Computer games: Why the next world war could be fought online
IT has made it easier than ever for remote attacks against critical infrastructure, but how prepared are we for this?
"Humanity is acquiring all the right technology for all the wrong reasons," claimed 20th century American inventor Buckminster Fuller. Such words also serve as a neat descriptor for the rise in cyber warfare.
In recent years, IT has become an increasingly popular weapon of choice for people intent on wreaking havoc against high-profile public and private sector organisations across the world.
The perpetrator's mission could be to inflict maximum disruption on the victim, by knocking out services they need to stay up and running, or to steal company data that could give a rival business or country a competitive advantage. In some cases, the motive is a mix of both.
This article originally appeared in the Q2 IT Pro Special Report, which was published in April 2013 and features a whole host of articles about the evolving nature of security threats facing the enterprise today.
More recently, not-for-profit anti-spam group Spamhaus suffered (what is thought to have been) the world's largest Distributed Denial of Service (DDoS) attack. This was widely credited with causing a global drop in average web speeds in March 2013.
Kevin Curran, a cyber security academic and senior member of technology association IEEE, said IT is a popular choice of attack vector because of the amount of devastation it can easily cause.
"Think about the 1970s and the Cold War. The only real way to get key insider information was to have a [human] plant," he tells IT Pro.
"Now, by exposing weaknesses in online access by state employees, experts on the far side of the world can suddenly find themselves gaining access to dream material."
IT also allows cyber attackers to take down multiple targets at once, using little more than an internet connection and some working knowledge about the victim's security systems.
"The reason this risk exists is because the internet offers little or no regulation, potentially huge audiences, anonymity and a fast flow of easy-to-grab information," Curran explains.
This has become increasingly easy for cyber attackers to take advantage of, as manufacturers and utility firms push to get more of our devices and household appliances connected to the internet, claims Chris McIntosh, chief executive of comms security vendor ViaSat.
"When you delve into the details of having smart metres in your home, for example, you find out the Government is going to allow remote disconnects, which means our houses can be disconnected from the grid remotely by someone over a network," McIntosh says.
"That should ring alarm bells [because] if someone can hack into that system, they could switch off the electricity to the majority of houses across the UK."
Etay Maor, senior product marketing manager at security vendor Trusteer, backs this view, claiming IT now has the potential to do as much damage to a country's critical infrastructure as traditional' weapons.
"If one nation went to war with another - in order to get an advantage - you would send in fighter jets to bomb their critical infrastructure," Maor tells IT Pro.
"You can do that today, but you don't have to risk the life of a pilot or their equipment because all you need are cyber weapons."
This risk exists is because the internet offers little or no regulation, potentially huge audiences, anonymity and a fast flow of easy-to-grab information.
As a result, many countries are building command centres, focused on the development of cyber weapons that can be used to attack other nations and their infrastructure, he claimed.
"We are yet to see [an attack] that has caused mass civilian casualties, such as one that shuts down a nuclear power plant for example, but that doesn't mean it won't happen," Maor warns.
It's not just lives that are at stake either, as a large-scale and sustained attack could have major implications for the health of some of the world's major economies, adds Curran.
"The internet economies of the G8 nations account for a significant and growing portion of global GDP [and] internet-related consumption and expenditure is now bigger than agriculture or energy," he says.
"Protecting our national cyber infrastructure makes financial sense for the Government."
At the moment, few organisations and countries are in a position to stave off an attack that could cause widespread carnage, said Jacques Erasmus, chief information security officer at anti-virus vendor Webroot.
"Only those with the most robust and mature information security models and monitoring capabilities will be able to detect these anomalies effectively," he explains.
"There are only a handful of companies at the moment that have made the right investments in security to properly defend and respond to these threats."
With all this in mind, peace keeping military alliance NATO recently published a 215-page guidance document, advising its members which include the UK and US - on how to respond to and behave during state-sponsored cyber attacks.
In particular, the guide firmly states attacks on nuclear power plants, dams, dykes and hospitals are off limits.
"In order to avoid the release of dangerous forces and consequential severe losses among the civilian population, particular care must be taken during cyber attacks against works and installations containing dangerous forces...as well as installations located in their vicinity," the document states.
"It is nice to have a document that sets out how things like this should be handled, but there will always be radical states and Governments that say, nice document, I'll read it later' and then proceed with the attack they were planning anyway," Maor adds.
In This Article
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now