Cyber warfare seems so much like an idea from science fiction, or perhaps the plot of a cheap airport thriller, that it’s hardly surprising most companies don’t think of it as a significant risk to them. But the evidence of the last few years would suggest that they should start thinking a little harder, because the risk is high and rising all the time.
There’s no one definition of cyber warfare; indeed many countries use different definitions which suit their own agendas, so the term can cover quite a wide range of online activities performed by states against their opponents.
Governments are spending billions on building up armies of hackers and stockpiles of cyber weapons, making it evermore likely future battles will be fought with electronic weapons as well as tanks and jets
These might range from low-level threats such as spreading propaganda and disinformation via social media through to cyber espionage – stealing secrets by hacking. And all the way up to using digital weapons to create damage in the real world – the nightmare scenario of hackers attacking the power grid, for example, and switching off the lights for everyone.
Targeting key infrastructure
Some of this might seem far-fetched, but governments around the world are spending billions on building up armies of hackers and stockpiles of cyber weapons, making it evermore likely future battles will be fought with electronic weapons as well as tanks and jets.
That’s because developed countries are extremely reliant on the electronic systems which run the banks, keep retailers’ supply chains operating and keep the power on. Any piece of computer code which could interfere with the smooth-running of these systems would be just as valuable as a battalion or two in a conflict.
“You could wage a fairly effective war against a country by stopping its banking system. Most of us do our banking online so what if you launched a massive denial-of-service attack against lots of banks and stopped the banking infrastructure being effective, you could do a lot of damage to a country,” says Professor Alan Woodward of the University of Surrey.
Unlike on the traditional battlefield, geography is irrelevant. Digital attacks can be launched from anywhere, against any target. All you need is enough computing power, internet access and skill. And thanks to the often anonymous nature of the internet, it may be very hard to work out exactly who is behind the attack, making it much harder to strike back.
So if a rogue state did want to launch a cyber attack against another country, the most obvious target would be what’s known as the critical national infrastructure, such as energy, transport, financial services or food – the essentials we all rely on.
That critical national infrastructure is made up of many big companies, but also smaller suppliers, many of which may never think they could be a serious target for state-sponsored hackers. “These supply chains are very deep and therefore include a surprising number of companies,” says Ian Glover, president of security industry group Crest.
Organisations must assess the risks to their business and make sure they have the internal skills or know-how to procure expert advice to design, manage and test their ability to protect themselves, he says.
Even small companies that might be suppliers to the larger players could be targeted, exactly because they are smaller and thus less able to protect themselves against attack. “They can get caught in the crossfire in a number of different ways,” says Professor Tim Watson, director of the Cyber Security Centre at the University of Warwick.
If a small company makes a vital widget, without which a bigger company or an army grinds to a halt, this could make it a target.
And, of course, industrial secrets are another tempting target; you might not be taken offline, but stealing plans for your next product could be just as damaging.
Analysing weak spots
Any organisation that derives its corporate worth from the intellectual property it generates should think very carefully about whether they could be a target, says Professor Woodward. “If you look at the vast majority of cyber attacks, they’re actually stealing ideas, stealing intellectual property because it’s extremely valuable.”
Companies tend to think of their cyber security risk in terms of their IT systems, such as e-mail, customer databases or websites. These are important and certainly essential to the smooth-running of most businesses.
But these aren’t the only electronic systems that keep businesses running. Many are now putting their industrial control systems online. These systems might control anything from factory systems to things as prosaic as the air conditioning. Connecting them to the internet is handy for remote monitoring, but can create a major security risk. And the rise of the internet of things means more and more devices are being connected up to the internet all the time.
“You’d be absolutely astonished at what is connected to the internet,” says Professor Woodward.
These systems are vital to the smooth-running of a business, but are often forgotten about, hard to upgrade and hard to make secure, all of which makes them a tempting target for hackers. It doesn’t matter how well your servers are protected with firewalls and other tech if a hacker can switch off the air conditioning to the datacentre which means they all overheat and break down.
All of this means this isn’t a job the board can simply dump on the IT department.
“With the greatest of respect, a lot of boards don’t know how the PC at home works, and think this is an IT problem and they delegate it down to the IT department, that it’s their problem – it’s not,” says Professor Woodward.
Rather, making sure that a company is protected is the responsibility of many different elements of the business.
Everybody is responsible
Certainly IT has to be involved, but also human resources making sure that staff know what to do and what not to do, while the board has to be educated about the risks and be ready with a plan if the worst happens. Non-executive directors can be a handy source of information and counsel.
“The responsibility for worrying about it has been delegated implicitly by the rest of the organisation to IT and it needs to be pervasive. You don’t just put technical controls in; the most effective controls will be the cultural ones and the IT department aren’t the best placed to introduce those,” says Professor Watson.
This doesn’t get IT off the hook though as they still have a responsibility to explain the risks to the board.
“It’s all very well to blame the board, but they are rational and they are running a business, and if somebody comes to you and says, ‘I need to spend this sum of money on this nebulous threat and I can’t tell you what you are going to lose’, the board quite rightly is focused on business processes,” he says.
The threat may seem too great to cope with, but the reality is that the vast number of security incidents, including some very high-profile ones, are preventable. The first step is to consider whether your organisation might be a target and why, and to make sure cyber-security best practice is understood and adopted across your organisation. That should help keep cyber warfare in the realms of thrilling fiction, rather than your grim reality.
ARTIFICIAL INTELLIGENCE AT WAR
First the good news about artificial intelligence or AI – security companies are already looking at how to use it to fight back against hackers.
New AI-powered tools can be “taught” to understand how a computer network usually operates, which then makes it very easy for such systems to spot unusual behaviour that could indicate a hacker is on the loose – like a computer copying a top-secret database it the middle of the night, for example.
But there’s also the bad news. As we increasingly rely on AI to make decisions for us, this increases the risk that those systems can be tricked by even smarter systems, without us realising.
It’s something that US director of national intelligence James Clapper warned about in a report to the Senate Armed Services Committee last month.
“AI systems are susceptible to a range of disruptive and deceptive tactics that might be difficult to anticipate or quickly understand. Efforts to mislead or compromise automated systems might create or enable further opportunities to disrupt or damage critical infrastructure or national security networks,” he warns.
Another problem is that at the moment cyber weapons are extremely expensive and complicated to build because they have to be specially designed for each target. Automatic cyber weapons incorporating AI could seek out vulnerability and adapt to the defences of different targets without assistance from a human operator, making cyber warfare much easier to execute against many more targets than hitherto possible.
This could lead to some interesting moral questions in future – if these autonomous AI weapons do damage, who is really responsible?
