An article on the technical blog Ars Technica gives an interesting perspective on cyber war that should be taken into consideration when developing policies for US cyber security. The article, based on a study by Dr. Ian Brown of the Oxford Internet Institute, claims that a pure cyberwar fought entirely in cyberspace is highly unlikely. Current cyber attacks and cyber weapons exploit known vulnerabilities in computer systems. Once an attack has been executed, top security and technical firms begin developing countermeasures to (1) fix the vulnerability and (2) restore currently vulnerable systems. This reduces any ability to reuse a cyber weapon. This isn’t to say that similar techniques can’t be reused to exploit other vulnerabilities, but verbatim reuse of a cyber weapon is almost impossible. Because of this, long-term cyber warfare conducted in cyberspace, the way we think of conventional warfare conducted in physical space, is almost impossible. If a vulnerability has been patched, the only way to execute another attack is to find another flaw in the system. Thus, it would be difficult to maintain frequent and continuous assaults on one system or a set of systems over time.
Keeping this in mind, the real risk of a cyber attack lies in the time frame between when an attack is launched and when the attack is detected and patched. Therefore, subtlety is a cyber criminal’s best friend. The longer an attack can go unnoticed, the more damage it can do. If an attack overtly disrupts a system, it will be detected and resolved much more quickly than if it quietly disrupts a system. Malware such as Flame owes its success to this factor. Flame was identified in May of 2012, but file names of the main malware component were seen as early as December 2007. This means that Flame had at least 5 years to wreak havoc on computer systems.
It is also important to note that the greater risk in a cyber attack is to the systems and information a computer network controls and not to the computer network itself. The development of cyber weapons that disrupt systems such as Iran’s nuclear centrifuges (Stuxnet) is where the threat of cyber attacks really lies. In securing our computer networks, we can also ensure security for the infrastructure in our communications, energy, finance, food, government, health and transport systems.
What, then, do we need to keep in mind in developing cyber security policy? First, deterrence is nearly impossible because of the anonymity individuals can maintain when acting in cyberspace. If you don’t know who is attacking you, it is quite difficult to deter them from doing so. I don’t see this characteristic of cyberspace changing anytime soon either, due to the strong desire to keep the Internet open and decentralized.
The best way to prevent cyber attacks from occurring is by eliminating the opportunity. In other words, software developers need to design flawless systems without significant vulnerabilities that cyber criminals can exploit. It’s nearly impossible to get rid of all vulnerabilities, but requiring a stronger focus on the larger ones would be manageable. This will require changing the nature of software development entirely. If you have ever downloaded a software application from the web, only to find that you have to install ‘updates’ for the application months later, congratulations! You have had first-hand experience of the software industry’s ‘good enough’ mentality. Software developers no longer try to get an application working right the first time. Instead, they unveil a product that works ‘good enough’ and assume that potential problems can be fixed as users detect and report them. Policy needs to be framed around changing this aspect if policymakers ever hope to be able to manage and thwart cyber attacks.
For more info check out.....