NATO is set this week to ratify a new policy on cyber-defense which will confirm that international law applies in cyberspace and that an online attack against one member country could be considered an attack on all 28.
The decision is expected to be taken by NATO leaders when they gather in Wales on Thursday and Friday, according to the New York Times.
NATO’s collective defense clause, known as Article 5, is a core principal at the heart of the military alliance – the world’s largest. So the new policy to include cyber will take a major step towards establishing international principles that a cyber attack could be considered in the same terms as a 'traditional' military attack.
The new cyber-defense strategy also includes commitments to enhance information sharing and 'mutual assistance' in combating cyber-attacks and improve the defense of NATO’s own networks, including better education and training.
The alliance said it will also step up efforts to engage with industry.
The new stance is a clear indication that cyber is now a key strategic dimension to security policy, according to McAfee director of cybersecurity, Jarno Limnéll.
“The fact is that the world is moving towards greater strategic use of cyber-weapons to persuade adversaries to change their behavior, and it is natural that NATO has reacted to this fact,” he told Infosecurity by email.
“Cyber will be an element of all crises and wars we’re seeing and going to see in the future; ie cyber operations, both offensive and defensive, will play major roles in all levels of war.”
Announcing cyber-attacks as part of Article 5 will encourage NATO members to improve their national defense and co-operation with each other, and it will act as a warning to others, he added.
“NATO wants to tell others that no single NATO-member can be attacked via cyber, and if that happens the alliance will support that country,” said Limnéll.
The policy doesn’t spell out exactly what the threshold of damage must be to invoke Article 5, but this is a wise move, he argued.
“Spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” said Limnéll.
“We have to remember that we are just living at the dawn of the cyber -warfare era and the ‘cyber-warfare playbook’ is pretty empty.”
Stephen Bonner, a partner in KPMG's cyber security team, argued that Article 5 has only ever been used once in NATO's history, so the new policy is more likely "a rhetorical point which is possibly aimed at having a deterrent effect."
"Of course, Article 5 determinations are a political judgement made at the time of an incident, not in advance," he told Infosecurity.
"There are risks around the increased militarisation of cyber space and we should be cautious about fuelling this. After all, in most cases, the response to a cyber attack is a civil matter.”
Consultancy BAE Systems Applied Intelligence welcomed the news, in particular its focus on information sharing with the private sector which is "often on the front lines of cyber attacks."
"If NATO and national governments are to keep up with the pace of innovation in both the cyber security landscape and the threat landscape, partnership with industry is essential,” a spokesperson told Infosecurity.