Proactive IT security
 

The next war will NOT be a pure cyberwar

It is unlikely that there will ever be a true cyberwar. (...)
[T]here is no strategic reason why any aggressor would limit themselves to only one class of weaponry.

Introduction

A new report, “Reducing Systemic Cybersecurity Risk”, has received quite a lot of attention. The report is part of the Organisation for Economic Co-operation and Development (OECD) Project on “Future Global Shocks”, and addresses the question:

How far could cyber-related hazards be as devastating as events like large-scale pandemics and the 2007-10 banking crisis?

As part of answering this question, the report discusses whether the next war will be a pure cyberwar.

In this security article, we will examine some points made in the report.

Future Global Shocks

The focus of the OECD project, to which this report is one contribution, is "global shocks". One characteristic of this type of incident is, according to the report, that

responses limited to the level of the nation state are likely to be inadequate; coordinated international activity, with all the associated problems of reaching agreement and then acting in concert, is what is required. 

It follows that disastrous events such as the Haiti earthquake in January 2010, famines in parts of Africa, and the Mexican Gulf oil spill in 2010 are not global shocks, as they are not global incidents in that sense.

Could a cyber incident be perceived as a global shock?

Cyberwar - the next type of war?

A Digital Pearl Harbor?

The concept of a Digital Pearl Harbor was coined in the early 1990s, but nothing that came even close to justifying such a term happened before (possibly) the cyber attacks on Estonia in 2007. This event and subsequent similar ones, combined with e.g. information that organized crime had become cyber-based on a global scale, resulted in several national and multinational protection systems.

The recent Stuxnet incident, which is still being discussed and analyzed, also contributed to speculation about whether cyber weapons might be the means by which the next war is fought.

The report discusses at length whether cyberthreats have the potential to invoke global shocks, and some problems with this scenario. The most important objection is that few known types of single cyber events seem able to result in a global shock. One may, however, imagine a combination of several different cyber events, or cyber events in combination with other incidents, resulting in a global shock.

Cyberattack equals retaliation with cyberweapons?

One problem with the whole concept of cyberwar is that it presupposes that an attack with cyber weapons on a state will result in retaliation with the same type of weapons. This is obviously not correct: anyone, whether a person or a state, will of course use the weapons in their arsenal that are best suited to combating a particular threat. An attack with cyber weapons may result in a response with conventional (and nuclear) weapons.

A further discussion about any pure cyberwar therefore seems pointless, as this is unlikely to happen in the near future.

Cyberweapons - one type among many in the arsenal

A more sensible approach seems to be to regard cyberweapons as one of a series of weapons available in a conflict.

This approach also eliminates the somewhat academic problem that "war" as a concept is strictly defined in international agreements and regulations. Several of the conflicts in the world are "war-like" even though they do not comply with the rigid definition. And any state and/or coalition of states should obviously be prepared for attack even if the resulting conflict is not a war.

The report therefore devotes its main part not to "cyberwar", but rather to cyberweapons and cybersecurity risks.

Cybersecurity risks in a historical perspective

The report has a part that focuses on the historical progress that has led to the situation we have today. Some of the major events are:

  • The number of computers
    While the number of computers has risen enormously in recent decades, the sophistication of the average computer user has not increased accordingly. One may therefore presume that the average computer today is more vulnerable than some years ago.
  • The Internet
    The Internet and its connectivity provide both an opportunity for criminal activity and the potential for anonymity.
  • Ecommerce
    Modern societies' dependence on ecommerce is continuously increasing.
  • Infrastructure
    National and international infrastructure is increasingly vulnerable to cybersecurity risks.

The report mentions several examples of instances where cyberweapons have been used in recent years. It also attempts to define the characteristics of a cyberweapon to separate it from e.g. traditional malware:

A weapon is "directed force" - its release can be controlled, there is a reasonable forecast of the effects it will have, and it will not damage the user, his friends or innocent third parties.

Thus, a virus or a traditional computer worm is not a cyberweapon. However, a Distributed Denial of Service (DDoS) attack may be used as a cyberweapon. Whether the advanced malware Stuxnet can be defined as a cyberweapon under this definition is not obvious.

The responses to cybersecurity risks 

There are several types of response a nation or group of nations may invoke to prepare for cybersecurity risks. Among those mentioned in the report are:

Military response

The U.S. and China are mentioned as examples of two countries that have invested much in cyber-capabilities, offensive as well as defensive.

Civil contingencies

Other countries (e.g. the Netherlands and the U.K.) have chosen to focus on extending their programs for dealing with large-scale events to also include cybersecurity incidents.

Private sector

All businesses should have plans to reduce the impact of an attack using cyberweapons. This should be part of business continuity planning for all firms. It is important to focus not solely on the single organization, but also on how a successful attack on one organization may affect that organization's environment.

Government, Private and Public/Private partnerships 

Critical infrastructure is in many countries both publicly and privately operated. It is therefore important that both work together to prepare for and recover from cyberattacks. Such "public private partnerships" must be a planned and defined set of formal relationships and understandings.

Policing and counter-fraud responses

The report points out that it is a problem that policing is (primarily) located in one country, while cybercrime is borderless. The need to educate potential victims with awareness programs and in the use of preventative measures, however, is emphasized in the report.

Research Responses 

Much work is needed in developing better and more advanced forensic and tracing tools and techniques. Cloud computing, and the increased enthusiasm for this technology, introduces new challenges.

Legal and regulatory approaches 

National and international laws and regulations have not been able to keep up with the rapid technological development of recent decades. The report indicates that this is changing and mentions initiatives from the United Nations regarding model laws and technical assistance to its members on reducing cybercrime and attacks on information systems.

Conclusions and recommendations in the report

The report sums up the following action points for governments:

  • Ensure that national cybersecurity policies encompass the needs of all citizens and not just central government facilities
  • Encourage the widespread ratification and use of the CyberCrime Convention and other potential international treaties
  • Support end-user education as this benefits not only the individual user and system but reduces the numbers of unprotected computers that are available for hijacking by criminals and then used to mount attacks
  • Use procurement power, standards-setting and licensing to influence computer industry suppliers to provide properly tested hardware and software
  • Extend the development of specialist police and forensic computing resources
  • Support the international Computer Emergency Response Team (CERT) community, including through funding, as the most likely means by which a large-scale Internet problem can be averted or mitigated
  • Fund research into such areas as: Strengthened Internet protocols, Risk Analysis, Contingency Planning and Disaster Propagation Analysis, Human Factors in the use of computer systems, Security Economics

Attempts at the use of an Internet "Off" Switch as discussed in the US Senate and elsewhere, even if localised, are likely to have unforeseeable and unwanted consequences.

The report is more than 100 pages, and lots of interesting points are made and discussed. The full report is available from the link below, and should guarantee some interesting hours of good reading.

The following paragraph from the report seems like an appropriate ending; particularly with respect to this article's introductory quotation:

A pure cyberwar, that is one fought solely with cyber-weapons, is unlikely. On the other hand in nearly all future wars as well as the skirmishes that precede them policymakers must expect the use of cyberweaponry as a disrupter or force multiplier, deployed in conjunction with more conventional kinetic weaponry. Cyberweaponry of many degrees of force will also be increasingly deployed and with increasing effect by ideological activists of all persuasions and interests.

Reference

OECD/IFP Project on “Future Global Shocks” - “Reducing Systemic Cybersecurity Risk” (the full report in PDF format)