A war fought entirely in cyberspace is unlikely but governments must boost their defences, says the OECD
A cyber-attack on computer systems could cause a global catastrophe, if it comes at the same time as a terrorist attack or natural disaster, according to the Organisation for Economic Cooperation and Development (OECD).
Governments need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate, says an OECD report released on 17 January. Following much-publicised “hacktivist” attacks against nations, the OECD warns of the significant and growing risk of “localised misery and loss” as a result of the compromise of computer and telecommunications services.
“It is a safe prediction that the use of cyber-weaponry will shortly become ubiquitous,” stated the report. “What should concern policy makers are combinations of events – two different cyber-events occurring at the same time, or a cyber-event taking place during some other form of disaster or attack. In that eventuality, ‘perfect storm’ conditions could exist.”
Pure cyber-war unlikely
According to the report’s authors, Peter Sommer and Ian Brown, a war fought solely with cyber-weapons is unlikely. However, the use of cyber-weaponry as a “disrupter” or “force multiplier”, deployed in conjunction with more conventional forms of weaponry, could be extremely detrimental to a country’s infrastructure.
They warn that a purely military approach to cyber-security defence is limited, calling for international cooperation to mitigate the risk of such attacks. New technical measures will also help to improve cyber-security, as will greater education and research into the motivations and capabilities of potential attackers.
“There will never be enough policing resource to investigate all computer-related criminal attacks,” the report states. “The public will have to continue to learn to protect itself – and that suggests a strong argument for some public funding for relevant user education.”
The news follows in the wake of several high-profile cyber-attacks against companies and countries caught up in the WikiLeaks controversy. The hacktivist group known as Anonymous achieved notoriety after it targeted companies such as Mastercard, Visa and PayPal with distributed denial of service (DDoS) attacks, after those companies withdrew their support for the WikiLeaks website.
“Hacktivism is a first cousin to more conventional direct action groups, which all face the same challenge: the initial actions are often successful in winning public sympathy but thereafter public perceptions can arise that activities have ‘gone too far’,” explains the OECD. “To reach the level of a global shock, hacktivist activity would need to be extremely well researched and persistent and be carried out by activists who had no care for the consequences.”
It has also been estimated that the Stuxnet Trojan may have knocked out as many as 1,000 centrifuges at Iran’s nuclear facility in 2010, and experts have warned that it heralds a new breed of Trojans that, in 2011, will attack more devices that are not computers. The New York Times has reported that Stuxnet was developed jointly by the US and Israel, and tested on Israel’s own secret nuclear installations.
In October 2010, the UK government pledged to invest £650 million in its cyber-defence strategy, after the National Security Council highlighted cyber-attacks as being one of the greatest threats to Britain, alongside terrorism.
“The threat is a real and credible one,” said Ian Lobban, director of the Government Communications Headquarters (GCHQ), in October. “Cyberspace is contested every day, every hour, every minute, every second.”