August 2011

Just because your CEO doesn’t walk around in combat trousers it doesn’t mean your company won’t be a target in a cyber war, says Martin Jordan.

Growing up in Northern Ireland, my first experience of war occurred around the age of seven when my father’s chip shop on the Springfield Road, Belfast, was destroyed by a blast bomb; homemade explosives ignited with a cordite fuse.

We put the incident down to the quality of my dad’s curry sauce, and rebuilt. By the time I was 12, advanced hand-soldered, radio-controlled detonators and Semtex had taken precedence and a game of cat and mouse ensued across the airwaves of Northern Ireland.

Fast-forward to the present day and we can observe similar yet more evolved methods in Afghanistan, where consumer electronics such as mobile phones are being used to detonate IEDs.

Ultimately, technology is advancing at an exponential rate while, at the same time, its influence on global conflict is becoming ever more prominent. With these trends in mind, to ignore the threat of weaponised code in the prosecution of cyber wars would be rather naïve.

Disposable PCs

The next generation of wars, War 3.0, will have a greater impact upon the civilian population of the western world than current kinetic wars. With a $100 disposable computer a sole aggressor can reach into the heart of a nation from anywhere on the planet.

For the majority of us, our exposure to war is derived from images and reports in the media as opposed to first-hand experience. Our appetite for war may well quickly wane if a disrupted fuel supply keeps doctors and nurses at home, or crippled market trading systems hamstring the economy.

This low cost of entry will also afford both individuals and nations the ability to punch well above their weight. It will further enable countries to reduce their reliance on dated, Soviet-era heavy iron, and instead develop an in-house offensive capability where the imagination and skill of the developer are the only limitations.

Stock exchanges will be taken offline and intellectual property stolen, resulting in the erosion of a nation’s economic competiveness whilst simultaneously raising questions over its ability to offer a safe and reliable environment from which to conduct business.

War 3.0 will allow nations to track and monitor dissidents abroad via online utility bills, mobile phone messages, free mail accounts and the many other trappings of the modern connected lifestyle.

Rogue states and terrorists will be able to conduct guerrilla warfare across the world’s computer networks, hopping from ISP to ISP in an instant. Countries on the edge of US tolerance will become safe havens for rogue ISPs, facilitating large capacity internet pipes available for questionable use.

Returning to the present, evidence shows that the attacks of today are very rarely physically destructive; their effects tend to be more subtle, with espionage and network reconnaissance as the main motive. Surprisingly, despite this motivation most attackers do not bother to cover their tracks.

Over 10 years ago, I recall watching an attack on a European car company from a Japanese competitor who did little to hide their source IP address. Most people are not naïve enough to believe that the internet offers anonymity, but on an international level it certainly offers a level of deniability and immunity from prosecution.

Secret stealing

In recent months several advanced and persistent attempts to steal military and economic secrets from the US by nations or persons unknown have come to light.

One by one, reports of RSA-related and other breaches have emerged at a number of US establishments. Given the sophistication of these attacks we can now say with confidence that the enemy is truly inside the wire. This should worry us for two reasons.

Firstly, the US has long been an ally to the UK and one of our closest relations in terms of the global economy. As such, an attack across the Atlantic is in some ways an attack on the UK by proxy, at the very least the UK is affected by the collateral damage.

We have enormous economic relationships with our cousins, and the US is still our single largest export market. We only have to look at the sub-prime crisis for an example of how trouble in the US affects the global economy.

The second, and most significant reason, concerns the fact that the US takes neither breaches of National Security, nor challenges to its national boundaries, cyber or physical, lying down. Those nations and individuals that feel they can operate with impunity are in for a shock; the US executive enforcement agencies have a long reach and heavy fist.

Were a serious cyber attack to be launched on the US from within the UK, a military retaliation is unlikely, but the damage to longstanding political, economic and security relationships could be severe.

American rhetoric on recent attacks is strengthening and one can feel a growing sense of impatience on Capitol Hill. Obama’s recent strategy document, International Strategy for Cyberspace (May 2011), states, ‘The United States will defend its networks, whether the threat comes from terrorists, cybercriminals or states and their proxies.’

Missile strikes

Just to clear up any ambiguity that may remain from that document, an unnamed pentagon source told the Wall Street Journal, ‘If you shut down our power grid, maybe we will put a missile down one of your smokestacks.’

It’s clear that many nations, as well as militant organisations, already hold and are further developing cyber war capabilities at various levels.

As a nation we need to invest heavily in non-kinetic weapons, including offensive code and defensive networks early, or run the risk of being left vulnerable as the internet comes to increasingly resemble a battlefield. This can be achieved through participation, consultation and sponsorship across government, industry and education.

Our offensive capability must be innovative and replicate the military advantage afforded by the development of the longbow; a cheap, highly mobile weapon, capable in its day of penetrating charging French heavy horse at a distance, a weapon that massively increased our capability at little cost.

Our defensive capability must be part of the fabric of the UK. Just because your CEO does not walk around in combat fatigues, does not mean your company will not be targeted.

With a myriad of outsourced suppliers, conjoined networks and outsourced security contracts, most companies would find it difficult to testify that every piece of active code on their network is authorised, understood and benign.

Oh, and by the way, my dad made the best curried chips in Belfast.