Claims made that there will never be a true cyber war but better user education is needed of exploits.
According to a report by the Organisation for Economic Co-operation and Development (OECD), named ‘Reducing Systemic Cybersecurity Risk', very few single cyber-related events have the capacity to cause a global shock, but governments need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate.
Authors Professor Peter Sommer of the LSE and Dr Ian Brown of Oxford University's internet institute said that there are ‘significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services'.
The 120-page report determines that incidents of cyber security, such as malware, distributed denial-of-service, espionage and the actions of cyber criminals, will be both relatively localised and short-term in impact. Successful prolonged cyber attacks need to combine attack vectors that are not already known to the information security community and thus not reflected in available preventative and detective technologies.
They also need to combine: zero-day exploits; careful research of the intended targets; methods of concealment both of the attack method and the perpetrators; and the ability to produce new attack vectors over a period, as current ones are reverse-engineered and thwarted.
It also said that ‘analysis of cyber security issues has been weakened by the lack of agreement on terminology', as rolling all activities into a single statistic leads to ‘grossly misleading conclusions'. It concluded that ‘there will never be a true cyber war' because many critical computer systems are protected against known exploits and malware so that designers of new cyber weapons have to identify new weaknesses and exploits. However, the deployment of cyber weapons is already widespread in use and in an extensive range of circumstances.
In its conclusion, the report said: “There will never be enough policing resource to investigate all computer-related criminal attacks. The public will have to continue to learn to protect itself and that suggests a strong argument for some public funding for relevant user education.
“Many cyber attacks depend on the use of compromised personal computers. Improved public understanding of security therefore benefits governments as well as individuals and makes the task of the attacker more difficult. As with other forms of hazard where large sections of the public are likely to be affected, education is needed to help citizens appreciate that while the risks and the damage from them cannot be eliminated, they can very often be managed.”
Terry Pudwell, director and joint founder of Assuria, said that he agreed largely with the main conclusion in that the cyber attack threats are much less to do with military systems and more to do with possible attacks on critical national infrastructure and major economic systems.
He said: “Of course, the military and government urgently needs to protect itself, but I think most attackers know that there are much softer targets available in the private sector which is driven more by profit motives than protecting itself from unknown attackers.
“One of the biggest differences between real warfare and cyber warfare, in my opinion, is that with cyber warfare the victim organisation is rarely even aware of the fact that it has been attacked, at least for some time. Assuria solutions are designed to help with hardening systems but also to track and monitor critical user and system activity from all over the network and wherever possible to automatically analyse and alert on potentially suspicious activity.”
Alan Bentley, SVP international at Lumension, said: “The threat of a malicious cyber attack is not a new concept. However, the materialisation of state-sponsored cyber attacks will raise the threat level in many government and private organisations. The challenge is how they tighten their defences, in line with the raised threat level, whilst remaining nimble and productive.
“The thinking needs to switch from allowing everything in until it is proved to be bad to preventing anything from coming in unless it is proved to be good. Malware and unwanted or unlicensed software needs to be prevented from executing on the computer network – ensuring that we can keep the bad guys out.”
Robert Chapman, CEO of Firebrand Training, said: “It is becoming more apparent that an ethical hacker's job is beyond protecting their company's interests. They are protecting the safety and financial interests of the whole nation.
“The government has clearly indicated that it intends to tackle the very-real threat of cyber attacks head-on. A key enabler for this is to introduce more ethical hackers, but surely we would prefer an ethical hacker to find a vulnerability in our IT systems before a terrorist does.”
“In today's world of natural and terrorist disasters, we cannot afford for IT systems to fail. Imagine an incident, where the emergency services can't be contacted, or safety processes can't be initiated. It's unthinkable.”