On Saturday, Kevin Scheid, a US Department of Defense veteran, was placed in charge of NATO’s cyber operations. The appointment wouldn’t be big news if it weren’t for the fact that he’s joining the organisation at a hair-raising point in history. The vicious malware triggered NATO to announce on Friday that the attack is believed to be the work of a state actor and is a potential act of war.
There was a lot of ruckus back in May when Donald Trump met with the leaders of NATO and failed to confirm that the US is committed to Article 5 of the North Atlantic Treaty. That’s the clause of the agreement that pledges the members of NATO to mutual defence. Legally speaking, if Article 5 is triggered by an attack on one member, the other members are required to join in retaliation. This week NATO’s Secretary General confirmed that a cyber operation with “consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty and responses might be with military means.” But Friday’s press release emphasises that we don’t know enough about the origin of NotPetya or the intentions behind its release at this time.
NATO researchers have concluded that the malware “can most likely be attributed to a state actor,” and if a nation is determined to be responsible, “this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.” What sort of countermeasures? Well, pretty much anything. Independently Michael Fallon, the UK defence secretary, announced this week that his country was prepared to respond to cyber attacks “from any domain - air, land, sea or cyber.”
If the unhinged president in the US wants to start a war for the hell of it, he pretty much has the power to do that. But NATO functions on strict rules. Tomáš Minárik, a researcher at NATO CCD COE writes:
If the operation could be linked to an ongoing international armed conflict, then law of armed conflict would apply, at least to the extent that injury or physical damage was caused by it, and with respect to possible direct participation in hostilities by civilian hackers, but so far there are reports of neither.
Minárik is outlining what would justify full on IRL military conflict. That doesn’t, necessarily, mean that NATO couldn’t respond in the cyber-realm if it determined that a government was responsible for NotPetya. He continues:
As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.
NATO doesn’t know who’s responsible for NotPetya, and no experts have attributed the attack to one actor with any certainty.
It’s one of the most fascinating pieces of malware to ever wreak havoc on a large scale. At first, people thought it was ransomware, then it was more likely to be a wiper with some ransomware code. It’s become clear that it uses the EternalBlue and EternalRomance exploits that were pilfered from the NSA and released by the hacking group the Shadow Brokers in April. But intriguingly, it appears that whoever created NotPetya had access to those exploits two weeks before they were given to the public.
Another puzzling factor is the motive for releasing this malware that doesn’t seem to benefit anyone. No one is getting paid. It’s just a really destructive worm that locks up systems. It was first released in Ukraine, and that country’s security services are blaming Russia. But Russians were victims of the attack as well. It’s such a pointless and nasty worm that the crime group behind the original Petya actually jumped in and volunteered to help victims. Lauri Lindström, a researcher at NATO says, “it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power - a demonstration of the acquired disruptive capability and readiness to use it.”
According to Bloomberg, attacks on NATO’s electronic infrastructure increased by 60 per cent last year. If it’s true that a state actor is responsible for NotPetya, it’s possible that NATO taking notice and talking up Article 5 could make the perpetrator think twice. Then again, if the responsible party gets away without a trace, they’ll know that they’re untouchable. [CCDCOE via Security Affairs, Bloomberg]