A recent study by the Organisation for Economic Cooperation and Development (OECD) on the potential effects of attacks on computer systems suggests the risk of a true ‘cyberwar’ is minimal. However, governments and infrastructure suppliers must still ensure that adequate security and recovery plans are in place for the rare combination of events that could pose a threat to national security.
The authors of the study say that most malicious attacks are localised and short-lived, and do not deserve the name ‘cyberwar’, a term that is applied indiscriminately to cyber crime such as stealing data or vandalising a site.
One of the authors of the study, Peter Sommer, a visiting professor at the London School of Economics, explained: “We don’t help ourselves by using ‘cyberwar’ to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks. Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure.”
The report says that the ambiguous language may in fact hamper the development of plans to block incidents and recover from successful attacks.
However, the report does acknowledge the risk of a catastrophic incident, such as a solar flare that disrupts the physical elements of a network. It also warns that cyberwarfare weapons, such as viruses, worms, Trojans and denial of service, could in future be used alongside conventional weapons as ‘force multipliers’.
The OECD report is part of a series aimed at identifying events that could cause global disruption. Researchers found that pandemics and financial instability are far more likely to cause a crisis situation than cyber attacks in their current form, although a series of coordinated attacks could prove a serious risk.
Although cyber attacks may hold little risk of global disruption, the effect on a single system, such as the National Grid, could be devastating. Even the effect of a denial of service may prove financially ruinous to an individual company. Companies and service providers should therefore resist complacency when it comes to protecting their systems.
The report warns against a largely military approach to cybersecurity, as the targets themselves are seldom military. It recommends careful system design, anti-virus software, protection against system intrusions and user education. Equally important is the establishment of contingency plans for system recovery in the event of a successful attack.
In addition, common sense at the individual system level will limit the ability of any potential future cyberwar to have a more widespread effect.