Back in October 2010, the Coalition government promised £500m to bolster cyber security. The wisdom of such a move is obvious - with computer systems controlling everything from financial markets to nuclear weapons, the potential damage from a 'cyber-attack' is massive. Today's Guardian reveals how hackers - possibly funded by the US - created a virus that caused centrifuges to spin out of control at an Iranian uranium enrichment plant thanks to the 'Stuxnet' virus. It's not known exactly how much damage was done, but the fact that it was possible at all is a frightening concept for national security departments across the globe. If hackers can gain control of hardware at a nuclear research facility then, in theory, hackers can gain control of military hardware with potentially devastating consequences. But one thing the Stuxnet incident shows us is that it very difficult to achieve such dramatic results. Experts believe that it would have taken 10 developers 6 months just to test the virus, having created a duplicate of the nuclear plant's computer systems using identical hardware. Such an operation requires large resources, which is why state sponsorship is suspected. State-sponsored hacking is not unheard of - Russia has been accused of such activities by both Georgia and Estonia, and the head of MI5, Jonathan Evans, has accused the Russians and Chinese of attacking Whitehall computer systems. Meanwhile, over in the U.S., security officials said in 2009 that Chinese and Russian spies had hacked into the power grid, in an apparent attempt to map U.S. infrastructure, while leaving behind malicious software that the 'cyberspies' could activate in order to damage that infrastructure in the event of war.
Most evidence points to state 'cyber-attacks' only being used in the context of an existing conflict, in parallel with more conventional weapons. As the Estonia incident suggests, Russia is willing to use such attacks in pursuit of (albeit serious) diplomatic disputes in the former USSR against percived weaker nations, so although unlikely, it has to be considered that they will be prepared to do so further afield, against stronger nations than former USSR republics.
In this day and age, with the cold war long over, Britain's defence against cyber-attacks should start with the same way as its defence against conventional weapons - use the UN and our "essential" (is that a downgrade from "special"?) relationship with the U.S. to avoid conflict in the first place.
What is more likely is that coutries will use (and already do use) cyber-spying, such as the attempts to access information through the Whitehall computer systems. Instead of countries sending real-life human spies into "enemy" territories in order to bluff, coerce and extort secrets out of informants, they will increasingly rely on virtual spies using the Internet to prise information out of the computer systems of their enemies.
Similarly, terrorists will attempt to use the Internet to achieve their goals. Rather than smuggle and assemble bombs and guns across borders, it is a conceptually more simple challenge to cause damage to ones enemies with access to the Internet and a good hacker. These attacks may not even be aimed at causing physical casualties - they may attack economic targets, either by wiping financial data, or by attacking the infrastructure upon which modern commerce depends - which could be anything from an attempt to disable the signalling systems on the London Underground, to a "denial of service" attack on the computer systems used by the London Stock Exchange. The resources necessary to launch a successful Stuxnet style attack on, say, weapons systems is likely to be beyond the reach of most terrorist organisations - even any Islamic fundamentalists that may have benefited from Bin Laden's inheritance. That, though, is not to say that they won't try.
Overall, just as with conventional weaponry, the threat of serious harm via "cyber-attacks" in the foreseeable future is low, though the government is right in attempting to ensure that we are better protected against all possible such attacks form now on. China would be the most threatening country with its vast human resources providing a very large pool of hacking talent available to the authorities, so if Britain were to contemplate a "worst-case cyber-attack scenario" it would most likely come from China, though again, there is currently little incentive for China to launch a major attack of this (or any other military) kind.
As for guarding against the cyberspace threats to national security, the 'old-fashioned' (i.e. as much as 20 years old) defences are the ones that will be most effective. Even in these days where the Internet is king, most hacks are as a result of inside knowledge, and are preceded by a physical penetration of an organisation's defences, be it in the form of a disaffected employee or the stealing of hardware that allows a computer expert to download potentially compromising security information, or connect to an organisation's network and upload malicious software. So the old staples of maintaining good physical security at government buildings (which seems to be an issue at the House of Commons, of all places), and making sure people don't have, say, their surnames as network passwords are more relevant now than they have ever been.
As for the more extreme, Stuxnet style attacks, one hopes the government is not falling into the trap of taking at face value everything told to them by private sector companies with a vested interest in maintaining the fear of cyber crime and cyber attacks. The government-commissioned Cost of Cyber Crime report was produced in association with Detica, a private sector technology firm which is part of BAE Systems. The government should not be assuming that such reports just need to be commissions and any recommendations from said reports should be implemented with no further questions asked. If that happens, there is the danger that the risk assessment will come from private sector companies working backwards from their solution, thus fostering a climate of fear in which private technology companies can prosper - much as arms companies have prospered in the climate of fear fostered in the "war on terror". The theatre of war may have changed, but the politics remain the same.
No comments:
Post a Comment