Heavy lobbying, lurid language and poor analysis are inhibiting government planning for cyber protection, says a new report on Systemic Cyber Security published by the Organisation for Economic Cooperation and Development (OECD).
Cyber espionage is not a few keystrokes away from cyberwar, it is not helpful to describe hacktivist blockading as cyberwar, and it is unlikely that there will ever be a true cyberwar fought exclusively in cyberspace, say the authors of the report, Peter Sommer, visiting professor at the London School of Economics, and Ian Brown of the Oxford Internet Institute, University of Oxford.
So where does the truth lie? What is the real nature of the threat and who should be doing what to reduce that threat?
Global shock unlikely
According to the OECD study, very few single cyber-related events, such as a successful attack on one of the underlying technical protocols on which the internet depends, have the capacity to cause a global shock, but cyber risks are real and governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate.
There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services through malware, denial of service, espionage, and hacktivism, the report says, and reliable internet and other computer facilities are essential in recovering from most other large-scale disasters.
The key, says Sommer, is to test each cyber risk to understand all the elements that are required before a potential threat causes real damage. These include how much research is required on the target in writing computer code that will not be detected, and how long the event will last before the attacked system is able to recover.
"This type of careful analysis helps us understand what we should really worry about and points the way to remedies," he says.
Threat of disruption
Graeme Matthews, cybersecurity partner at Deloitte, says the OECD report highlights the continued and growing threat of disruption.
"Organisations need to be prepared and to have specific contingency plans in place to deal with systems and internet service disruption. Today, not many do and we would urge more positive action in this area. Where plans do exist, they need to be updated frequently because the pace is increasing," he says.
The best protections, the OECD report says, are careful system design, the use of products to detect known viruses and system intrusions, and user education. It is also essential to have proper contingency plans for system recovery.
"We think that a largely military approach to cybersecurity is a mistake," says Brown.
"Most targets in the critical national infrastructure of communications, energy, finance, food, government, health, transport, and water are in the private sector. Because it is often difficult to be certain who is attacking you from cyberspace, defence by deterrence does not work," he says.
Resilience is the key to recovery
As a result, the OECD report says, defence against cyberweapons has to concentrate on resilience, using preventative measures together with detailed contingency plans to enable rapid recovery from an attack.
But, according to Brown, cyberweaponry in all its forms will play a key role alongside more conventional and psychological attacks by nation states in future warfare.
In fact, the OECD report says the deployment of cyberweapons is already widespread in the form of things like unauthorised access to systems, viruses, worms, trojans, denial-of-service, root-kits and the like, and therefore it is a safe prediction that the use of cyberweaponry will shortly become ubiquitous.
Martin Sutherland, managing director of cyber security firm Detica, says it is important to note that we are not talking about reducing risk for a far-off event in the future.
"Advanced cyber attacks are happening now. The report suggests that likely breaches of cybersecurity such as espionage and the actions of criminals will be relatively localised and short-term in impact. In our experience, these attacks which result in the theft of intellectual property vital to the UK's knowledge-based economy can cause secrets to leave our shores that can never be got back and thus real long-term damage is inflicted on our nation," he says.
Alan Bentley, senior vice-president international at security firm Lumension, says the materialisation of state-sponsored cyber attacks will raise the threat level in many government and private organisations.
The challenge, he says, is how they tighten their defences in line with the raised threat level, while remaining nimble and productive.
"Organisations can't just build military style security defences around their IT systems. Operations still need to be run and, to do this, organisations will have to leave a few doors open for communication," says Bentley.
The government's £650m cyber security programme needs to focus on how it can help both government and private organisations align their cyber security controls with the newly recognised risk, he says.
The thinking, says Bentley, needs to switch from allowing everything in until it is proved to be bad, to preventing anything from coming in unless it is proved to be good.
There is a clear need for action, and the OECD report identifies the following actions for governments:
- Ensure that national cyber security policies encompass the needs of all citizens and not just central government facilities
- Encourage the widespread ratification and use of the CyberCrime Convention and other potential international treaties
- Support end-user education as this benefits not only the individual user and system but reduces the numbers of unprotected computers that are available for hijacking by criminals and then used to mount attacks
- Use procurement power, standards-setting and licensing to influence computer industry suppliers to provide properly tested hardware and software
- Extend the development of specialist police and forensic computing resources
- Support the international Computer Emergency Response Team (CERT) community, including through funding, as the most likely means by which a large-scale internet problem can be averted or mitigated
- Fund research into such areas as strengthened Internet protocols, risk analysis, contingency planning and disaster propagation analysis, human factors in the use of computer systems, and security economics
Mark Darvill, director at security firm AEP Networks, says ensuring that military levels of security safeguard the integrity of the internet is absolutely critical.
"Yet it's not just the responsibility of governments. The private organisations that provide the security of critical infrastructure, such as power stations, water supplies and military locations, need to think about how they will fortify their security measures in line with the new threats. It's just as crucial that they deploy the highest grade security measures," he says.
The report concludes that attempts at the use of an internet "off" switch as discussed in the US Senate and elsewhere, even if localised, are likely to have unforeseeable and unwanted consequences.