How a 'Perfect' Tech Security Storm Could Strike
A question often asked is why terrorists haven't yet brought down the Internet. The answer is simple: They don't want to. It's too much hard work and, even if it were achieved, it would cause more annoyance than chaos. It would probably be temporary too; few cyber attacks last more than a few hours.
Above all, keeping a few million teenagers off Facebook is hardly going to make the president wish he'd taken a personal day. Some online businesses would be disrupted, but if they're fatally wounded from being offline for an hour or two, then there's no hope for them.
That we have nothing to fear from cyber attacks is a view confirmed by a new report from the Organization for Economic Cooperation and Development (OECD), which--as part of a study into "Future Global Shocks"--has suggested that no single cyber-related event could ever be on the same scale as a pandemic, natural disaster, or a failure of the global financial system.
The report is available here as a PDF file.
However, the report authors point out that things could get a little sticky should a natural disaster happen at the same time as a cyber-related event. For example, coordinating ground troops after an earthquake might be made difficult if the satellite network is brought down via a virus.
Of the major threats that we should be worrying about, the report splits into two categories what it calls "catastrophic cyber-related events." The first is a successful attack on the technical protocols on which the Internet runs. The second is acts of God such as a large-scale solar flare that physically destroys key hardware--including satellites, which aren't easily replaced.
An attack on the Internet protocols would involve hackers finding and exploiting a flaw in one of the existing protocols that run the Internet, such as the Internet Protocol (IP) or the Border Gateway Protocol (BGP). The problem wouldn't be finding a solution. The headache would come from implementing one, because virtually all Internet-connected hardware and software would have to be updated. The time taken to do so is where the disruption and loss would occur, and is therefore where the cyber terrorists would win.
As for acts of God, it's been known for some time that "space weather" such as solar flares and cosmic rays is a danger to electronic equipment. Precautions have been taken, but there's little guarding against a major storm occurring.
Every other kind of cyber attack, the report says, is likely to be short term. That includes malware, distributed denial of service (DDoS) attacks, criminal activity, and hacking.
As for the possibility of cyberwar, the report is equally withering, and is critical of those who claim that examples of cyber espionage mean we're at a tipping point.
The report points out that most key systems are very well protected, vastly increasing the effort required by attackers to produce any result. Again, attackers would have to spot a unique weakness--a chink in the armour--that would then need to be targeted. Because of this, the report suggests that cyberwar would be like an army limiting itself to "one class of weaponry."
However, discussing current trends, the report suggests that relying on government Web portals for dissemination of information and the collection of data is where trouble might be lying in store.
It's not hard to imagine why. Let's say there's a viral pandemic. Treatment is free, courtesy of the government, but you must fill out a form online. With so many people suddenly putting strain on government computers, would they be able to cope? Especially if the "perfect storm" of a cyber attack happened at the same time?
What if, as is increasingly common, a third party rather than a government agency runs those services? Faced with such sudden, huge demand, the third party would quickly need to acquire masses of network infrastructure--a logistical nightmare, but also a financial one, because the company did not budget for such demand. If they decided to simply give up, what would happen to the vital services they provide? No doubt the government would step in, but how quickly could it do so in a panic situation?
And, of course, the report is wary of the trend towards cloud computing. If the Internet is taken down, the cloud dies.
Virtually every major western nation is signed up to the OECD, so we have to hope that this report lands on the desks of the right people, and some action is taken (or at least that debate takes place).
However, despite its calm reassurances, the report might cause a shiver down the spine of anybody who realizes how much we've come to rely on Web infrastructure.
Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas.