BBC BLOGS - dot.Rory
« Previous | Main | Next »

Cyberwar or cybermirage?

Rory Cellan-Jones | 08:34 UK time, Friday, 4 February 2011

The threat of war in cyberspace grows by the day.


We have already seen attacks launched on Estonia and Georgia, and the Stuxnet incident, which saw Iran's nuclear programme come under threat from a piece of malware this shows us how vigilant we need to be.

And as well as the state-sponsored assaults, there are bands of cyber terrorists who pose a real danger to our national infrastructure, capable, for instance, of sending a wave of sewage down the Thames just in time for the London Olympics.

Today the British Foreign Secretary William Hague will call for international agreement to combat the threat of cyber warfare, with countries urged to sign up to something between a highway code and a Geneva Convention for the internet.

But hold on a minute - are we now in danger of overhyping all of this?

Recently I spent a day at a conference listening to some very clever people discuss these issues in grave terms. I can't name them because the meeting took place under the Chatham House rule, but suffice to say they included a number of those responsible at the highest level for protecting Britain from cyber threats, in both the public and private sectors.

They all seemed terribly worried but as I looked round the room I realised that just about everybody had some interest in promoting the problem. The public sector people, facing big cuts in their budgets, had found something that the Treasury seemed prepared to fund, even as the rest of the defence budget went south.

The private sector executives know that billions of pounds worth of contracts are being handed out as countries try to shore up their cyber-defences and naturally they want their share. And yes, even I had a motive for talking up cyber terror - it does make for a good headlines.

But after a morning listening to thousands of words about the scale of the threat, the new government structures designed to protect our national infrastructure, and the way the private sector could feed into that process. I was left somewhat bemused.

Yes, there's evidence that criminals are launching attacks on banks and other private sector businesses, that consumers are suffering from the effects of cybercrime, and that poor security is allowing government secrets to flood out onto the internet. But where is this cyber terror or indeed warfare?

Everyone latched onto the Stuxnet incident - "if it was done to them, they could do it to us" the cry went up. But it became evident that nobody quite understood what had happened in Iran and whether it really was a symptom of a wider threat.

But there was a sober voice at the meeting, a man who had been studying the evidence of the nature of cyber threats. The danger of cyber terrorism, he told us, seemed limited. Terrorists got more publicity from a car bomb than from taking down a computer network, which was a complex operation to mount.

And many of the incidents referred to as cyberwarfare were "nothing of the sort". He pointed to the attacks on Estonia, on Georgia and South Korea, and quoted American officials describing them as "annoying and embarrassing", rather than really damaging. After all, they had caused no casualties or loss of territory. Cyberwarfare, it seemed, could only be a "support function", rather than a primary weapon.

After hearing this measured assessment, we moved straight on to a man from the private sector. He told us that cyberwar was going on right now, largely invisible to the public, from a whole variety of actors. He quoted the IRA, "You have to be lucky all of the time, we only have to be lucky once," and he called on the government and the private sector to spend even more on shoring up Britain's cyber defences.

Maybe he was right and we should not be complacent about the dangers to our national security lurking in cyberspace. But in the past the ICT and security industries have found it very easy to scare governments into spending huge sums on initiatives that have not always proved their worth.

Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000? Or the desperate need for an identity card system and a massive NHS computer project? Previous governments took advice from the "experts" on those issues, and now the politicians have bought in to the idea that huge sums need to be spent to shore up our cyber defences.

And who is advising ministers on cyber security? Presumably the same giant international IT suppliers who have always rushed to help out. One person suggested at yesterday's event that maybe the government needed to use small start-up firms to address the cyber-security problem. That sounds attractive and if Cybergeddon does not happen in the next decade we might at least be left with a stronger digital economy.


  • Comment number 1.

    Experts may exaggerate the degree of threat!?!

    Careful Rory!

    If we continued with this independent thinking where would it end?

    We may even conclude that climate scientists advising the government may have something to gain from over-stating the dangers of global warming.


  • Comment number 2.

    Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000?

    Yes, and I remember the massive efforts that went into finding and fixing or retiring broken code. Y2K wasn't a disaster for the same reason that polio isn't much of a threat in the UK - a lot of successful preventative work.

  • Comment number 3.

    Disable JavaScript in your browser and you’ll eliminate a huge portion of treat. Of course you’ll also cripple your online experience as most big websites require this to run. But as mentioned, no one has interest is blocking the hole, the big websites want it for user experience reasons and the private cyber security companies have no interest in plugging a hole that provides so much money.

    This is a problem that really only governments can solve and probably together in partnership with web browser providers. A simple positive filter would solve the problem, any site not on the list and the user is told the site is un-vetted but can proceed at their own risk.

  • Comment number 4.

    Agree with the skepticism re CyberWars.

    Disagree with the Y2K analogy. Y2K was a threat to a huge range of businesses and public services. If it had not been addressed, we could have seen widespread failures and disruption that would have taken weeks or months to fix. Y2K bugs may have been over-hyped, but the threat was very real. Difficult to prove a negative, though.

  • Comment number 5.

    I think they're trying to soften us up for a cyberwar on terror as an excuse to censor the internet.

    Critical infrastructure should not be on the internet anyway. Stuxnet was introduced by removable media.

  • Comment number 6.

    "are we now in danger of overhyping all of this?"

    Impecable timing as ever Rory - Just as Anonymous Group target Egypt and Yemen!

    Moreover, I doubt the CIO of thinks the risks are anywhere near overhyped.

  • Comment number 7.

    I must declare a vested interest as I am an IT Security consultant to both the public and private sector in the UK.

    I can not see Cyber-warfare happening soon. By warefare people tend to mean nation states conducting all out assaults on multiple targets with the aim of gaining some kind of advantage. The systems used by the various components of critical national infrastructure are diverse and there is no silver bullet which can bring them all down.

    What is happening now though is twofold:

    1. Cyber-espionage. There are cases of communication interception all the time designed to provide intelligence to gain competetive advantage of one kind or another. This has always happened - but the fact of the internet, the sheer volumes of information flowing and the ability to process it make it more prevalent. Consider it all a kind of cyber cold war.

    2. Private cyber-armies. The most well known of these is the group known as Anonymous. In the past people associating themselves with this group have targetted groups like Scientologists. In the last few months they have targetted people perceived as anti-Wikileaks. Such private armies are likely to grow and become more prevalent - but I consider it unlikely they will have the means to conduct anything more than guerilla skirmishes in the short term.

  • Comment number 8.

    ***"Terrorists got more publicity from a car bomb than from taking down a computer network, which was a complex operation to mount."***

    Given that a bunch of inept script-kiddies brought down Visa, the "complexity" aspect is vastly overstated.

  • Comment number 9.

    _Ewan_ wrote:

    Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000?

    Yes, and I remember the massive efforts that went into finding and fixing or retiring broken code. Y2K wasn't a disaster for the same reason that polio isn't much of a threat in the UK - a lot of successful preventative work.


    Well said!

    People forget, or just ignore, the hours and hours of work that went on. I remember one friend basically working a solid year before the event with his colleagues trying to get it all sorted.

    He has been constantly annoyed by ignorant journalists assuming the entire thing was some kind of hoax. Just because some idiotic papers shouted the sky would fall doesn't mean that there wasn't a problem.

  • Comment number 10.

    @8 True, but all the majority of those inept kids did was download a program which did all the actual "attacking" for them. Not exactly technical know how needed there, but so far that is the biggest problem of websites being shut down for a few hours.

    When that happens to the army and their communications can't get through and that leads to actual loss of life, then REAL cyber warfare is here. But that won't happen any time soon, seeing as they have quite a few back ups, and rarely use the actual internet for any important communications.

  • Comment number 11.

    James Rigby wrote:

    "2. Private cyber-armies. The most well known of these is the group known as Anonymous...."

    Although I agree that they are probably not about to take over the nuclear control system, groups like this can be a constant irritant that slows every thing down and can get a lot of press coverage.

    The sad thing is that they are such a misguided bunch. They object to Egyptian authorities trying to stop access to websites, but then they react by trying to stop access to government websites. Very democratic.

    They promote complete web freedom and no censorship, then censor companies that wont support their heroes by attacking their websites and trying to stop them from operating.

    The internet is always going to be a potential security breach - in the end the best defence is nailing up the doors to reduce the chance of someone breaking in.

  • Comment number 12.

    Rory is a technology journalist and like his industry colleague, Tony Collins, previously at Computer Weekly, has probably written up many Government funded 'computer systems disaster' articles and consequently is right to be wary of this particular bandwagon.

    Nevertheless, information in the public domain points to the extreme vulnerability of certain control systems for electricity, gas and water grids, as these systems were never designed with security in mind.

    Stuxnet has merely demonstrated that this security issue has to be urgently addressed and will need significant resources.

    Furthermore, there are suspicions that large multi-national corporates, particularly in the financial sector, including Stock Exchanges, may already have suffered due to malicious activity.

    Systems engineers such as myself have been aware of these security issues for some considerable time but only now, as our world becomes ever more closely interconnected, have cyberspace and related systems security issues come to the fore.

    We led the world once in security with Chain Home, which actually saved us and we now need to do it all over again.

  • Comment number 13.

    Cyber warfare probably isn't a threat, but cyber espionage probably is. Computers were born in an age of cyber espionage - only we didn't call it that, back then: we called it Bletchley Park.

    As with the point of most espionage, the aim of cyber spying is to gather as much data on the enemy's movements and intentions as possible, without them realising it: where sabotage is done, to do it subtly, so that they will waste months wondering why they can't get the best centrifuges they could afford running right.

    The best response to cyber espionage, then, is to avoid over relying on your systems too much, never expose what should not be exposed, and never assume you are impregnable.

    It was the German belief in the invulnerability of the Lorenz cipher, that made the effort of Bletchley Park worthwhile. We perhaps forget the message of the Lorenz cipher, because we were on the winning side of it, but the telling fact is, that even when they started losing U-boats in attacks that would suggest divine intervention, still the German navy continued to relay their positions and numbers to each other in intimate detail. It is placing too much faith in your systems, that is the danger, not having weak or strong systems.

    And herein lies the problem. Many of the people who want to implement the solutions to this perceived threat, are deeply stupid people, who do not grasp that message. They want to harden the perimeter, when the problems are structural, human ones, within the heart of the system itself. Look at their existing systems - slapdash, half-baked networks, where an individual marine specialist, sitting at a workstation in Baghdad, can listen in on, and gather, just about the entire diplomatic and intelligence traffic of the United States government.

    The telling thing, from the Bradley Manning affair, is not the quality of the data released, but how easily it could be obtained - the sight of entire US intelligence and diplomatic system, exhibiting the collective discretion of a bunch of drunken Facebook users at an especially rowdy party.

    Wrapping another wall around the outside of that will achieve nothing, because it was an inside job. Why try to protect yourself from your enemies when you don't do enough about how your own people behave?

    Too many of those who want to protect us from the threat of 'cyber warfare' want to buy a Perfect Lorenz cipher (and too many of the people they talk to just-so-happen to have one to sell).

  • Comment number 14.

    Hexham_Dan @ 13

    The US DoD 'Orange book' specified who can have what level of access to various grades of information i.e. it is always appropriate access.

    But as the post-9/11 trauma set in, the US Government seems to have decided that that was part of the problem i.e. if certain information had been shared out more between the various agencies, then somebody would have joined the dots.

    So, it seems that they decided to create a database of material, including diplomatic information, that all *interested parties* could access, so that highly sensitive material then became available to low level operatives such as Manning, with a very predictable outcome - the material leaked.

    Nevertheless, as you state, in the security world, the human is the weakest link, where even 'trust but verify' is inadequate.

  • Comment number 15.

    When that happens to the army and their communications can't get through and that leads to actual loss of life, then REAL cyber warfare is here.

  • Comment number 16.

    Oh sod it: I'm just going to throw the cat amongst the pigeons and suggest the government secretly switch to Macs. LOL.

  • Comment number 17.

    This blogger has not worked on military systems for a couple of decades but todays software driven military systems environment offers all sorts of possibilities for mischief.

    For example, weapons being turned back onto their operators or appearing to be fully functional until they need to actually be used in ernest whereupon they mysteriously malfunction.

    Other possibilities include military comms and databases being hijacked and used to spread misinformation.

    It seems to me that the cold war has been surreptitiously replaced by cyberwarfare, such that now even the actual enemy is anonymous.

  • Comment number 18.

    My servers were under more intense attack a few years ago than they are now - I've just looked through the logs to see. Most attacks still seem to be originating from China and look automated and experimental - trying to give the attacker root privileges - this has always been both detected and failed (so far!) No attempted attack has got into the internal network (yet) and vital data is not physically able to be accessed from the internet ever - as it is on machines that are not connected.

    However - the biggest risk is personal data accessible in clear on internet connected PCs. I personally like use once pad encryption with a very large pad as well as employing systems that ensure passwords are changed regularly and the no two password protected data are the same and all passwords are as strong as possible. I'm not overly keen on relying of technology however as the people based social cracking is only too easy. But hardware encrypted hard discs and even the humble encrypted zip files carefully used work well as does stenographic data storage systems - tried, and use them all.

    The risks of denial of service attacks are quite large as is the ability to close down the whole internet - but this is generally done by states themselves such as Egypt and Iran at present to their own people's internet access - I wonder if this itself constitutes terrorism and cyberwarfare against others by depriving your own people of access to information and thus the ability to protest about what the state is doing?

  • Comment number 19.

    It is tempting to suggest that just perhaps this wonderful age of super-dooper, ever-so-cool, internet technology that we are spending such a huge amount of money on (both as countries and as individuals), just might fit rather neatly into a sentence containing the words "Pandora's Box" and "opened."

    I remember the days when shutting my front door meant shutting the world out. Seems like some distant utopian dream now ....

  • Comment number 20.

    'Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000?'

    Yes I do. For months I worked on fixing date routines in computer systems that would have failed after 1999.

    Rory, will you please acknowledge that you have no idea what you are talking about regarding the Y2K bug. I was there, you weren't.

  • Comment number 21.

    '20. At 06:20am on 05 Feb 2011, RedLinuxHacker wrote:
    I was there, you weren't.'

    Fair comment on most 'reporting' on tricky issues these days, that mostly seems unqualified opinion masquerading as fact

    But it must be noted that 'being there' is helpful but not the be all.

    What we're getting as 'news' from half the BBC not at Davos on hotel balconies in Egypt being evidence of that.

  • Comment number 22.

    I agree with the posters on this thread who complain that Rory is underplaying the Y2K issue and the fact that the actual disruption was relatively minor is testament to all those people who worked very hard to sort out any potential problems.

    At that time, I was involved in a project to Y2K proof a billing system (billing, I discovered, is a huge industry in its own right) and without a shadow of doubt, it would have failed completely without the work being performed.

    For insiders, will the end of the epoch be an issue?

    Probably not, after all it is still a couple of decades away and anything could happen between now and then and it certainly won't be my problem as I shall have 'moved on'.

  • Comment number 23.

    "Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000? "


    As others pointed out already, the Y2k bug would have had some pretty bad consequences if it hadn't been dealt with. It was caused by programmers in the 1980s (or thereabouts) assuming that NO ONE would still be using their code in 10 / 20 years time, and so it'd be no big deal if they only had 2 digits for the year - it'd save system resources if they did it like that. Unfortunatly, people tend not to replace software that works well, and so the bug was born.

    Still, the NHS one got much too expensive and could've mostly been done for free by an undergrad as their coursework assignment. "ie final year project: patients database" The cost of replacing the computers will be unavailable in the long run anyway. The only difficult/expensive bits would be the networking of the machines, and security. Still not quite sure how they got it so wrong!

    The National ID card was a stupid idea from start to finish. The only "experts" who thought THAT was a good idea, even in principle, were those bidding for the contracts to build a system no-one expected to work.

    With that in mind, yes we should be wary of our (taxpayers) money going down a blackhole. But, this is certainly a very real threat, as it could be used to cripple economies - imagine if telephone networks or power supplies could be switched off all across the nation, at the whim of someone half-way across the globe. Imagine the chaos that'd cause, and you'll start to see why they're so worried about it.

  • Comment number 24.

    I'm not overly keen on relying of technology however as the people based social cracking is only too easy. But hardware encrypted hard discs and even the humble encrypted zip files carefully used work well as does stenographic data storage systems - tried, and use them all.


BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.