Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
EU Security The Military

NATO Secretary-General Warns Cyberattacks Could Trigger Article 5 (nbcnews.com) 73

NATO Secretary-General Jens Stoltenberg said Friday that cyberattacks could trigger Article 5 of the organization's charter, the so-called "commitment clause" that considers an attack on any NATO ally an attack on all. NBC News reports: Stoltenberg's comment comes as national security professionals and cybersecurity industry professionals remain on high alert for any major attacks. While conflict on the ground in Ukraine continues to escalate, little has been seen thus far in terms of major cyberwar activities. Still, some hacker and activist groups have sprung into action. One ransomware group announced Friday that it supported the Russian government and would respond to cyberattacks on Russia by going after "critical infrastructures of an enemy." As for attacks on Ukraine, the country's computer emergency response team said Friday that it had seen a large email phishing campaign from Belarus targeted at military personnel. The statement comes amid a major cyberattack on Nvidia that was initiated at the same time as the Russian cyber warfare division started their offensive against Ukraine. Security researchers are concerned that somebody could put something malicious in one of the software updates that are then sent out to Nvidia's clients.
This discussion has been archived. No new comments can be posted.

NATO Secretary-General Warns Cyberattacks Could Trigger Article 5

Comments Filter:
  • So then, when is a cyberattack an attack? Is it defined in the convention or are they assessed on a case by case basis? What's the threshold of real-world effects?
    • Re:degrees of cyber (Score:4, Interesting)

      by kot-begemot-uk ( 6104030 ) on Friday February 25, 2022 @06:18PM (#62304759) Homepage
      More interesting question is slightly differnet: When a cyberattack is legitimate retaliation.

      We had darling Hillary jumping up and down on prime TV yesterday that she would have ordered a cyberattack on Russia by now.

      So, do I get this right: cyberattack, retaliation, article 5, bequeathing the Earth to the Cockroaches.

      • cyberattack, retaliation, article 5, bequeathing the Earth to the Cockroaches I think China comes into the timeline sometime prior to the roaches. And maybe India and Pakistan will take the opportunity to duke it out while everyone else is distracted. Happy days.

        • Cockroaches aren't actually as radiation-resistant as the Fallout video game series would have you believe. The survivors will mostly be slightly mutated versions of things closer to fruit-fly size.

      • by Tom ( 822 )

        We had darling Hillary jumping up and down on prime TV yesterday that she would have ordered a cyberattack on Russia by now.

        She has no power, but she is heavily indoctrinated into the trans-atlantic US-superiority mindset.

        Let's not forget that there ARE forces in the west that WANT to see WW3 happen. And some of them are in positions of power.

        There are similar forces in Russia, of course. Both of them have been adding fuel to the fire that is Ukraine for years now. As always, millions now suffer because some assholes are playing with matchsticks.

    • Re:degrees of cyber (Score:4, Interesting)

      by ArmoredDragon ( 3450605 ) on Friday February 25, 2022 @06:28PM (#62304811)

      They'd probably need to define it, my guess is it would only include things to the effect of sabotage of some kind. Obtaining sensitive information without authorization from the data owner, also generally considered a cyberattack, would be more like spying than actual warfare.

      Though given Russia's and China's stances on independent actors within their country, it sounds like they're also asking for something akin to the Bush doctrine, only for computer crimes rather than traditional terrorism. Basically the way terrorists were able to operate prior to the Bush doctrine is they'd do the majority of their operations from within the borders of a sympathetic but otherwise disconnected government which, due to diplomatic reasons, can't be touched as they technically had nothing to do with it, nor are they interested in bringing them to justice. Effectively Russia's and China's stance right now for hackers within their borders that hit foreign targets.

      The Bush doctrine basically says this: If you (a foreign government) harbor terrorists within your borders, you have to assist us in bringing them to justice. There can't be a middle ground, you can't be neutral, either you're with us or you're against us, and if you don't help us, we'll come after you.

      ("Help us" can include allowing us to project military force within their borders, which can include anything from drones to boots on the ground.)

      That was the cassus belli for Afghanistan, and although the Taliban runs the country again, if they allowed somebody like Bin Laden to operate openly there again, that is pretty much automatic diplomatic justification for not only siccing the ol' drones on the terrorists within their borders, but also the Taliban itself. It's also the reason we have drones buzzing all over the middle east to this day without anybody making a peep about it.

      But back to the topic, without something like that, only for "cyber terrorism", all that China or Russia have to do is blame it on an independent actor.

    • If someone is attacking you by tank, you destroy the bridges and roads, soo..

      Each nation bordering Russian territory needs to cut the internet cables. Good luck getting everyone to do that. And there are satellites!
    • IT attacks are harder to prove. Plus No graphic CNN , Fox videos of carnage. The propaganda pimps will cook up some animations to illustrate, perhaps with help from agencies or other groups. Recall Colin Powell wmd theatrics, oops. Practically a fair amount of disruption and destruction can be done from a far, but it does take manpower to conceal but also detect sources. Then explain to decision makers. Better to focus on preventing attacks.
  • Most countries/corporations so far have not even begun to implement actual, technically effective security measures for their computer systems, but rely on snake oil and "policy bullet point lists to tick off" for their pseudo-security.

    If Russians now do some penetration testing for free, that should be welcome as rare occasions where actual security is tested, not just adherence to ill-advised policies.
    • by hey! ( 33014 )

      I think there is something to what you say; I'm sure Russia has list of vulnerable targets, but once it starts using that list it will start to shrink.

      There's a huge difference though: pen testers are not trying to cause economic or other harm. In modern society is not only possible to cost huge amounts of money with cyberattacks, it is possible to actually kill people.

      • by ffkom ( 3519199 )

        pen testers are not trying to cause economic or other harm. In modern society is not only possible to cost huge amounts of money with cyberattacks, it is possible to actually kill people.

        And those two are problems that should long have been addressed. The mentality "security just costs us money, let's just sign some insurance contract to save us from being held responsible" is why pen-tests usually have no real consequences, even if they uncover gaping security holes. And the fact that devices, which can actually kill people, are connected to a world-wide network is another gross security failure, which can ultimately too be attributed to "hey let's save costs by just remote controlling ou

        • by Tom ( 822 )

          which can ultimately too be attributed to "hey let's save costs by just remote controlling our XY critical infrastructure via InterNet!".

          In an age where even if you buy a point-to-point connection between two places, you don't actually get a physically seperated network but simply an MPLS tunnel over an otherwise public network, that's really not so much of a difference to a skilled attacker.

    • by Tom ( 822 )

      Effective security requires something in short supply: People who know their shit.

      Buying some snake-oil, off the shelf, promises-to-solve-your-problem solution is much more manager-friendly.

    • Most countries/corporations so far have not even begun to implement actual, technically effective security measures for their computer systems

      What the hell are those "actually, technically effective" measures? If you can articulate them you'll probably become a god of the cybersecurity industry and then a millionaire overnight.

      The irony is that if you could list the "effective" measures that should be implemented, they would become an item on the checklist that you decry.

      • by ffkom ( 3519199 )

        Most countries/corporations so far have not even begun to implement actual, technically effective security measures for their computer systems

        What the hell are those "actually, technically effective" measures?

        To name just one simple example: Encrypting and Signing emails. Standards for this have been around for decades, but most countries/corporations cannot be bothered to implement them. All kinds of lame excuses have been brought forward to avoid them, and still adversaries forge senders and tamper with the content of actual ones.

        If you can articulate them you'll probably become a god of the cybersecurity industry and then a millionaire overnight.

        No, the knowledge has been there quite a long time, but the will to make use of it isn't.

  • .... time Russia initiated a cyberattack, WW3 would have happened years ago already.

    Not that I'm saying anyone should let this slide, but it hardly seems like something for NATO to be involved in.

    • by Kokuyo ( 549451 )

      I think there's a teensy tiny ever so slight difference when the offending country is currently sending their armed forces to go sight seeing in another country.

      • by mark-t ( 151149 )

        That other country in this case, however, is not a NATO member. They might want to be, but they aren't right now, and that actually *does* make a difference.

        Again, I'm not saying Russia should just be ignored on this, I know they are in the wrong here, but any military response by NATO members would be extremely ill advised.

        • That's the debate here, is it not? At what point does a cyber attack trigger Article Five?

          Russian hackers set Macron's iPhone lock screen to a dick pic: hilarious, and probably shouldn't trigger the mutual defense pact.

          Russian hackers infiltrate the control systems of a nuclear power plant and deliberately expose French citizens to radiation: ...maybe should be treated as an act of war that involves NATO?

          In reality we'd be lucky if the scenarios are so clear cut.

  • If the attack causes physical harm or loss of life, it is an act of war. If our power grid, gas grid, water grid, etc. gets attacked and it causes harm to any single person? That's technically an attack with a weapon of mass destruction. If it harmed one person, that means you ATTEMPTED to harm as many people as it affected. Take down a city's power grid, let's say Denver? Regardless of the LEVEL of harm that WAS inflicted, there's 300,000 people just in Denver proper, let alone the Metro are which probably

    • City and County of Denver is about 700,000. Metro area is about 2.7 million.
    • by Klaxton ( 609696 )

      Nuclear retaliation would basically mean the end of humanity so let's try to not do that. But a proportionate cyber retaliation would be appropriate, and not something that kills innocents. Destroying their compute infrastructure such that they can't cause any additional harm would be a good start. Taking all their money is also good.

      • Oh, I don't know. Probably not even the end of the US and Russia. Though certainly the end of their existence as major world powers.
        There are questions as to the level of climactic disruption, but there's pretty solid agreement that it wouldn't be a real threat to the human race.
        • If you fucked the USA up good enough you'd kill hundreds of millions of people or more who don't even live here, because of all the people who depend on us for food.

          • No doubt about- it would be proper fucked.
            Tales of the end of civilization and humanity are over-played, though.
            Even the US would survive, though greatly reduced. And whether or not the country would be torn apart in civil strife after the destruction and re-establishment of State and Federal governments is another level of conjecture, entirely.
    • But...really. Lets say a Russian cyber attack took down the Denver electrical grid an as a result 7 people died. Would you kill billions of people and end likely civilization over it? Because there is a good chance that a retaliatory nuclear strike would trigger all out nuclear war.

      The problem is that there are no clear rules for cyber weapons and its not at all clear how much damage they might do.

      Even with no physical damage, what if there were a way to take down the banking system? Or destroy eve
    • by Tom ( 822 )

      Take down a city's power grid, let's say Denver? Regardless of the LEVEL of harm that WAS inflicted, there's 300,000 people just in Denver proper, let alone the Metro are which probably got affected as well. You just tried to inflict that harm on every single one of them.

      Yes, BUT - anything that has human lives depending on it ALSO should have a backup-up plan, because power loss happens not just from cyberattacks. So there would also be gross negliegence on the part of someone responsible for it.

      Hospitals, for example, have emergency power backups, just like computing centers do.

  • I was alive (Score:2, Insightful)

    by gillbates ( 106458 )
    I was alive during the Balkan conflict and waited for NATO to act; if their behavior then was any indication, they'll issue memorandums and condemnations, but won't act until Putin is taking Paris.
    • by Klaxton ( 609696 )

      Ridiculous. Any NATO country will most definitely be defended from any Russian aggression. And U.S. and NATO interventions did end the violent conflicts of the 1990s, maybe not as quick as they should have.

  • I mean, that kinda says it all. Their words mean nothing.
    • by djinn6 ( 1868030 )

      I mean, the UN is fine if you understand that it's not supposed to be a world government, but simply a way for countries to talk as an alternative to war. Not the "oh no we lost 130 people" kind that most are talking about today, but the "oops we accidentally the entire human civilization" kind.

      Today the UN Security Council was asked if they would collectively denounce Russia's invasion of Ukraine, to which the answer was no because Russia, being a permanent member with veto privileges, vetoed it. The main

  • by Tom ( 822 ) on Saturday February 26, 2022 @04:53AM (#62305639) Homepage Journal

    The thing with cyberattacks is to prove that the attacker is a) russian and b) acting on behalf of the government - and prove that beyond reasonable doubt.

    When bombs fall on your cities and tanks roll over your country, it's fairly safe to assume these aren't some stoned teenagers with too much misguided patriotism. A cyberattack very well CAN be.

    And that's the thing. You don't want to be the person that started WW3 because some idiot in his mothers' basement ran one of his toys on you.

  • Don't make promises you can't keep, and article 5 is one of them. Every promise Biden has made has turned out to be nothing more than hot air, whether domestically or internationally. Don't let NATO follow the same delusional path.

  • You have to defend yourself; Vote for Nuclear Weapons as deterrent

An authority is a person who can tell you more about something than you really care to know.

Working...