Cyber-Warfare: Always An Unknown Quantity

Cyber defence looks set to get a budget boost, while everyone else loses money, says Peter Judge. The irony is, we will never know if the money was needed.

This week’s critical spending review has sparked competitive pleading and media scares, as every possible part of the public purse fights to keep its portion of government spending.

Education got guaranteed funding, as did overseas aid, while defence was spared from the same cuts as everyone else, aided by strategic leaks from the Ministry of Defence, and trans-Atlantic grumblings from Hillary Clinton.

More money for cyber-defence?

But one small part of defence looks set to get a boost in spending, despite scant real evidence in public that it deals with a serious and real threat. Indeed the air of mystery which surrounds it seems to be part of the pitch that has won cyber-security an essential and growing part in the nation’s defence.

This week, cyber warfare was classified as a “Tier 1” threat in a new National Security Strategy released to parliament. This does not mean that the risk of other nations destabilising our e-commerce networks or our nascent smart grid is as dangerous a threat as international terrorism, apparently. The list of Tier 1 threats is “in no particular order” according to Home Secretary Theresa May.

But it does seem to mean that cyber warfare will be awarded more budget. Last week, rumours suggested that, despite the climate of austerity, cyber defence could get an extra £1 billion. The current rumours are nearer £500 million, but it seems that cyber defence will get privileged access to the ever-reducing pot of government money when the full extent of the cuts is announced.

Why is it that we can increase the money we spend on protection against threats from international government-backed online attacks, while we are cutting the money we spend on protecting children from personal attacks online?

That is, of course, a mischievous question. The sizes of the threats are impossible to compare, and the need for protection is arguably different (in fact there’s some debate as to whether children need very specific protection online at all).

But it does expose the difficulty. Cutting one thing or another is a completely subjective decision, one which no-one is actually qualified to make because the information to base that decision on doesn’t really exist. The scale of international cyberwarfare is unknown, and will be shrouded in mystery because that is how the perpetrators like it. And it is also how the people talking up the threat like it.

Risky business

The list of case histories on the Wikipedia cyberwarfare page is small. But most people in the field will tell you there are more incidents that don’t get exposed, or which are stamped out and kept secret. That is the basis of the case for more cyberdefence.

The issue has been getting maximum coverage with minimum information – a dangerous combination, and somewhat reminiscent of the fabled Y2K panic in the years leading up to 2000, when fears of major systems failures led to a massive overspend in rejigging and replacing critical systems which might – just might – have failed when the date flipped over.

It is obvious that we need to have some realistic awareness of the dangers, and some level of preparedness. It’s also obvious that we, the public, won’t get a full awareness of what is going on – for reasons of national security.

At the same time, it’s obvious that we simply cannot afford the level of expense to fully prepare for every possible attack that might happen. Because even if we could prepare for all attacks, the people we are paying to do the job would then discover more work that needs to be done. It’s called a gravy train, and both IT (see Y2K) and defence know how it works.

Someone, somewhere, with unverifiable information passed to him or her by biased sources, will have to make a decision, which will then funnel a certain amount of money at an ill-defined problem.

The people that get the money, for the most part, will work diligently to do what they understand needs to be done.

After that, there will be an observed level of hacking activity, some of it political, some of it commercial, some of it from organised crime (eg Zeus), some of it ideological (Operation Payback for instance), and some of it just mischievous.

The cyberwarfare lobby can then say how much worse it would have been without the budget it had. And they may well be right. Chances are we will never know.