The Study is part of a broader OECD review of Future Global Shocks which covers pandemics and further collapse of the world financial system.
The UK Government has announced, as part of its Strategic Defence and Security Review, that £650m is available to address “cyber” attacks, seen as a Tier One threat.
The Oxford Internet Institute is a world-leading centre for the multidisciplinary study of the Internet and society, and a department within the Social Sciences Division of the University of Oxford.
www.oii.ox.ac.uk
Executive Summary
This report is part of a broader OECD study into “Future Global Shocks”, examples of which could include a further failure of the global financial system, large-scale pandemics, escape of toxic substances resulting in wide-spread long-term pollution, and long-term weather or volcanic conditions inhibiting transport links across key intercontinental routes.
The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters.
• Catastrophic single cyber-related events could include: a successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers; and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches.
• For the remainder of likely breaches of cybersecurity, such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.
• Successful prolonged cyberattacks need to combine: attack vectors which are not already known to the information security community and thus not reflected in available preventative and detective technologies, so-called zero-day exploits; careful research of the intended targets; methods of concealment both of the attack method and the perpetrators; and the ability to produce new attack vectors over a period as current ones are reverse-engineered and thwarted. The recent Stuxnet attack, apparently against Iranian nuclear facilities, points to the future but also to the difficulties. In the case of criminally motivated attacks, a method of collecting cash without being detected is also required.
• The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.
• Proper threat assessment of any specific potential cyberthreat requires analysis against: Triggering Events, Likelihood of Occurrence, Ease of Implementation, Immediate Impact, Likely Duration, Recovery Factors. The study includes tables with worked examples of various scenarios.
• There are many different actors with varying motivations in the cybersecurity domain. Analysis and remedies which work against one type may not be effective against others. Among such actors are: criminals, recreational hackers, hacktivists, ideologues, terrorists, and operatives of nation states.
• Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”; it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.
• It is unlikely that there will ever be a true cyberwar. The reasons are: many critical computer systems are protected against known exploits and malware, so that designers of new cyberweapons have to identify new weaknesses and exploits; the effects of cyberattacks are difficult to predict – on the one hand they may be less powerful than hoped, but they may also have more extensive outcomes arising from the interconnectedness of systems, resulting in unwanted damage to perpetrators and their allies. More importantly, there is no strategic reason why any aggressor would limit themselves to only one class of weaponry.
• However the deployment of cyberweapons is already in widespread use and in an extensive range of circumstances. Cyberweapons include: unauthorised access to systems (“hacking”), viruses, worms, trojans, denial-of-service, distributed denial of service using botnets, root-kits and the use of social engineering. Outcomes can include: compromise of confidentiality / theft of secrets, identity theft, web-defacements, extortion, system hijacking and service blockading. Cyberweapons are used individually, in combination and also blended simultaneously with conventional “kinetic” weapons as force multipliers. It is a safe prediction that the use of cyberweaponry will shortly become ubiquitous.
• Large sections of the Critical National Infrastructure of most OECD countries are not under direct government control but in private ownership. Governments tend to respond by referring to Public Private Partnerships, but this relationship is under-explored and full of tensions. The ultimate duty of a private company is to provide returns for its share-holders, whereas a Government’s concern is with overall public security and safety.
• Victims of cybersecurity lapses and attacks include many civilian systems, and for this reason the value of a purely military approach to cybersecurity defence is limited. The military have a role in protecting their own systems and in developing potential offensive capabilities.
• Circumstances in which the world or individual nations face cybersecurity risks with substantial long-term physical effects are likely to be dwarfed by other global threats in which information infrastructures play an apparently subordinate but nevertheless critical role. During many conventional catastrophes there is a significant danger that a supportive information infrastructure becomes overloaded, crashes and inhibits recovery.
• The cyber infrastructure, as well as providing a potential vector for propagating and magnifying an original triggering event, may also be the means of mitigating the effects. If appropriate contingency plans are in place, information systems can support the management of other systemic risks. They can provide alternate means of delivering essential services and disseminate the latest news and advice on catastrophic events, reassuring citizens and hence dampening the potential for social discontent and unrest.
• Rates of change in computer and telecommunications technologies are so rapid that threat analyses must be constantly updated. The study includes a series of projections about the future.
• Counter-Measures need to be considered within an Information Assurance engineering framework, in which preventative and detective technologies are deployed alongside human-centred managerial policies and controls.
• A key distinguishing feature of cyberattacks is that it is often very difficult to identify the actual perpetrator, because the computers from which the attack appears to originate will themselves have been taken over and used to relay and magnify the attack commands. This is known as the problem of attribution. An important consequence is that, unlike in conventional warfare, a doctrine of deterrence does not work – because the target for retaliation remains unknown. As a result, defence against cyberweapons has to concentrate on resilience – preventative measures plus detailed contingency plans to enable rapid recovery when an attack succeeds.
• Managerial Measures include: risk analysis supported by top management; secure system procurement and design, as retrofitting security features is always more expensive and less efficient; facilities for managing access control; end-user education; frequent system audits; data and system back-up; disaster recovery plans; an investigative facility; and, where appropriate, standards compliance.
• Technical Measures include: secure system procurement and design; applying the latest patches to operating systems and applications; the deployment of anti-malware, firewall and intrusion detection products and services; and the use of load-balancing services as a means of thwarting distributed denial of service attacks.
• Large numbers of attack methods are based on faults discovered in leading operating systems and applications. Although the manufacturers offer patches, their frequency shows that the software industry releases too many products that have not been properly tested.
• Penetration Testing is a useful way of identifying system faults.
• Three current trends in the delivery of ICT services give particular concern. World Wide Web portals are being increasingly used to provide critical Government-to-citizen and Government-to-business facilities; although these potentially offer cost savings and increased efficiency, over-dependence can result in repetition of the problems faced by Estonia in 2007. A number of OECD governments have outsourced critical computing services to the private sector; this route offers economies and efficiencies, but the contractual service level agreements may not be able to cope with the unusual quantities of traffic that occur in an emergency. Cloud computing also potentially offers savings and resilience, but it also creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or the supplier is in financial difficulties.
The authors identify the following actions for Governments:
• Ensure that national cybersecurity policies encompass the needs of all citizens and not just central government facilities
• Encourage the widespread ratification and use of the CyberCrime Convention and other potential international treaties
• Support end-user education, as this benefits not only the individual user and system but reduces the numbers of unprotected computers that are available for hijacking by criminals and then used to mount attacks
• Use procurement power, standards-setting and licensing to influence computer industry suppliers to provide properly tested hardware and software
• Extend the development of specialist police and forensic computing resources
• Support the international Computer Emergency Response Team (CERT) community, including through funding, as the most likely means by which a large-scale Internet problem can be averted or mitigated
• Fund research into such areas as: Strengthened Internet protocols, Risk Analysis, Contingency Planning and Disaster Propagation Analysis, Human Factors in the use of computer systems, Security Economics
Attempts at the use of an Internet “Off” Switch, as discussed in the US Senate and elsewhere, even if localised, are likely to have unforeseeable and unwanted consequences.