Lack of security in the cyber world is one of the most significant threats faced by the civilized world, according to Jarno Limnell, director of cyber security at security firm Stonesoft.
“But it seems that we have to experience a catastrophic incident before this threat is taken seriously enough,” he said.
Limnell, a former advisor to the military and government in Finland, said that it was time to take cyber security seriously because in the coming years it will most radically change the world’s understanding of the security of nation states, society and individuals.
Cyber security, he said, is becoming increasingly important because of the world’s growing dependence on digital resources, growing investment by nation states in offensive as well as defensive cyber capabilities, the cyber weapon arms race, and the cost and efficiency of cyber attacks.
“Nation states are beginning to realise that they can achieve the same political goals with cyber weapons as traditional arms, but at a much lower cost,” said Limnell, who consults internationally on the issue of cyber security.
However, in a cyber war, the military is no longer the main target – civilians are, he said, which is why in all cyber defence strategies, great emphasis is being placed on protecting critical national infrastructure.
This shift, as the cyber and physical worlds become increasingly tightly integrated, could mean that the most powerful nations today will not control the digital world in the same way they control the physical world, said Limnell.
Smaller, less powerful nations today could create unique cyber capabilities and change the logic of warfare in future, he said. “Those who control the cyber world will also control the physical world.”
The growing dependence of the physical world on the cyber world has important implications for the business world too, according to Limnell.
“Cyber security needs to become a critical part of the business; it is not something that can be left to the IT department,” he said.
Limnell believes that for governments as well as businesses, cyber capabilities must be seen as being of strategic importance.
In assessing these capabilities, organisations need to consider not only defensive capability, but also offensive capability – or at least an understanding of it – as there is no credible defence without it.
They also need to consider their level of dependency on the cyber world. The US, for example, has a lot to lose in terms of its dependency on cyber, said Limnell.
They are number one in terms of offensive capability, but they admit weaknesses in defence. “They have got the biggest stones to throw, yet they are living in a glass house,” he said.
In both government and business, a strategic understanding of cyber threats is vital, and must inform and guide the operational and technical, not the other way round as is currently the case, said Limnell.
“The common approach of treating cyber security as a technical question is wrong, guidance needs to be from the strategic level down,” he said.
Second, there is a need to break the illusion of security and make security the first thought rather than an afterthought. “Deploy defences, but at the same time understand the vulnerabilities,” said Limnell.
Third, organisations need to understand that complete cyber security is a myth, he said, but that resiliency is obtainable and worthwhile.
“It is important that organisations understand how to develop resilience because there will be times when the digital world will not work as it should,” he said.