Apparently plausible cyber-scare stories hit the national press at the rate of about two or three a month. There are reports of actual attacks, crimes and data breaches, alongside announcements and predictions from government officials, law enforcement, academics and, less plausibly, people wanting to sell security products and services. How do you evaluate them? How afraid should you be? For the media and marketers, the scarier the better. But for the average person or business with systems to protect, the question is: “How little do I have to do and still stay safe?” A few basic points about how cyber attacks really work can help to answer it.
Our world is heavily dependent on reliable computer systems, communications and data. There is no longer any real distinction between our “cyber” selves and the rest of our lives. So our anxiety about cybercrime is fully justified. But bear in mind that most computer disasters (unintended or deliberate) are caused by poor design, inadequate testing, flawed upgrades, clumsy management and human error.
Most media reports of cyber incidents are, in their early stages, incomplete and inaccurate. When assessing a cybercrime incident, the mundane explanation is far more often true than the exotic. Most cyber-attackers use already-known methods, which means that detective, preventative and mitigating remedies usually already exist: malware and intrusion detection software, firewalls and, for Distributed Denial of Service attacks (which try to overwhelm a computer system with traffic and so disable a service), facilities that can absorb the load by expanding capacity.
Attacks often have a strong social engineering component, tricking the unwary user into downloading code which gives control to an external perpetrator. Never underestimate the possibility of the insider – a corrupted employee or an injected covert operative.
You need three things for a successful attack: first, code capable of delivering a payload (the harmful component of malware) so as to cause damage or open a backdoor for later exploitation; second, a means of getting it to your target without premature detection; and third, detailed knowledge of your target. The more complex and sophisticated the targeted computer system, the more likely it is to have backups and recovery plans, and the harder it becomes for the attacker to acquire accurate and complete intelligence. In the case of Stuxnet, the famous worm discovered in 2010 that aimed to slow down Iran’s nuclear centrifuge programme, the research had to include testing weaknesses in how the centrifuges themselves worked.
A weapon, cyber weaponry included, is not merely something destructive. The deployer wants certainty not only of success but also that the outcome will not cause unwanted damage to themselves or their allies. The real danger of a major attack is that its effects escape the attacker’s control, cascading into other systems with unpredictable consequences.
Cyber attacks don’t take place simply because someone has the technical capability. There is nearly always a motive and an ambition – to get publicity for a cause, to send a warning signal to an opponent of future action, to promote disruption, to raise funds via extortion – and only sometimes to cause real damage. The ambitions are best understood in a wider political context – history, ideology, religion, disputes over land and access to resources.
Which brings us to the problem of attribution. Disguising the source of an attack is trivially easy, because at any one time there are, worldwide, millions of poorly secured computers that can be taken over and used as the apparent origin of an attack. Even the more sophisticated test, “this attack code has specific characteristics”, is unreliable, because hackers borrow code from one another. Attribution has to take motivation into account, and that makes it as much an art as a science. Be wary of any near-instant attribution that is over-confident and “definitive”.
Statistics need careful scrutiny. How do you define an “attack”? An email purportedly from a bank you have never heard of, asking you to “update your details”, is technically an attempted fraud worth whatever is in your bank accounts, except that you ignore it. So what is the threshold at which we call something an attack? Do we count malware that is routinely thrown out by anti-virus software?
Cyber attacks and cybercrimes are real enough, but the person who has to devise a security policy, whether for a nation state, a business or for personal use, needs a strong dose of sobriety.
Professor Peter Sommer is an academic working in public policy and as an expert witness