In view of the cyber-warfare dimension to the Russia-Georgia conflict, and the Chinese cyber-espionage ongoing against the west since c.2003 ("Titan Rain", and so on), how concerned should we in the UK be about state-sponsored hacking?
Cyber-espionage and cyber-warfare are just expressions of a millennia-old problem in a new medium (cyberspace).
The general public in the UK should be concerned, and the UK government should be concerned, but only to the same extent that they were concerned before about state-sponsored espionage and warfare in general. That is, the public does not need to panic and the government does not need to just "throw money at the problem".
Governments have had "electronic" espionage and warfare concerns for most of the last century. The main thing about "cyber" is the connectivity that the internet brought to us, which has obvious advantages for doing business but also less obvious, and frightening, consequences for governments in terms of critical national infrastructure (CNI).
Espionage is by definition a form of asymmetric warfare, because relatively small amounts of committed resources could bring huge benefits (ie, high return on investment in business speak). State-sponsored espionage should be worrying for any state targeted by it, because it implies unlimited resources being invested by a hostile foreign power to try to disrupt, corrupt or uncover information.
Since it is asymmetric, the answer for a government targeted by "state-sponsored hacking" is to apply good, age-old security principles, such as value at risk, separation of duties, disaster recovery planning and so on.
For example, most utility installations in a country (eg, power plants, water purification facilities, etc) are run by SCADA systems not connected to the internet. So, the security of those isolated systems needs to be investigated, not just from a "hacking perspective", but from a technology-people-process perspective. Hacking (state-sponsored or not) is a concern and should be even more of a concern if these systems get connected to the internet or to other systems, which could themselves be hacked, etc.
A bigger worry could be a government's or a country's infrastructure moving more and more to being delivered by commercial providers, with shared infrastructure and more connections to the internet. In this case, the threat assessments need to include these commercial suppliers, the technology they use, where it was developed, how their people are recruited, whether their work processes are safe enough for the information at risk, etc. Governments are usually pretty astute at evaluating and mitigating such risks.
In brief: yes, it is a worry, but we generally know how to tackle it.
This was first published in September 2008