How big a threat do you think cyber attacks are? The UK government thinks they’re so worrying that they’re rated as a Tier 1 threat – above nuclear, chemical, biological and radiological attacks. Moreover, even in the midst of the biggest public service retrenchment in living history, they’ve allocated an extra £650 million to defending against them. “Attacks in cyberspace”, says the new National Security Strategy, “can have a potentially devastating real-world effect. Government, military, industrial and economic targets, including critical services, could feasibly be disrupted by a capable adversary.”
So how do we protect ourselves? At the RSA information security conference in London on October 14th, keynote speaker Michael Chertoff, co-founder of the Chertoff Group and former US Secretary of Homeland Security, claimed the priority is to establish the rules of engagement. “I’m not saying that you need to respond to virtual attacks with real attacks, but I do think it’s important to define when and how it might be appropriate to respond,” he told the conference. “Everyone needs to understand the rules of the game.” In the same way as MAD (Mutually Assured Destruction) defined the Cold War’s nuclear battlefield – you drop one on us, we’ll drop one on you – cyber war protocols would delineate the tit-for-tat conventions of the age of internet attack.
It sounds good in principle. And if it helps to stave off potentially disastrous attacks it would be an important step. But as Chertoff himself knows, it’s far tougher to regulate hacking than A-bombs.
Firstly, with MAD you knew who the potential attackers were – a handful of other nation states on the other side of a clear ideological divide. With cyber war it can be anyone: criminal organisations, industrial spies, bedroom-based anarchists; all that’s required to be a major power is committed technical experts. Secondly, this is such a mutable field that any protocols would either have to be very wide-ranging, or very vague to deal with the rate of technological change. Thirdly, there are so many ongoing attacks (intelligence agency GCHQ claims there are over 1,000 on UK government systems each month) that determining which ones justify a response is difficult. Chertoff suggests that the point at which action should be taken is when you have a “persistent attack on critical national infrastructures.”
This brings us to the fourth and biggest problem: whodunnit? An industry expert told us: “the fundamental difficulty in establishing a cyber response doctrine is the difficulty of definitive attribution of any cyber attack. A strand of thought is developing that attribution might always be largely impossible without fundamental changes to the structure of the internet, with detailed monitoring of any cross-border traffic.” It’s so easy to hide your tracks online that without an internationally agreed change to the basics of the internet, it will be difficult for governments to respond to attacks in good faith.
Chertoff’s answer is simple: attack the apparent origin of the aggression, even if it later turns out to be a country or company whose computer systems are being used as a pawn by a third party country, company or widely-dispersed hacktivist group. It may not seem fair, but Chertoff believes it might incentivise nations to improve their network security, making it tougher for third-party aggressors to launch attacks through their systems. Chertoff thinks it’s our best option – and a vital one. “This is a real problem,” he says. “If we don’t address this, then one day we’ll have an event so catastrophic that [it will be] difficult to