There is much discussion of the changing dynamics and technologies of warfare but references particularly to cyber warfare have increased recently.
Many people in the information security industry believe that we have entered an era of ‘cyber warfare’ and that government leaders need to go on the cyber-offensive. Although future wars are expected to include cyber-targets of some form, the hype surrounding cyber warfare created by the IT industry simply isn’t justified.
Worse still, the conjecturing about cyber warfare can lead to a distraction from an IT professional’s real concerns – responding to the less exciting but very real day to day threats.
These forms of attack are evidently a concern as the US government has appointed a cyber coordinator to provide guidance, and the Cooperative Cyber Defence Centre of Excellence (CCDCOE) has recently been set up by NATO. In the UK, the House of Lords has discussed a framework to protect the EU’s infrastructure. It has also been reported that the European Commission wants to introduce harsher penalties for cyber criminals, potentially increasing jail sentences to five years. However, what would a cyber attack look like, is it really feasible, and what is the real risk to IT?
One suggestion is that a cyber-attack would be in the form of a botnet, used offensively to disable another country’s computing infrastructure. Botnets are designed to direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. Col. Charlie Williamson, a US Air Force officer, recently told the BBC that his country should create an offensive botnet to target any forces that launch a cyberattack against it.
From the IT industry’s perspective however, the concept of an offensive botnet has many drawbacks – logistical, technical, political and commercial – and could easily be abused. A ready-made tool to take control of, or disable, so many devices at once is the same as any other weapon, in the wrong hands it can be used against the infrastructure it was meant to defend. There is also doubt amongst IT professionals as to whether cyber warfare can really be developed to a military grade from a technical standpoint, whilst ensuring there are sufficient defensive methods preventing it.
Another form of cyber attack could be less to do with disabling devices and infrastructure, and more focused on accessing or destroying a nation’s data. For example, accessing confidential and classified information – this could be in the form of hacking but on a larger coordinated scale. Information can even be modified or updated without the target knowing. Any information that is not handled securely in the public or defence sector could be an easy target.
The idea of modifying data undetected can also be escalated into a more damaging form of attack, using hacking methods and viruses to take control of a nation’s IT infrastructure, and therefore take control of its utilities. For example, the US government has claimed its energy grid was potentially under threat through cybercrime, where computer systems could turn off electricity for an entire city.
Many IT security professionals generally lack the military and political expertise to make policy decisions on cyber warfare, even though some of them are qualified to discuss cybercrime. Cyber warfare and cybercrime are fundamentally different and require, in many cases, drastically different approaches. However for IT specialists, there is a real day-to-day concern and requirement for the government’s understanding of these issues. Organisations should expect that they could be targets themselves; the attacks described above are not limited to the public sector.
The private sector could also be affected indirectly by outages of essential services, lack of electricity, payment systems and the internet. There are a lot of unknowns that IT executives cannot edict or control. One thing is certain: this should elevate network and systems monitoring as well as business continuity and disaster recovery to the highest priority. Whatever the situation, organisations should be able to restore normal operations as soon as possible and not lose any vital data due to an emergency of any kind.
The fact remains however, that it is highly unlikely that we would experience warfare isolated only to the digital realm. Warfare has changed dramatically over the decades, but the realities of it haven’t, meaning a serious cyber attack would not be an isolated incident and it is highly likely to include some form of kinetic attack or response.
It serves little purpose to continue communicating the misinformation, propaganda, and fear that the industry currently seems to be embracing. So many in the information security industry are not adequately informed, nor do we possess the requisite experience to decide in what fashion the military should respond to protect our nation’s interests.
Conversely there is a lack of technical understanding within the US government that can adequately inform and provide guidance to deal with the emerging threats posed by interconnected digital assets with no physical boundaries.
The solution is an understanding of how to protect against real, not imagined, threats and to create a foundation of cooperation that will enable rationale discussion between public and private sector within our own national boundaries and in cooperation with our international allies.