A report to the 34-nation Organisation for Economic Co-operation and Development (OECD) has warned governments to keep cyberthreats in proportion and not to entrust the defence of critical national infrastructure to the military.
The military needs to do a lot to protect its own systems, but that doesn’t put it in a good position to go out and solve this in the wider economy. The problem is much broader and goes
across the private sector.
—DR. IAN BROWN, senior research fellow,
Oxford Internet Institute, University of Oxford
The report, “Reducing Systemic Cybersecurity Risk” (.pdf), co-authored by Professor Peter Sommer of the London School of Economics and Dr. Ian Brown, a senior research fellow at the Oxford Internet Institute, University of Oxford, concludes that a ”cyberwar” fought solely in cyberspace is highly unlikely, but it does concede that a cyber element will feature in any armed conflict.
However, they insist that few single cyber-related events have the capacity to cause a global shock, and that most breaches of cybersecurity would be “both relatively localised and short-term in impact.”
The authors argue that the term ‘cyberwarfare’ is used too liberally to describe any cyberthreat, and that a lack of clear definitions could lead to governments allocating funds in a way that does not actually provide defences.
While acknowledging the importance of the Internet and associated systems to modern economies, and the known threat of state-sponsored espionage, it insists that,
“Cyberespionage is not ‘a few keystrokes away from cyberwar’, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.” The comment may be a veiled response to some of the controversial statements made by former White House special advisor to the president on cybersecurity, Richard Clarke, who has warned against state-sponsored cyberattacks in a series of books.
One of OECD's charges is that governments are paying too much attention to the potential damage a military or global cyberthreat could incur, and risk ignoring the far more likely effects of an accidental or systemic failure.
“A lot of people are using the term cyberwarfare far too loosely,” Sommer said. “When you press them what they mean and ask if the effects would be as devastating as [those of the war] in Afghanistan, or the Middle East, for example, they start to back down.”
Sommer said it is a mistake to use the term ‘cyberwar’ to describe espionage, hacktivist blockading or defacing of websites, as recently seen in reaction to the arrest of WikiLeaks founder Julian Assange. He said it was “not helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure.”
The report says that many cyber risks are real, but that it is important to test each one to understand all the elements that would have to be in place before a potential threat could cause real damage.
The report also acknowledges known attacks in recent years against Estonia, Georgia, Lithuania and South Korea, where government, banking and media websites came under fire, but makes the point that, although the attacks were “annoying” and “embarrassing,” they did not involve violence or destruction.
Brown put much of the blame on security vendors for exaggerating the dangers in order to sell products. “People quote huge numbers of attacks per day on government systems to show how bad the problem is, but they are counting every last probe and phishing email,” he said. “You have to be careful about crying ‘wolf’. It will catch the eye of the public the first time you do it, but they will very quickly get bored, especially if they don’t see it leading to any negative outcomes that affect them. There is already an undercurrent of scepticism and cynicism from commentators saying the threat is overblown.”
The authors underline what they see as the hazard of giving the military all responsibility for handling such threats. “There’s a danger of money and effort being wasted if [cyberwar is] treated purely as a military threat,” Brown said. “The military needs to do a lot to protect its own systems, but that doesn’t put it in a good position to go out and solve this in the wider economy. The problem is much broader and goes across the private sector.”
He said that the private sector and parts of government, such as the UK Department for Business, are best equipped to deal with many of the threats, especially since much of the UK’s critical national infrastructure is in private industry.
However, the report does emphasize the fragility of much of the technology that underpins modern life. For instance, it examines the growing complexity of modern software, pointing out that while Windows NT 3.1 in 1993 had 4.5 million lines of source code, its successor Windows NT 3.5 in 1994 had 7.5 million lines, and Windows XP, released in 2001, had 40 million. “If we assume only one bug or error per 1,000 lines, we arrive at the possibility of 40,000 bugs in Windows XP,” it says.
The report also warns that some current trends -- such as government agencies relying on the open Internet to deliver services, and the rise of cloud computing -- open up systems to more damaging attacks unless proper defences are put in place.
“With appropriate industry standards and competition between providers, it should be possible for businesses to manage the day-to-day security risks associated with cloud computing,” conclude the researchers in their report. “However, less attention so far has been paid to the impact of catastrophic events on cloud services. Without careful resilience planning, customers risk a loss of processing capacity and of essential data.”
The report lists a range of threats, ranked by the damage they could do and the time it would take to contain them. The conclusion: Only a successful wide-scale attack on the Internet infrastructure would be enough to cause serious and lasting damage. To further underscore the view that governments need to pay attention to IT infrastructure risks that don't necessarily involve attackers or malicious activity, the report posits that a serious solar storm is one of the most dangerous threats, and could do widespread damage to the electrical grid.
Ron Condon is UK bureau chief for SearchSecurity.co.UK. Send comments on this column to [email protected].