OECD report outlines risks of cyber warfare

But governments need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate, said the study by Peter Sommer, visiting professor at the London School of Economics, and Ian Brown of the Oxford Internet Institute, University of Oxford.

There are significant and growing risks of localised misery and loss as a result of compromised computer and telecommunications services. Reliable internet and other computer facilities are essential in recovering from large-scale disasters, the report said.

The study concludes it is highly unlikely there will ever be a pure cyber war fought solely in cyberspace with equivalent effects to recent wars in Afghanistan, the Balkans or the Middle East.

A true cyberwar, say the reports authors, is an event with the characteristics of conventional war but fought exclusively in cyberspace.

This is unlikely because many critical computer systems are protected against known exploits and malware, so designers of new cyberweapons have to identify new weaknesses and exploits. The effects of cyberattacks are also difficult to predict – on one hand they may be less powerful than hoped, but may also have more extensive outcomes arising from the interconnectedness of systems, resulting in unwanted damage to perpetrators and their allies. More importantly, there is no strategic reason why any aggressor would limit themselves to one class of weaponry.

"We don't help ourselves using 'cyberwar' to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks, nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure", said Sommer.

The study found that many "cyber" risks are real, but it is important to test each one to understand all elements required before a potential threat causes real damage.

"This type of careful analysis helps us understand what we should really worry about and points the way to remedies", said Sommer.

According to the report, the best protections are careful system design, the use of products to detect known viruses and system intrusions and user-education. It is also essential to have proper contingency plans for system recovery.

"We think a largely military approach to cybersecurity is a mistake", said Brown.

Most targets in the critical national infrastructure, and because it is often difficult to be certain who is attacking from cyberspace, defence by deterrence does not work, he said.

"That said, cyberweaponry in all its forms will play a key role alongside more conventional and psychological attacks by nation states in future warfare", said Brown.

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?