Cyber War – the facts

Ian Glover, President of CREST talks Cyber War, Government and what business can do to protect itself.  

How likely is that a company could find itself and its systems in the firing line if some kind of cyber war happened?

“Cyber war” is a very overworked and not very specific term. Undoubtedly, if there was a war then cyber in many different forms would be an increasingly important element. There would be attempts to intercept, interrupt and interpret communications as there always has been; but these would be much more technical in nature and far more widespread.

Again, should there be a war then social media would have a very significant part to play in propaganda, confusion and attempts to change public and World perceptions.

In war, attacks on infrastructure have always been prevalent. Disruption to critical services undoubtedly has an impact on a nations’ ability to function and defend itself. Given the nature of critical national infrastructure and its dependence on technology and communications infrastructure, the idea of attacking these assets via cyber is very real and has the benefit of being possible from remote locations.

Moving down to more traditional businesses, if they are a supplier to defence or critical national infrastructure then they would be targets in this type of scenario. These supply chains are very deep and therefore include a surprising number of companies. It would seem possible, but unlikely, that other businesses, could be drawn into a conflict, as any disruption to business would have a disabling affect. In fact, the risk of this type of disabling through fear of attacks would probably have a greater impact.

If we are not talking about war, but lesser forms of state sponsored attack, then the same scenarios already described would apply, but probably with a need for anonymity by the attacker.

Are boards and execs aware of the risks?

Boards are becoming much more aware of cyber facilitated crime and the theft of data, particularly given the amount of coverage these types of attacks attract. Not all necessarily understand the part that they might play in warfare or state sponsored attacks. Those that form part of the critical national infrastructure or are in the supply chain for infrastructure and defence services are certainly being actively encouraged to take cyber security more seriously with cyber security assurance requirements forming an increasing part of procurement processes right through the supply chain.

This is starting with basic cyber security hygiene through schemes like Cyber Essentials. These schemes are designed to provide protection at a very basic level from simple unsophisticated attacks. These are the minimum requirements for all businesses to take appropriate steps to protect themselves. Organisations with a higher risk profile, i.e. those more likely to be attacked, those holding personal or financial information or with IPR to protect, will have to do more to protect themselves against sophisticated attacks from well financed and resourced attackers. The same will apply to their supply chains.

At the higher levels where critical services need to be protected, industry, government and regulators are working together to create schemes that provide much higher levels of assurance against attacks and also test the ability of those organisations to detect, react and recover from such attacks.

What can they do to make sure they have the right levels of protection?

Organisations must assess the risks to their business and make sure that they have the internal skills or know-how to procure expert advice to design, manage and test their ability to protect themselves. They must also look at a wider context. Whilst they might not view themselves as a legitimate target, they must consider whether they would be a soft target to get to the next stage in a supply chain.

Are they doing enough (or indeed, is it possible to do enough?

Government is definitely trying to support business by working with the cyber security industry to roll out programmes to raise the level of basic cyber security hygiene. Industry should be adopting these good practices in much larger numbers than they are currently. Larger businesses are starting to realise the risks that they are running by not having in place appropriate cyber security controls. Some of the most recent attacks would have been stopped by having basic cyber security hygiene controls in place. If organisations are breached by these simple attacks their ability to protect themselves against more sophisticated attacks must be questioned. This is not however the case for all businesses and many have invested in appropriate levels of controls and have their defences tested through regular penetration testing and their ability to detect, respond and recover from attacks assessed.

At the critical level, some regulators are doing extremely good work, but this needs to be expanded to encompass all aspects of the critical national infrastructure.

Cyber warfare is not introducing new concepts but the use of cyber is opening up new channels of attack and presenting new challenges.

Ian Glover

President of CREST www.crest-approved.org

 

 

Arrange a Conversation 

Browse

Article by channel:

Read more articles tagged: Cyber Security, Featured