The report for the OECD by the London School of Economics and the University of Oxford looked at the potential of cyber-events to cause major disruption and found a tendency towards exaggerated language, an over-reliance on military concepts of war and defence, and plenty of confused thinking.
More likely, a separate event such as a natural disaster would be made worse by a collapse in electronic infrastructure on which a country had come to depend. As to the threat of a cyberwar, this was more likely to reflect a conflict that was also taking place using conventional military means than one happening purely using electronic weapons.
There was also a tendency for governments to conceive of cybersecurity using conventional military assessments of importance.
“We think that a largely military approach to cybersecurity is a mistake,” said report co-author, Dr Ian Brown, of the Oxford Internet Institute at the University of Oxford. “Most targets in the critical national infrastructure of communications, energy, finance, food, government, health, transport, and water are in the private sector.”
The biggest national disruption would be to civilian and private sector assets beyond the protective ring of military cybersecurity. In some cases this might be made worse by governments outsourcing services to private sector organisations, the report suggests.
As to the infamous US “kill switch” proposal, the authors are deeply sceptical.
“In the very simplest sense the Internet cannot really be switched off because it has no centre,” the report notes. “In most emergencies you would want to give priority to doctors, but most doctors and their surgeries use the same downstream Internet facilities as the bulk of the population and there would be no easy way to identify them. Localised Internet switch-off is likely to have significant unwanted consequences.”
Governments should look to protect citizens and not just government assets, the authors recommend. More effort also needs to be made to create international computer emergency response teams (CERTs) that can have a better view of unfolding events than today’s mostly national agencies.
None of this was being made easier by confused terminology which rolls any cyber-security event – whether a criminal Trojan attack, a “hacktivist” DDoS or a malware event such as the possibly targeted Stuxnet attack on Iran – into a single set of statistics.
Small-scale events could turn out to be highly significant but risked being drowned out by information overload.
Much of the report spells out generalised and sometimes obvious points for policy makers. Cybersecurity represents an issue that requires planning and attention and should not be ignored.
Perhaps, however, the biggest worry the authors point to is simply the way other disasters of the future could be made worse in the event that information systems cannot cope. Once, such events would have been dealt with on the ground using slower but possibly more robust lines of communication and response. The world’s growing reliance on the Internet requires a fallback in the event that it fails.