On 12 October 2012, US Defence Secretary Leon Panetta said that cyberattacks could inflict more damage on the US than 9/11. Shortly afterwards, British Foreign Secretary William Hague said the United Kingdom suffers from thousands of cyberattacks – mostly criminal – each day.
Our vulnerability to cyberattacks is increasing as we become dependent on ICT-networked systems for almost all aspects of daily life, and in particular for the smooth operation of global trading and financial systems.
At a conference on cybernorms, which I attended last month at the Massachusetts Institute of Technology, a key takeaway was that governments were starting to repatriate the Internet within the confines of national sovereignty. And, at the Budapest Cyber Conference, I found myself chairing a session of non-governmental speakers addressing the reality that cyberspace was becoming militarized.
Over 30 states have the capacity and the doctrine to conduct offensive operations in cyberspace. Any state with a national telecommunications agency also has a signals intelligence capacity, giving it an intelligence collection and covert action reach previously available to only a handful of big powers. These developments are taking place in a context lacking any rules of the road or clear definitions of what constitutes a cyberattack and what might be a proportionate response, much less any commonly agreed conceptual models for de-escalating a cybercrisis.
Before getting too panicked, we should recall that no one has yet died as a result of such activity in the cyber domain. And physical damage from cyberattacks is still rare. Stuxnet was an exception, but deployed on the back of a meticulous intelligence analysis and not easily replicated.
But, a much more immediate threat is the massive amount of cyberespionage and malicious criminal activity taking place on a daily basis. The networks of all Fortune 500 companies have been penetrated and many private sector companies may not even have realized that this is happening. Left unattended such activities could lead to a catastrophic collapse of confidence in online services and erode the economic well-being of nations.
The private sector has been slow to recognize and adapt to the threat and governments have been equally slow to educate them. Risk can be substantially reduced – though never eliminated – through good cyberhygiene. The private sector needs not just strong security, but also a counter-intelligence culture to mitigate the risk from cyberattack.
Related Material & Supporting Data
- On 25 October, after indications of a wide-scale cyberattack, Israeli police ordered every district and officer under its jurisdiction to disconnect their computers from the Internet and advised officers to be careful when using police computers or software
- In its annual Security Threat Report for 2011, anti-virus firm Symantec revealed an 81% increase in the number of malicious attacks.
- The Nuclear Security Enterprise experiences up to 10 million “security significant cybersecurity events” each day.
- Cyberattack Alert: Israeli Police Disconnect Computers from the Internet (news.softpedia.com)
- Hold on to your butts, US Secretary of Defense warns cyberattacks could threaten infrastructure (thenextweb.com)
- US: Hackers in Iran Responsible for Cyberattacks (abcnews.go.com)
- Obama Signed Secret Directive To Thwart Cyberattacks In Mid-October (thinkprogress.org)