Two big events last year thrust the issue of information and cyber security onto the global stage. First Stuxnet led to accusations of deliberate cyber sabotage by a nation state. Then WikiLeaks showed all too clearly how devastating data breaches can be to entire countries and how hard it is to keep even the most sensitive data private.
What was made clear by these, perhaps more so than ever before, is that cyber security is no longer a specialist function aimed at securing networks and combating viruses. It is an international issue with a growing potential to cause international damage. As we travel further down this road, we need to see the security profession becoming more involved in politics, diplomacy, the media and everyday life. We need to ensure that international decisions involving cyber security are informed by cyber security experts.
WikiLeaks highlighted two very important lessons. Firstly, that data can be extremely valuable and can have devastating consequences when it is lost or stolen; and secondly, that it's very hard to completely secure. The aftermath was even more revealing. Internet companies withdrew support for WikiLeaks and groups threatened revenge DDoS attacks. The whole thing caught everyone by surprise and no one seemed to know how to respond. Part of the reason for this is that security, whilst often deployed well at a technical level, is not sufficiently considered in wider policy decisions either in companies or governments.
WikiLeaks is a great example how the increasingly connected world can lead to devastating consequences. However, for all its impact, it was a fairly straightforward data theft by a determined individual. As an ongoing international concern, Stuxnet was perhaps the more worrying development. Not only was it an incredibly sophisticated worm, but it clearly had some serious expertise and resources behind it. Responding to this requires some major international considerations, and not consulting the cyber security profession would be as illogical as not consulting the aggrieved or accused nation state.
The implication that Stuxnet may have been a deliberate attack on Iran by a government is a serious one, and not necessarily true. Jumping to such conclusions is counterproductive. Unlike physical attempts at espionage, where the perpetrator was clearly identifiable once caught, locating a cyber attack does not make it attributable. It may be a nation state, but it could equally be a group of cyber criminals, activists, terrorists, or even a teenager testing his skills. It would be tragic if we were to make major international accusations and decisions based on incorrect assumptions.
On the other hand, if it was a deliberate attack by a nation state, then further serious issues are raised about the risks of cyber warfare if the aggrieved nation decided to retaliate in kind. We saw what happened in Estonia in 2007 and we know what is possible by determined groups. All out cyber warfare would be a disaster and we need to do everything in our power to ensure we don't reach this stage.
International diplomacy is absolutely vital in dealing with these concerns, or indeed avoiding them in the first place. Keeping nations or organisations at arm's length will only make this problem worse, but this diplomacy needs to be underpinned by an understanding of what cyber attacks can do, how and why they are launched, and how we can protect against them. Crucially people making these decisions need to understand when attacks are attributable and when they are not. They need to understand the security issues behind the attack, as well as any international sensitivities, and make informed responses. We must avoid knee-jerk reactions which could lead to spiralling 'tit for tat' attacks, which cost money, cause disruption and divert resources away from dealing with the ever increasing threat of cyber crime.
Governments, diplomats, businesses and security experts around the world need to have open and honest conversations with each other and work together to mitigate the need for such attacks, as well as identifying ways to combat them.
It is more important than ever that cyber security experts become more involved in policies and relations at a global level, as well as within organisations. We have seen the potential for devastating use of cyber space, and we arm ourselves best to combat these attacks by ensuring our policies, as well as our technology, are informed by security experts. The government takes scientific advice when making scientific decisions. We need a similar pool of cyber security experts who are engaged with the political landscape, who can advise governments on cyber security decisions.
This has been an issue for some time, but now more than ever it is a challenge that needs coordinated global action, not just to avoid cyber warfare, but also to combat all cyber crime. When taking action on a global level, politicians, diplomats and other senior decision makers must understand the security issues involved, as well as the broader international tensions.
About the Digital Systems Knowledge Transfer Network
The Digital Systems Knowledge Transfer Network is an independent body set up by the Technology Strategy Board to combine expertise and drive innovation in distributed computing, cyber security and location and timing services to help address the challenges of digital Britain.
The Cyber Security Programme brings together business, government and academia to collaboratively develop effective responses to cyber security threats.
The KTN is a free membership organisation. To find out more, or to join, visit www.digitalsystemsktn.org
Tony Dyhouse is the cyber security director for the Digital Systems Knowledge Transfer Network (DSKTN).