In view of the cyber-warfare dimension to the
Russia-Georgia conflict, and the Chinese cyber-espionage ongoing
against the west since c.2003 ("Titan Rain", and so on), how
concerned should we in the UK be about state-sponsored
hacking?
With the publication of the
National Risk Assessment it is timely to consider what we need
to be worried about and realise that natural incidents of Hollywood
proportions do not have to take place to make life a misery.
Pervasive computing exposes all of us to damage, disruption, and
theft by state-sponsored "hacktivism".
Hackers who can disrupt power, petrol or food supplies through
so many different vectors can cause a greater degree of
demoralisation than Lord Haw Haw's comments ever could. From the
comfort of their own homes, hackers may not even have to find a
vulnerability in the oil refinery. An early war story of hacking -
back in the days when it was mostly mischievous - had soft drinks
deliveries rerouted.
What if all the petrol tankers ended up in Inverness? Perhaps by
itself that is correctable, but if motorway signal control was
interfered with, correcting misdirection (one risk) becomes more
serious with the realisation of another. The problem with
interconnection and interoperability is that if you can imagine it,
it can probably be done.
Cyber attacks are a weapon and weapons need always to be under
moral scrutiny. Any hacking, especially
state-sponsored hacking, is wrong, unless perhaps, it is the
right state hacking stuff that will help the good guys! Is the
crime for the "good guys" getting caught?
There is no end to it of course. Think about how the rest of the
world benefited from the Britain's innovation during the Industrial
Revolution. The Arkwrights and the Cromptons funded and sweated,
and invented. They learnt the hard way and had to live with their
investments. Meanwhile, preceding Otto von Bismarck's observation
that "only a fool learns from his own mistakes", rival countries
could come in and learn from GB and move straight to Industrial
Revolution 2.0. Now whereas the plans for Quarry Bank Mill may fill
a drawer or two in 1874, electronic information is rather more
compact and the thief does not even need to be near the
"electronic" filing cabinet.
Tomorrow's war
Be prepared for what is being done today for benefit tomorrow.
The cyber-Manchurian Candidates include files today that we report,
with relief, as encrypted at the time of a loss or breach waiting
for advent of, say, quantum computing to overcome the encryption
algorithms. State funding is so often a blank cheque for political
gains. We may pooh-pooh the likely patience in others but remember
the Iranians gluing together shredded American Embassy documents
after the 1979 revolution?
And as once obscurity and disconnection protected us, we have to
consider if those who would disrupt Supervisory Control And Data
Acquisition (Scada) systems no longer have to understand how to
access and manipulate proprietary systems because the specialised
process control products are being built on - or replaced by -
generic operating systems. How much damage can be done? Just a few
digits changed in a measurement or timing could ruin materials or
shut down production lines.
Attacking infrastructure through the IT that controls it is
likely to be cost effective and does not risk your own people
(until tit-for-tat cyber war becomes de rigueur).
What can we do about it?
Responsibility lies in all of us. Size does not matter. Defence
of the realm now affects the SME, the corporate, voluntary sector
and charities, as well as local and central government. Prevention,
detection, and reporting - and acting on reports - are part of the
home guard of cybervigilence. For example, do not be recruited to
botnets that could flood our own or another nation's systems with
denial of service attacks. Whether our information systems are at
home or at work, individually and collectively, we are all bricks
in the human firewall. As we benefit from migration and rich,
societal contributions from each other's national identities, tests
for those human vulnerabilities in the network have arrived none
too soon.