Aux armes, citoyens? Hold that Article 5. This US holiday weekend has been light on Petya news, but it seems that NATO has roused itself into the cyberdefense arena as a military arena for them, based on NATO Secretary General Jens Stoltenberg’s statement on Article 5’s collective defense, and a Friday brief that declared:
The global outbreak of NotPetya malware on 27 June 2017 hitting multiple organisations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor, concluded a group of NATO CCD COE researchers Bernhards Blumbergs, Tomáš Minárik, LTC Kris van der Meij and Lauri Lindström. Analysis of both recent large-scale campaigns WannaCry and NotPetya raises questions about possible response options of affected states and the international community.
Nevertheless, NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state. Other options are unlikely. The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation.
NATO’s Secretary General reaffirmed on 28 June that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty and responses might be with military means. However, there are no reports of such effects, so according to Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, self-defence or collective defence of victim states are not available options.
Well, the cyber-tanks are not rolling as of yet. The brief notes three interesting factors: low estimated deployment cost ($100,000) means that a non-state or criminal actor could have developed it, but the lack of ransom counterbalances that; the kill switch was a simple one that could be used to limit spread; and it was targeted to spread via internal networks versus the wide spread of the internet.
The brief’s options for international response seem contradictory and incomplete to this Editor.
The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks. This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation.
Ukraine’s speculation (of course) is that it’s Russia, though Russian organizations were also hacked. This is of a piece with earlier Russian attempts to disrupt, and Ukrainian spokesmen pointed out, as did NATO, that Petya was easy to limit if you knew how. ZDNet
And now Australia is going on the offensive. The Australian Signals Directorate (ASD) has been authorized to “disrupt, degrade, deny, and deter” bad cyber actors, placing a national emphasis on cybersecurity for “the mums and dads, the small businesses, large businesses, government departments and agencies” according to Dan Tehan, Australian Minister Assisting the Prime Minister for Cyber Security (whew!). Can we include healthcare? Leading the way! ZDNet