StatCounter

Thursday, September 18, 2008

The Spectre of Cyber Warfare


Commentary - Executive magazine

Over the summer the spectre of cyber warfare gained international significance, spurred on by reports of cyber attacks that crippled Georgia’s infrastructure in the wake of Russia’s ‘intervention’ in South Ossetia.
Reportedly carried out by nationalistic Russian hackers rather than by the Kremlin itself, the incident has shown how vulnerable a country’s critical national infrastructure (CNI) is to cyber attacks. Even presidential campaigns are open to attack, with senators John McCain and Barack Obama’s systems allegedly hacked into by the Chinese.
The dark side of technology has also come to the attention of the private sector in the Middle East, with a handful of banks in Dubai hit by ATM card theft and fraud in September. Furthermore, cyber crime continues to rise in the region, with some 50 million incidents of hacking against the public and private sectors in March, up from 15 million in December 2007, according to a study by internet security firm Trend Micro.
How seriously Middle Eastern governments are taking cyber crime is difficult to gauge however, particularly in terms of prevention and awareness. Additionally, businesses and governments are reluctant to announce cyber attack incidents to not cause concern to shareholders and the public, while statistics like the one above need to be taken with a pinch of salt as internet security firms have a vested interest in making out that cyber crime is worse than it may actually be.
Nonetheless, last year’s Virtual Criminology Report by NATO, the FBI and other agencies stated that cyber spying is one of the biggest security threats nations face, with 100 countries having experienced some form of cyber warfare. Britain’s secret service, M15, went as far as saying the country was “four meals away from anarchy” if there was a serious interruption to CNI and the distribution of food.
That countries are starting to take the threat seriously was highlighted at a conference I attended in Crete in September organized by the European Network and Information Security Agency (ENISA), which was set up in 2005 to investigate internet security problems and make recommendations for EU member states on how to protect themselves. What struck me was how long the EU has taken to tackle the issue on a collective basis, and that between three to five years are needed for all EU countries to be at a common level of protection. Furthermore, in a speech given by German Member of the European Parliament (MEP) Jorgo Chatzimarkakis, he said he “couldn’t understand politicians who doubt the importance of this endeavour” to tackle cyber crime. ENISA itself was at risk of not even getting established at one point, while few MEPs know much about cyber crime. Meanwhile, a speech by Lord Toby Harris stressed how ambivalent Britain’s political establishment is about information security, with less than 10 out of the 1400 members of the House of Commons and the House of Lords taking a serious interest in the subject. This in a country where six government departments have reported system compromises over the past year, many multiple times, and identity theft is estimated at $3.4 billion a year almost beggars belief. But while the EU is starting to take on the challenge of improving cyber protection for governments, businesses and consumers, the fact that ENISA’s budget is only $11.5 million a year indicates that more needs to be done and for regulations to be enacted.
Naturally, I started to think about how the Middle East is prepared for this phenomenon when so many EU countries are just setting up Computer Emergency Response Teams (CERTs) and Disaster Recovery Plans (DRP). The picture is not overly rosy, with the International Data Corporation estimating that total internet security spending in the region will only touch $9.3 million by 2009, with the UAE, Saudi Arabia, Kuwait, Qatar and Bahrain the top five investors. When you consider that security systems for small networks of 100 computers cost roughly $15,000, and those involving 1,000 computers $30,000, the region’s spending is woefully inadequate to protect CNI and businesses. What is being done on the legal front also needs to be addressed.
For instance, how protected are governments and businesses from cyber attacks when European countries do not have a Data Breach Notification Law? Are there units of law enforcement adequately trained to take on e-crime? And are there Disaster Recovery Plans and CERTs in place for when the seemingly inevitable happens?
Such questions need to be asked as the region gets more connected, and will gain further importance if many Arab countries go ahead with plans to build nuclear power plants (NPPs). After all, a NPP in Baxley, Georgia was shut down for 48 hours in March after a software update was installed on a single computer, and in 2003 a NPP in Ohio had its safety monitoring system disabled by a virus.
National responses to the problem and heightened regional cooperation are undoubtedly necessary to protect CNI and citizens from what is already a global phenomenon that is not going to go away.

1 comment:

Benjamin Wright said...

Paul: You raise data breach notification laws. Most all data in commercial and government systems are "breached" or "exposed" or "compromised" to one degree or another virtually all the time. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. –Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html