Gavin E L Hall is a Doctoral Researcher in the Department of Political Science & International Studies at the University of Birmingham. His main focus of research NATO’s role in the broadening security environment, especially cyber-security. You can follow him on twitter @GavinELHall.
When the new government takes office in May 2015 one of the first tasks will be to initiate a Strategic Defence and Security Review (SDSR).
The SDSR of 2010 introduced four Tier 1 threats to the United Kingdom. For the first time, threats emanating from both state and non-state actors in cyberspace were classified as a direct threat to the national security of the UK. Thus, in 2011 the UK Cyber Security Strategy was launched, and an update is likely to follow in 2016/17.
We will focus here on two aspects: the threat of cyber-attack and the threat of a cyber-incident.
Significant debate exists around issues of taxonomy within cyberspace, though the notion of an attack implies the use of violence and the ability to cause physical damage, whether to a human, a machine or infrastructure.
Any number of ‘what if’ scenarios exist and our impending doom might seem assured. However, intent and capability are not synonymous, and the actual potential for damage is largely overstated. Only three events in cyberspace can claim to have actually caused physical damage, and no human has ever died directly from such an event.
Operation Orchard in 2007 saw the Syrian radar station at Tall al-Abuad go offline, possibly via a kill-switch embedded in the software by the manufacturer, which allowed Israeli bombers to fly undetected and destroy the Deir ez-Zor nuclear reactor construction site. Whether this is a cyber-attack or not is hotly debated due to the time delay between the cyber-action and the damage caused.
In December 2014, the German IT Security Situation report highlighted an event at a metal foundry where a ‘cyber-attack’ had gained access to the plant’s control systems. As a result, a blast furnace was unable to be shut down, and an explosion occurred. Whether this was the intention behind the cyber-attack remains unclear and provokes debate on the nature of intent required to commit an act of violence, especially in the legal sense.
The standard illustration of a cyber-attack is the Stuxnet incident in Iran in 2010. A complex operation was launched that led to an engineer at the plant unwittingly installing a virus into the control system that caused the centrifuges at the nuclear processing plant at Natanz to spin in an unpredictable manner.
Initial claims suggested that the centrifuges were destroyed directly – however, Dmitri Alperovitch has recently argued that the Iranians actually destroyed the centrifuges themselves, as they believed them to be faulty. Like Operation Orchard, the time delay and role of direct destruction may well mean that not a single true cyber-attack has ever actually occurred.
The citizens of the UK, as well as companies, have experienced a number of cyber-incidents. However, the present language of the debate ensures that the problem remains within the framework of the military and the nation-state.
The yearly data breach reports from Verizon continually highlight that over 85% of cyber-incidents could be prevented by ensuring adequate passwords are set and that software has been updated to the latest model. Furthermore, a number of incidents require the user to have handed over information willingly, admittedly usually via duping.
In reality, the UK is vulnerable to cyber-incidents and a significant factor in this is the lack of effort the government has made to adequately pursue the premise behind Objectives 3 and 4 of the Cyber Security Strategy: to provide education for the populous to enhance security by knowledge.
A more informed public with clear information provided free of hyperbole and threat-inflation would provide the single biggest boost to cyber security.
The threat of cyber warfare and cyber-attack is severely overstated, as such an event would not take place in a political vacuum or indeed be possible to achieve. Hostile actions in cyberspace would almost certainly accompany traditional forms of conflict, such as used by Russia against Georgia, in 2008, and Ukraine. Therefore, the threat can be mitigated via traditional means of diplomacy and deterrence, and no specific vulnerability to a cyber-attack can be ascertained.
First Published on The Birmingham Brief 05/02/15