On 12 October 2012, US Defence Secretary Leon Panetta said that cyberattacks could inflict more damage on the US than 9/11. Shortly afterwards, British Foreign Secretary William Hague said the United Kingdom suffers from thousands of cyberattacks – mostly criminal – each day.
Our vulnerability to cyberattacks is increasing as we become dependent on ICT-networked systems for almost all aspects of daily life, and in particular for the smooth operation of global trading and financial systems.
At a conference on cybernorms, which I attended last month at the Massachusetts Institute of Technology, a key takeaway was that governments were starting to repatriate the Internet within the confines of national sovereignty. And, at the Budapest Cyber Conference, I found myself chairing a session of non-governmental speakers addressing the reality that cyberspace was becoming militarized.
Over 30 states have the capacity and the doctrine to conduct offensive operations in cyberspace. Any state with a national telecommunications agency also has a signals intelligence capacity, giving it an intelligence collection and covert action reach previously available to only a handful of big powers. These developments are taking place in a context lacking any rules of the road or clear definitions of what constitutes a cyberattack and what might be a proportionate response, much less any commonly agreed conceptual models for de-escalating a cybercrisis.
Before getting too panicked, we should recall that no one has yet died as a result of such activity in the cyber domain. And physical damage from cyberattacks is still rare. Stuxnet was an exception, but deployed on the back of a meticulous intelligence analysis and not easily replicated.
But, a much more immediate threat is the massive amount of cyberespionage and malicious criminal activity taking place on a daily basis. The networks of all Fortune 500 companies have been penetrated and many private sector companies may not even have realized that this is happening. Left unattended such activities could lead to a catastrophic collapse of confidence in online services and erode the economic well-being of nations.
The private sector has been slow to recognize and adapt to the threat and governments have been equally slow to educate them. Risk can be substantially reduced – though never eliminated – through good cyberhygiene. The private sector needs not just strong security, but also a counter-intelligence culture to mitigate the risk from cyberattack.
Author: Nigel Inkster, Director, Transnational Threats and Political Risk, International Institute f or Strategic Studies (IISS), United Kingdom; Member of the Global Agenda Council on Terrorism
Image: An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory. REUTERS/Jim Urquhart
See also the World Economic Forum’s Partnering for Cyber Resilience Page