When I first took on responsibility for NATO’s cyber-defence nearly two years ago, only a handful of allies were aware of the gravity of cyber-attacks. The United States in particular was experiencing increasingly sophisticated attacks against its military command and control systems, defence contractors and high-tech companies. But many saw that as natural in view of the leading role of the U.S. in military, economic and technological domains. Others believed that they could take the risk of nothing, or at least nothing serious, happening to them.
This situation has now changed dramatically. Although only Estonia has so far had its government and banking sector disabled for days on end because of a cyber-attack, all allies have suffered financial losses, the theft of industrial secrets and key networks taken out of service as the result of denial of service or advanced persistent cyber-breaches. If the organisations or companies attacked had an obligation to reveal publicly their losses, the true extent of the cyber problem would be even clearer.
At the recent London conference on cyber-space, estimates of annual profits from cyber-crime went as high as $1 trillion, putting it on a par with the global narcotics trade. Throughout 2011 we have witnessed a string of sometimes spectacular hackings of organisations that one would have thought were relatively secure: Lockheed Martin, Google, the French economics ministry, Sony, the EU External Action Service and, not least of all, NATO. The Dutch company DigiNotar had its security certificates stolen by a single Iranian hacker, compromising the identities of 300,000 Iranian users. Security previously considered effective has been revealed as surprisingly vulnerable to the most skillful or well-resourced cyber-criminals.
At the same time, the ease of access for cyber-criminals suggests that the problem is likely to get worse before it gets better. Malware is developing exponentially. The U.S. security firm Symantec counted 1.5 million new forms last year alone, even if much of this malware can only be used once before a patch is applied. Much malware can be acquired for free, or costs infinitely less than the systems it can attack.
A virus downloaded for $26 on the internet was used to access the video imagery from U.S. drones over Iraq. With so many different actors from every corner of the world able to play in cyber-space – state intelligence services, military establishments, organised crime syndicates, citizens’ “hacktivist” groups or disaffected private individuals – cyber will remain for many years to come the ultimate form of asymmetric warfare: easy to attack and hide one’s identity, and hard to defend and identify the attacker.
At the same time, new types of malware have crossed the threshold from the virtual world to the real world of actual physical damage or destruction. The most celebrated example is Stuxnet, which was implanted into the Siemens operating system at an Iranian nuclear plant. Allegedly it destroyed 1,000 centrifuges by making them spin out of control. Stuxnet was able to programme itself, seek out its target and initially hide its traces. It also underlined how even closed systems, delinked from the internet, can be vulnerable to sabotage, in this instance from a USB stick.
More generally, our increasing reliance on information technology and automation to operate oil and gas pipelines, air traffic control systems or smart electricity grids makes cyber-attacks an attractive option for terrorists or hostile states. This said, over 90% of cyber intrusions today are part of classic criminal activity and for the purpose of theft or espionage rather than to make aircraft fall out of the sky or to plant potentially catastrophic false information about people’s medical records. Still, the data or information gained through cyber-crime could be used to plan and carry out even more devastating future attacks.
Because of the universality of the cyber-threat, it is easy for government officials or business executives to become passive, raise the white flag and claim, like their predecessors in the 1930s, that the “bomber will always get through”. But good tactics and technologies like radar blunted the bomber threat so that it was never decisive.
In a similar vein, we should not over-hype the cyber-threat. There is much that we can do to reduce it. For instance, cyber-attacks depend on anonymity. Once we can trace the source of an attack (and we are well on our way to doing so), the credible threat of criminal prosecution or retaliation will go a long way towards restoring deterrence in cyber-space. Equally we can improve identity authentication and our intrusion detection systems. We can reduce the all-too-easy access to sensitive information following the wake-up call of the WikiLeaks disclosure. An international code of conduct will eventually emerge to oblige states to co-operate in cyber-investigations and freeze data for evidence.
Finally, we must distinguish between cyber as a problem and over-hyped scenarios like cyber “Pearl Harbors” or a “Cybergeddon”. There is no evidence to date that a country can be durably paralysed by cyber-attacks or can lose a war wholly in cyber-space. The internet of the future will be designed increasingly with safety in mind and, once liabilities for cyber-attacks and losses are more clearly established, the key public and private sector actors will have a greater incentive to invest in security. So, cyber-threats are a challenge that we will in time learn to contain, if never totally to control.
The author is the Deputy Assistant Secretary General, Emerging Security Challenges, NATO.