Cyberwar threat way down the agenda at NATO conference
Real war, not iWar, focus for heads of state
For all its hype the threat cyberwarfare merited less than 100 words in a summary of discussions between heads of state at NATO conference last week.
The three-day North Atlantic Treaty Organization summit in Romania last week focused on discussing NATO operations in Kosovo and Afghanistan, and plans for the further expansion of NATO, particularly in the Balkans. Cyber defense got a briefest of look-ins, as point 47 of a 50 point declaration by heads of state and government meeting at the conference. The policy statement (below), which might have been drafted by Yes Minister's Humphrey Appleby, doesn't give too much away beyond saying the NATO allies might - on request - intervene to help an ally under attack.
NATO remains committed to strengthening key Alliance information systems against cyber attacks. We have recently adopted a Policy on Cyber Defence, and are developing the structures and authorities to carry it out. Our Policy on Cyber Defence emphasises the need for NATO and nations to protect key information systems in accordance with their respective responsibilities; share best practices; and provide a capability to assist Allied nations, upon request, to counter a cyber attack. We look forward to continuing the development of NATO’s cyber defence capabilities and strengthening the linkages between NATO and national authorities.
The conference comes almost a year after the internet infrastructure of the Baltic state of Estonia, which became a NATO member in 2004, came under sustained attack. Civil unrest in Estonia over the removal of Soviet-era memorials last April was accompanied by attacks against the Baltic nation’s internet infrastructure. Several Estonian government websites remained unavailable; others such as that of the Estonian police were available only in text-only form as a result of sustained denial of service assaults, many of which were powered by networks of compromised PCs. Local banks and media outlets were also targets for the attack.
Estonian ministers pointed the finger of blame for the attacks towards the Russian government, an accusation the Kremlin denied and which remains unproven. Although technically unsophisticated, the assaults served as a wake-up to the potential damage that might be caused by DDoS attacks.
By contrast other influential international organisations meeting last week held conferences totally dedicated to cybercrime. The Council of Europe hosted two successive two-day conferences on cybercrime in Strasbourg, France. The first conference aimed to encourage the sharing of best practice in fighting cybercrime between law enforcement agencies and ISPs. The second of the two conferences, which ran on Thursday and Friday (3-4 April 2008), focused on the Convention on Cybercrime, the only global cybercrime treaty.
Threats including child pornography and racism to identity theft, fraud and cyber terrorism were debated at the first of the two conferences. The meeting brought together experts from all over the world, as well as representatives of governments, police forces and the internet industry – including Microsoft, eBay, Symantec and McAfee. The agenda included an assessment of cybercrime legislation, the identification of new threats and trends, and a discussion on improving international co-operation (including the sharing of best practices).
The guidelines, which build on the existing Council of Europe Convention on Cybercrime, call for formal partnerships between ISPs and law enforcement, and are described as the basis of first ever international agreement between private industry and law enforcement in the sphere of cybercrime.
The guidelines focus on three main areas:
- Written procedures for the issue and process of law enforcement requests, along with training on how to implement the procedures;
- Knowledge-sharing on cybercrime trends and feedback by law enforcement on investigations conducted on the basis of complaints filed by service providers.
- Plans to establish ways for law enforcement to reach their criminal compliance personnel at ISPs outside normal business working hours.
The framework, which seeks to help ISPs and law enforcement structure their co-operation over the world, was agreed at the end of the conference as noted here.
The second of the two conferences focused on the Convention on Cybercrime. The number of countries expected to have ratified the only global cybercrime treaty is projected to double this year.
So far, 22 countries have incorporated the Council of Europe's Convention on Cybercrime into national laws, a much lower figure that its supporters hoped for when it was launched seven years ago, in 2001. However the Council reckons that momentum is growing. As many as 40 countries will have implemented measures that set guidelines for laws and procedures in dealing with cybercrime by February 2009.
The convention provides for improved cooperation between law enforcement agencies alongside swifter prosecutions of cybercrime.
Countries can only ratify the treaty after making changes to their national laws. Almost half the 43 countries who have signed the treaty are yet to ratify it, largely due to the glacial pace at which legislation can be enacted in many jurisdictions.
The UK, France, Italy, Spain and Germany have all signed the treaty. Of these large European nation only France has ratified the treaty, as illustrated by a chart on the Council of Europe's website here.
Nations both inside and outside Europe are encouraged to ratify the treaty as part of attempts to fight international cybercrime. The US has already ratified the treaty and other countries outside the 47-member Council have expressed an interest in joining. Brazil, The Philippines, the Dominican Republic, Mexico, Costa Rica, and South Africa are all in various stages of complying with the treaty, according to Alexander Seger, head of the economic crime division for the Council of Europe.
He compared the process of establishing an international cybercrime enforcement regime with earlier problems such as establishing a framework to combat money laundering. While slow the legal system inevitably catches up, he argued, Computerworld reports. ®