In view of the cyber-warfare dimension to the
Russia-Georgia conflict, and the Chinese cyber-espionage ongoing
against the West since c.2003 ("Titan Rain", and so on), how
concerned should we in the UK be about state-sponsored
hacking?
Cyber-espionage and cyber-warfare are just expressions of a
millennia-old problem onto a new medium (cyber space).
The general public in the UK should be concerned, and the UK
government should be concerned, but only to the same extent that
they were concerned before about state-sponsored espionage and
warfare in general. Meaning, the public does not need to panic and
the government does not need to just "throw money at the
problem".
Governments have had "electronic" espionage and warfare concerns
for most of the last century. The main thing about "cyber" is the
connectivity that the internet brought to us, which has obvious
advantages for doing business, but perhaps not so obvious, but
frightening, consequences for governments in terms of critical
national infrastructure (CNI).
Espionage is by definition a form of asymmetric warfare, because
relatively small amounts of resources committed could bring huge
benefits (ie, high return on investment in business speak). State-sponsored
espionage should be worrying for any state targeted by
it, because it implies unlimited resources being invested by a
foreign hostile power to try to disrupt, corrupt or uncover
information.
Since it is asymmetric, the answer for a government targeted by
"state-sponsored hacking" is to apply good, age-old, security
principles, such as: value at risk, separation of duties, disaster
recovery planning and so on.
For example, most utilities installations in a country (eg,
power plants, water purification facilities, etc) are run by SCADA
systems not connected to the internet. So, the security of those
isolated systems needs to be investigated, not just from a "hacking
perspective", but from a technology-people-process perspective.
Hacking (state-sponsored or not) is a concern and should be even
more of a concern if these systems get connected to the internet or
to other systems, which could themselves be hacked, etc.
A bigger worry could be a government's or a country's
infrastructure moving more and more to being delivered by
commercial providers, with shared infrastructure and more
connections to the internet. In this case, the threat assessments
need to include these commercial suppliers, the technology they
use, where it was developed, how are their people recruited, are
their work processes safe enough for the information at risk, etc?
Governments are usually pretty astute at evaluating and mitigating
such risks.
In brief: yes, it is a worry, but we generally know how to
tackle it.