Is cyber-warfare really that scary?
- 6 May 2015
- From the section World
On 7 December 1941, Japanese aircraft attacked the American naval base at Pearl Harbor, Hawaii. The attack was surprising, devastating, and drew the US into World War Two.
Sixty years later, US Defence Secretary Leon Panetta has warned of the risk of a "cyber-Pearl Harbor".
Is he right, or is the scale of the problem being overhyped? Four experts spoke to the BBC World Service Inquiry programme.
Robert Lee: Beware the hype
Robert Lee is a US Cyber Warfare Operations Officer, and is studying for a PhD in Cyber Security at King's College London.
"A lot of my research debunks stories. I can't cite them because they're not true. There's a general narrative that horrible things are happening all the time: cyber-war, nation states are crumbling. That's not true.
"If you hear, 'There's been some recent research around aviation and planes are going to be hacked and fall out of the sky,' or, 'People are going to cyber-attack trains and derail them,' that's not realistic.
"Security companies are ramping up the threat. The military's relabelled a lot of things 'cyber-warfare' because they want to get the budget from Congress. Nato and the different alliances ramp up the threat to encourage other countries to invest in security.
"One of the narratives that gets built around critical infrastructure is that we're going to have these cascading power failures; someone's going to break in and very easily take down the power grid. While it's true there's vulnerable infrastructure, you can't just take down the entirety of the power grid from a cyber-capability.
"[And] we all have the same threat. If the US wants to be able to do that against Russia, or China wants to do that against the US, they have to accept their own vulnerability and do things that would impact themselves as well.
"The head of Cyber Command and the head of the National Security Agency say, 'OK, we need to invest in offensive capabilities to be able to secure our critical infrastructure'. Those capabilities trickle down to fringe groups.
"If you developed a cyber-capability that could take down the Chinese power grid, it would be nearly identical to the capability you would need to take down the US power grid. We use the same systems. The hype is forcing us to look into offence, which is exactly what we should not be doing.
"We actually saw a very concerning case recently, where a company said, 'Iran, they're attacking the US hundreds of thousands of times a year'. But they redefined 'attack': they used ways of describing the events in a way that no-one else in the security world support. The way they framed it was very dangerous."
Frederick Kagan: The threat is real
Frederick Kagan is director of the Critical Threats Project at US think tank, the American Enterprise Institute, and wrote the report which Robert Lee described as "dangerous".
"Our report looked at Iranian activities in cyberspace. The Iranians are developing a significant stockpile of cyber-infrastructure that they can use to attack Western infrastructure."
He reviewed data gathered by Norse, a cybersecurity company with millions of sensors around the world which are designed to look like websites for banks, power plants or universities.
"We discovered a number of rather stealthy attempts by some systems based in Iran to identify vulnerabilities in Western systems that would have allowed the Iranians to take full control over those systems if they had been actual systems, and if the attacks had been successful.
"[The] criticism misrepresents our report. We don't anywhere say there were thousands of attacks on industrial control systems. We identify 65 attacks on an industrial control system. We have used the term in accord with standard industry definitions that include collection of information, and not just damaging systems.
"I'm trying not to overhype the cyber-threat. But the reality is that a very skilled and determined attacker who spends a lot of time preparing for an attack can do an enormous amount of damage to our critical infrastructure, and cause a lot of people to die and cause a lot of economic damage and make it very difficult to recover.
"Could we have a massive 'Pearl Harbor' cyber-attack that did a huge amount of damage, and was a surprise? Yes, absolutely.
"The scenarios that keep me up at night are scenarios of miscalculation. There's always this probing around perceived red lines. What do we think we can get away with? In the context of a world that has become incredibly violent, the risk of miscalculation is high."
Heather Harrison Dinniss: How should the law deal with non-physical attacks?
Heather Harrison Dinniss is senior lecturer at the Swedish Defence University who has helped to run cyber-defence war games for Nato.
"There's a broad level of agreement about the rules of cyber-warfare. Pretty much everybody agrees that death or physical injury to persons or damage to property amounts to an attack. For example Stuxnet was the attack against the Iranian Natanz Nuclear Enrichment Facility which caused physical harm to enrichment centrifuges.
"What do you do about data-only attacks such as against Saudi Aramco, where machines are wiped, but there is no physical harm? The computer is still sitting there, but doesn't work anymore. Are you dealing with the use of force, or are you going to deal with it solely as a criminal justice matter?
"When it comes to cyber, because it's such a fluid environment, establishing a red line on escalation isn't going to be helpful. I think at the moment we need to just stick with our general principles on proportionality and responses in that area.
"States tend to play things close to their chest, and aren't going to want to give away what they are capable of. The problem with a cyber-treaty is it's either going to become very outdated very quickly, or you're going to end up with something that is so general that you may as well have just applied the treaties that you already had.
"There are a number of projects that are looking at not establishing red lines per se, but looking at confidence-building measures in cyberspace, and how you deal with situations to stop things spiralling out of control.
"Cyber-warfare has the potential to be incredibly scary. But I don't lie awake at night worrying that there's going to be a cyber-Pearl Harbor. What I think is more likely is espionage and stealing of company secrets. Are we going to see big things go 'boom'? Probably not."
Thomas Rid: Mundane threats more significant
Thomas Rid is professor of security studies at King's College London and the author of Cyber War Will Not Take Place.
"Bringing down electricity grids, crashing airplanes, things like that just don't happen. Instead I think we should talk about the attacks that actually happen, that actually cause a lot of damage.
"[The Saudi Aramco attack] essentially turned their computers into unusable bricks. The oil production was not affected - only the office environment.
"It was sabotage. It's useful to use the word sabotage, because then we don't talk about violence. These are non-violent attacks, yet they have a huge effect. And if we talk about war, then we're always waiting for something big and violent to happen. But effective non-violent sabotage is already happening.
"There's an excess of alarmism already. I don't think we're taking our eyes off the ball by pointing out that we need a little more nuance.
"It shouldn't be underestimated how difficult it is to develop this capability at scale. Yes, only trying to get into one specific hospital is not very difficult. But doing it across London is far more difficult.
"Attacking a control system would be like entering a building, finding the secret engine room, fiddling with the engine, changing its settings - not shutting it down, but changing its settings - so that the engine does something very specific that you want it to do. And doing all of that in a way so the operators of the engine don't recognise what you're doing is actually quite difficult.
"What I'm most worried about is easy attacks against networks, not against the power plants, but against office environments. What if somebody steals data from the NHS, or some other company? That's a more realistic scenario.
"It's doing basic hygiene. It's like brushing your teeth in the morning. It's just so much more exciting to talk about cyber war. The actual conversation that really makes a lot more sense, I'm afraid, is a far more boring one. And that's ultimately part of the problem."