What’s in a name?
Written by Peter Davy
While much of the debate surrounding cyber risk focuses on terminology, attacks themselves are becoming no less frequent. Peter Davy charts the progress of the silent assailant
They might crash our networks, bring down our utilities, scupper GPS and see our secrets stolen by the Chinese, but the one thing cyber attacks probably shouldn’t do is take us by surprise.
The profile of the risk is higher now than ever before. Last October, the government pledged £650m towards tackling cyber threats as part of the Strategic Defence and Security Review and this March it appointed a senior general to take charge of the new UK Defence Cyber Operations Group. A month earlier, Sir Richard Mottram, Tony Blair’s formerly top national security adviser, told a House of Lords inquiry that new laws were needed. Cyber attack by one state on another could be considered an “act of war”, he insisted. As for the related risk of cyber terrorism, March also saw Belfast host the first cyber security summit.
And it’s not just the UK that is taking action. The US has long trumpeted the risks from ‘cyberspace’, and the Pentagon’s head of cyber command recently warned that the country remains ill prepared. “[A] crisis would quickly stress our cyber forces,” General Keith Alexander told Congress. Germany, meanwhile, has launched a new cyber security strategy in the last couple of months, while, only last year the French director-general of network and information security Patrick Pailloux told delegates at the Worldwide Cybersecurity Summit of his concerns about attacks on the electricity systems, transport, water supplies, the financial sector and hospitals. “I live in a world of nightmares,” he said.
Overblown, but overstated?
Often, yes, says Peter Sommer, a visiting professor at the London School of Economic, and co-author of the OECD report, Reducing Systemic Cybersecurity Risks, published in January (as well as the man behind “Hugo Cornwall”, author of the already infamous Hacker’s Handbook from 1985).
“The authors have concluded that very few single cyber-related events have the capacity to cause a global shock,” the OECD report began, elsewhere noting that “it is unlikely that there will ever be a true ‘cyberwar’”.
A big part of the problem, says Sommer, is the hyperbole and loose language used in relation to the threats, so attacks by hacktivist groups such as Anonymous in solidarity with Wikileaks get lumped together with cyber terrorism, and cyber espionage, such as China’s GhostNet activities, are labelled cyber war. Nobody in either case is dying, he notes.
“There is a great danger with all of this lurid language that it simply confuses the issue,” Sommer adds.
Nor is he alone in thinking so. Professor Ross Anderson at Cambridge University, is another academic sceptical of some of the more colourful claims, and has argued that “cyber terrorism” is often more of a marketing term for the IT security industry than anything else. “It’s overblown,” he says.
In the US, commentators such as Rob Rosenberger, co-founder of Vmyths, a website combating “computer security hysteria”, points out that claims for the destructive potential of cyber attacks have been made for more than a decade with still relatively few examples to point to in reality. Indeed, Rosenberger was one of a dozen industry experts
invited to the White House’s first anti-virus summit meeting back in 2000. Even now, he says, politicians are still trying to get to grips with the technology and how it might be deployed.
“Until they do, we’ll be stuck with idiots who claim a single child can declare ‘war’ against the US, and idiots who claim a loose-knit group of immature brats can ‘terrorise’ global commerce.”
All of which suggests that we’re still a fair way from anything that could reasonably be described as a true cyber war.
What is it good for?
However, such talk does perhaps serve a purpose – or maybe even two. For a start it highlights that, for those who are at risk of being targeted in a conventional setting, new avenues of attack have opened, whatever you might decide to label them.
Sommer himself admits this. “There are new and interesting risks even if they are not quite at the startling level that some of the popular coverage has suggested,” as he puts it.
In fact, given the array of reports in just the last few months, it would be difficult to conclude otherwise. As Ilias Chantzos, Symantec’s director of government relations for Europe and Asia-Pacific, points out, in the last couple of months both the UK Foreign Office and French Finance Ministry have confirmed they have been targets of attacks, and we have also seen recent attacks on the likes of NASDAQ.
“Incidents like these demonstrate the significance of the risk,” says Chantzos, who was among those to give evidence last year to a House of Lords Committee Sub-Committee reporting last year on protections against large-scale cyber attacks on Europe. It’s no longer just the attacks on Iran’s nuclear facilities by Stuxnet that IT professionals
highlight. “I can’t see how, after so many incidents going public you can say we’re not under attack,” he adds.
Most at risk, of course, are those providing critical national infrastructure, and that goes well beyond just government-run organisations. In fact, about 90 per cent of digital infrastructure in Europe is privately owned. Take mobile telecoms, for example, says DK Matai, executive chairman of emotive security firm mi2g: it’s privately owned, but no less vital for that.
“In discussing these risks we have to more or less forget about the distinction between public and private sectors,” he says.
Moreover, the second function the tabloid stories might serve is to focus other businesses on more widespread risks of cyber crime, which for many are likely to be the more serious concern.
Such crime, and particularly cyber espionage and intellectual property theft is a growing concern, says Henry Harrison, technical director at Detica, the cyber security arm of defence giant BAE Systems. “It’s not just theoretical; we’re seeing quite a lot of it going on.”
Detica’s report, published by the Government’s Office of Cyber Security and Information Assurance in February, put the cost of cyber crime to the UK (explicitly excluding cyber war, terrorism and other attacks where the primary motivation was not financial gain) at £27bn, £21bn of which was said to be born by the private sector. IP theft accounted for £9.2bn a year and industrial espionage £7.6bn.
Of course, there is plenty of scepticism over these claims too. Critics challenge both the possibility of drawing up anything like an accurate estimate of such costs and point to BAE System’s interest in hyping the threat; Sommer called the report an “unfortunate item of British Aerospace puffery”.
However, Harrison has a number of answers. First, the difficulties in coming to an accurate estimate aren’t reason enough not to try; second, for all the accusations of self-interest, it’s not the IT security industry making the running when it comes to highlighting the risks – “Unusually for an IT area it is really governments that are leading the way in stressing the importance of this threat; and, finally, both that it’s a matter of record that there have been successful and attempted attacks against companies, and that
if many others don’t believe they have a problem with cyber espionage there’s an easy explanation: “The fact is, most organisations are simply not looking for it, and if you don’t look for it you can’t do anything about it.” At the very least, for those that rely on their IP, it’s probably a good place to start before dismissing the risk. As ever, it could be the stories that are not making the national headlines that are doing businesses the greatest harm.