Cybergeddon, a complete take-down of the internet, is undoubtedly within the power of some nation states, but is unlikely, say security industry experts.
Bringing down the internet would not be in anyone’s interest, said Fred Piper, security consultant and former director of the information security group at Royal Holloway, University of London.
While we have seen cyber assaults of this sort on Estonia, nation states and even cyber criminals are unlikely to bring down the internet as they rely on it, Fred Piper told a roundtable discussion in London.
However, critical national infrastructure is extremely vulnerable to state-sponsored cyber attack and considered to be a top risk by the US government, said Hugh Thompson, chief security strategist for security firm Blue Coat Systems.
The growing number of attacks against embedded systems demonstrated by security researchers and evidence of these kinds of attacks in the past 24 months should be a strong wake up call, he said.
“Attackers may be using simple social engineering techniques to get inside networks, but the methods they are using to move laterally once inside, are extremely sophisticated,” said Hugh Thompson.
As with nuclear weapons in the past, the world is starting to engage in a cyber arms-race, where everyone wants powerful cyber weapons they hope they will never use, said Paul Simmonds, co-founder of the Jericho Forum and former CISO of AstraZeneca and ICI.
Read more on cyber war:
- US prepares cyber offensive capability
- UK cyber protection should be more aggressive, say MPs
- UK citizens back pre-emptive cyber strikes, poll shows
- Cyber security will change ideas of the nation state, says Stonesoft
- Analysis: Prepare for cyber war. But what does it mean?
- Making sense of the threat of cyber war
“The cyber capability of nation states that has been publicly revealed in the past year, and even in critical national infrastructure discussions, is probably only the tip of the iceberg, with most of the true capability remaining hidden,” Paul Simmonds said.
Nation states are unlikely to use zero-day threats they may have developed, said Thompson, because once they have been used, they will no longer be effective.
“Once an attack method is known, it is more difficult to repeat, because people adapt to what has happened,” he said.
For this reason, said Simmonds, it is worrying that many countries are rushing headlong into connecting elements of critical infrastructure to the internet to cut costs and for ease of use.
The UK is publicly investing a lot into assessing its cyber defence capability and identifying the gaps, so it is not all gloomy and awareness is increasing, which is good, said Piper.
However, he said it is unknown if this is moving fast enough and it also needs to be collaborative at an international level if it is to be effective.
“Hopefully, in 2013 we will see more momentum in international collaboration around issues such as bringing attackers to justice no matter where they are operating from,” said Piper.
This is particularly important in light of the fact that the ability to attack critical infrastructure is not necessarily limited to state-sponsored attackers, said Thompson.
With much lower barriers to entry through widely-available attack toolkits, individual attackers can be as powerful as nation states and cause an enormous amount of damage, he said.
More likely to be accidental
However, according to Simmonds, any major halt to critical infrastructure or the internet is more likely to be the unintended result of other attacks or failures, than a deliberate strike.
Cyber weapons are also unlikely to be used in isolation; they are far more likely to be part of a much wider military campaign, said Thompson.
Looking ahead to 2013, he said organisations should be more concerned about targeted attacks and ensure they are prepared to detect and mitigate these.
“Targeted attacks using freshly compiled code are reaching epidemic proportions, said Thompson, but because few organisations are reporting such attacks, they are not being taken as seriously as they should by many businesses.