computer networks. Both adhere to certain baseline standards and metrics to count and categorise cyber incidents that are reported to them, and summarize their findings in annual reports.

When asked, these organisations whether their respective governments had a single set of reporting standards and metrics, they said no. 

Officials with the Netherlands center emailed to say that “there is no single definition which applies to all Dutch ministries on what constitutes a cyber-attack or critical incident” and that “Ministries are responsible for their own incident registration, including definitions and escalation procedures.”

RIA responded similarly, “there is no formal, universally applicable classification criteria for cyberattack/incident in Estonia that would apply across all government agencies or private sector parties”, but also noted that the government’s computer emergency response team has “an internally defined classification that allows for a reasonable level of consistency.” 

This is borne out, somewhat, on the quantitative side by RIA’s 2017 Cyber Security Assessment, which indicates that the CERT team handled 9,135 incidents in 2016, of which 1,687 related to government institutions.

In contrast, the 2017 Cyber Security Assessment Netherlands reported a mere 623 incidents, of which 254 occurred under the more general category of “public organisations.” However, the key difference between the annual reports is that Estonia’s notes whether incidents were low priority, medium, high, or critical, while the Netherlands’ does not.

The next question: does a “critical cyber incident” constitute a “cyberattack”? The Tallinn Manual, a collection of expert analyses on international cyber law, offers the widely accepted definition that a cyberattack is “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” 
And according to the RIA report, “There were no critical cyber incidents that would have posed a threat to people’s life or health in 2016.” 

While this might seem like a clear-cut case for equating the terms, there is a caveat. The Estonian report says there were also “348 high-priority incidents that affected the functioning of a service or website considered important for the state,” including “interruptions or attacks against vital service providers’ information systems.” From a government perspective, those 348 incidents are attacks that have to be resolved in a matter of minutes to contain their destructive effects. Based on that report, then Estonia’s president could have told the public that the government had faced 9,135, 348, or zero cyberattacks in 2016.
So why is this a serious problem that needs fixing?

The first major concern is that when government officials, such as the NATO Secretary General or the French Minister of Defense, are presenting cyberattack figures, they are bound to significantly over- or under-report the occurrence of relevant cyber incidents. 

Clearly, the French MoD did not experience 24,000 critical cyber incidents in 2016, nor can we simply assume that any of the 500 critical cyberattacks against NATO were expected to cause injury or death to persons or damage or destruction to objects.
Imprecision therefore severely hinders the public’s ability to understand the threat environment. As a writer for Forbes asked in 2010: “Just how big is the cyber threat to the US Department of Defense?” 

The article cites the then-leaders of US Cyber Command as drawing a line between probes and scans, while then-Deputy Defense Secretary William J. Lynn III called them all attacks. “What’s a probe? What’s a scan? How do they differ? How serious is each type of incident? How many of each type of event are we seeing on a daily basis?”

Imprecision also hinders cyber defense efforts within governments and between militaries. If NATO and EU member states lack common standards and metrics for reporting and categorising cyber incidents, then statistics on national threat landscapes are destined to be both incomplete and non-comparable. Third, imprecision blurs the rules of engagement for responding to a cyberattack. Just because Estonia categorizes an incident as critical, which might prompt Tallinn to invoke NATO’s Article 5, hardly means the other 28 allies will evaluate the incident in the same way. 

We have already seen this playing out during the DDoS attacks against Estonia in 2007. Essentially, policy analysts divided into two sides: Those who believed that the attacks were the beginning of war, and those who argued that such attacks were already commonplace. 

The bottom line is this: While NATO member states are embroiled in discussing cyber deterrence frameworks, offensive operations, and creating norms and rules for state behavior in cyberspace, they have still not reached consensus on how to actually count and categorise cyber incidents across the alliance. 

Two things are for certain even in cyberspace: The alliance cannot manage what it does not measure, and it has to understand what it is trying to solve.

DefenseOne

You Might Also Read: 

Ukraine Detects A Cyber Attack On A NATO Member:

NATO Could Go To War In Response To A Cyber Attack:

 

« Major Facebook Breach: 50m Users Compromised
UK Newspaper Industry Demands Levy On Tech Firms »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Intrinsic-ID

Intrinsic-ID

Intrinsic-ID's authentication technology creates unique IDs and keys to authenticate chips, data, devices and systems.

Zscaler

Zscaler

Zscaler enables the world’s leading organizations to securely transform their networks and applications for a mobile and cloud first world.

Canadian Centre for Cyber Security (CCCS)

Canadian Centre for Cyber Security (CCCS)

The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure, the private sector and the public.

CloudCheckr

CloudCheckr

CloudCheckr is a next-gen cloud management platform that unifies Security & Compliance, Inventory & Utilization and Cost Management.

Mission Secure (MSi)

Mission Secure (MSi)

MSi is a specialized provider of next generation cyber defense solutions protecting control systems and critical physical assets in energy, transportation and defense.

VigiTrust

VigiTrust

VigiTrust is a security firm specializing in cloud based eLearning programs, security compliance portals and providing security assessments.

Nullcon

Nullcon

Nullcon provides an integrated platform for exchanging information on the latest attack vectors, zero-day vulnerabilities and unknown threats.

FFRI Security

FFRI Security

FFRI is committed to research and development of preventing the most advanced cyber-attacks and breaches.

CSIRT GOV - Poland

CSIRT GOV - Poland

Computer Security Incident Response Team CSIRT GOV, run by the Head of the Internal Security Agency, acts as the national CSIRT responsible for coordinating the response to computer incidents.

Capsule8

Capsule8

Capsule8 is the only company providing high-performance attack protection for Linux production environments.

AppOmni

AppOmni

AppOmni is the only SaaS CSPM solution that gives teams all the tools they need to be successful – from security posture management to monitoring and detection to continuous compliance.

SecZetta

SecZetta

SecZetta provides third-party identity risk solutions that are easy to use, and purpose built to help organizations execute risk-based identity access and lifecycle strategies.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL) is the largest integrated Information Communication Technology (ICT) company of Pakistan.

M.Tech

M.Tech

M.Tech is a leading cyber security and network performance solutions provider. We work with leading vendors to bring optimal solutions to the market through a channel of reseller partners.

SignalRed

SignalRed

SignalRed provides the cutting edge next-generation penetration testing and secure development solutions to startups and large enterprises.