Gavin Hall of the University of Birmingham writes for EA and The Birmingham Brief:


When the new British Government takes office in May 2015, one of the first tasks will be to initiate a Strategic Defence and Security Review (SDSR).

The SDSR of 2010 introduced four Tier 1 threats to the United Kingdom. For the first time, threats emanating from both state and non-state actors in cyberspace were classified as a direct threat to the national security of the UK. Thus, in 2011 the UK Cyber Security Strategy was launched, and an update is likely to follow in 2016/17.

So how significant is the threat of a cyber-attack or a cyber-incident?

Significant debate exists around issues of taxonomy within cyberspace, though the notion of an attack implies the use of violence and the ability to cause physical damage, whether to a human, a machine or infrastructure.

Any number of “what if” scenarios exist and our impending doom might seem assured. However, intent and capability are not synonymous, and the actual potential for damage is largely overstated. Only three events in cyberspace can claim to have actually caused physical damage, and no human has ever died directly from such an event.

In Operation Orchard in 2007, the Syrian radar station at Tall al-Abuad went offline, possibly via a kill-switch embedded in the software by the manufacturer, which allowed Israeli bombers to fly undetected and destroy the Deir ez-Zor nuclear reactor construction site. Whether this was a cyber-attack or not is hotly debated due to the time delay between the cyber-action and the damage caused.

In December 2014, the German IT Security Situation report highlighted an event at a metal foundry where a “cyber-attack” had gained access to the plant’s control systems. As a result, a blast furnace was unable to be shut down, and an explosion occurred. Whether this was the intention behind the cyber-attack remains unclear, provoking debate on the nature of the intent required under law to commit an act of violence.

The standard illustration of a cyber-attack is the Stuxnet incident concerning Iran in 2010. A complex operation was launched that led to an engineer at the Natanz nuclear processing plant unwittingly installing a virus into the control system, causing the centrifuges to spin in an unpredictable manner.

Initial claims suggested that the centrifuges were destroyed directly – however, Dmitri Alperovitch has recently argued that the Iranians actually destroyed the centrifuges themselves, as they believed them to be faulty. Like Operation Orchard, the time delay and role of direct destruction may well mean that a true cyber-attack did not occur.

The citizens of the United Kingdom, as well as companies, have experienced a number of cyber-incidents. However, the present language of the debate ensures that the problem remains within the framework of the military and the nation-state.

The yearly data breach reports from Verizon continually highlight that over 85% of cyber-incidents could be prevented by ensuring that adequate passwords are set and that software has been updated to the latest version. Furthermore, a number of incidents require the user to have handed over information willingly, usually after being duped.

In reality, the UK’s vulnerability is largely because of the lack of effort by the government to pursue the premise behind Objectives 3 and 4 of the Cyber Security Strategy: “to provide education for the populace to enhance security by knowledge”. A more informed public with clear information, provided free of hyperbole and threat-inflation, would provide the single biggest boost to cyber-security.

The threat of cyber-warfare and cyber-attack is overstated, as such an event would not take place in a political vacuum. Hostile actions in cyberspace would almost certainly accompany traditional forms of conflict, such as the operations by Russia against Georgia in 2008 and those against Ukraine today. The threat can be mitigated via traditional means of diplomacy and deterrence.