Serious cyber attacks on the horizon


A report prepared recently by James A. Lewis, of the Center for Strategic and International Studies, used the recent cyber attacks that targeted the US and South Korea as a catalyst to raise a series of very important questions: Which nations possess the cyber capabilities to launch attacks against the US? What are the odds of that happening? How soon will those capabilities be available for purchase to the highest bidder on the black market?

As the report says: Cyberspace enables anonymous attacks. The use of botnets complicates attribution of an attack. Failure of attribution leads to several conclusions:

  • There is neither an adequate policy framework to manage conflict in cyberspace nor a satisfactory lexicon to describe it
  • Uncertainty is the most prominent aspect of cyber conflict – in attribution of the attacker's identity, the scope of collateral damage, and the potential effect on the intended target from cyber attack
  • Many concepts – deterrence, preemption, proportional response – must be adjusted or replaced for the uncertain cyber environment.

The author of the report agrees with the findings that the previously mentioned attacks were of the most basic kind, and says that we haven’t yet witnessed “a serious cyber attack”. He thinks this is because the current political state of affairs has not warranted it and because most cyber criminals and terrorists have not yet obtained the necessary capabilities.

But the moment when they do is not that far away. Lewis estimates that at this time China, Russia, Israel, the UK and France (along with the US) are the only nations capable of launching an advanced cyber attack. He also predicts that in as few as three years, these capabilities will probably start to become available on the black market.

This brings us to another issue: the cyber world allows concealment, so attacks cannot always be linked to the attacker. The attacks mentioned before are thought to have originated in North Korea, but this has yet to be proved. It is reasonable to assert that cyber criminals will become the mercenaries of the cyber world and that they will occasionally be employed by nations (or at least work with their tacit consent).

The defensive practice of deterrence will also have to change – for how can we threaten to retaliate, if the attacker is unknown and sure of his anonymity?

Even though the author thinks that a “serious cyber attack independent of some larger conflict is unlikely”, he thinks that the US has to step up its defenses because attacks by cyber criminals are far more likely.

“We have, at best, a few years to get our defenses in order, to build robustness and resiliency into networks and critical infrastructure, and to modernize our laws to allow for adequate security. Our current defenses are inadequate to repel the attacks of a sophisticated opponent”, says Lewis. “The United States is far more dependent on digital networks than its opponents and this asymmetric vulnerability means that the United States would come out worse in any cyber exchange.”