OECD warns of cyber attack 'perfect storm'

Report says that cyber attacks alone are unlikely to threaten national infrastructures unless used in tandem with other military tactics

by Michael Smith (Veshengro)

A cyber attack could devastate critical national infrastructures, a recent report has warned, but only when used in combination with other disasters or military attacks.

The 'Future Global Shocks' study, published by the Organisation for Economic Co-operation and Development (OECD) on Monday, says that few cyber attacks will have the potential to cause a 'global shock'. Events that do have such potential include global pandemics and the 2007 to 2010 financial crisis.

“Few single foreseeable cyber-related events have the capacity to propagate onwards and become a full-scale 'global shock',” wrote authors Peter Sommer, of the London School of Economics, and Ian Brown, of Oxford University. “What should concern policy makers are combinations of events – two different cyber events occurring at the same time, or a cyber event taking place during some other form of disaster or attack,” the report reads. “In that eventuality, perfect storm conditions could exist.”

The document, however, does state that cyber attacks will become commonplace in military tactics. It is unlikely that wars will be fought entirely in cyber space though, it claims. “Cyber weaponry will play a key role alongside more conventional and psychological attacks by nation states in future warfare”. The OECD report highlights Georgia's war with South Ossettia in 2008, which saw widespread disruption of Internet traffic, as an example of this.

“In nearly all future wars as well as the skirmishes that precede them policymakers must expect the use of cyber weaponry as a disruptor or force multiplier, deployed in conjunction with more conventional kinetic weaponry," the report concludes. "Cyber weaponry of many degrees of force will also be increasingly deployed and with increasing effect by ideological activists of all persuasions and interests.”

Regardless of whether or not a cyber attack can develop into a 'global shock', the OECD report advises national governments to begin investing in cyber defences. This can already be seen in the UK, where the government recently announced it would be investing £650 million into cyber security measures over the next four years.

Much of the debate in 2010 surrounding how cyber attacks can disrupt national infrastructure focused on Stuxnet. The virus was deemed significant due to its complexity and the specificity of its target - it was only found to have attacked centrifuges at an Iranian nuclear plant.

An article published in the New York Times claims that Stuxnet was previously tested at Israel's Dimona nuclear complex. The article strongly implies that both the US and Israel were behind the development of the virus.

The virus reportedly works by causing Siemens-manufactured centrifuges to spin wildly out of control, causing them to self-destruct. Simultaneously, it feeds back erroneous reports to the equipment's operators, which falsely claims the centrifuges are operating as normal.

Iranian President Mahmoud Ahmadinejad claimed that the virus caused no damage to the country's nuclear programme. Sources in Israel however say Stuxnet has delayed the country's Uranium enrichment projects by five years.

I believe that it is dangerous to assume that cyber attacks alone could not disrupt, cripple or even destroy parts of a nation's critical infrastructure, from water supply, electricity and gas supply to communications.

In most cases it would not take much, to be perfectly frank, as too much of the infrastructure is entirely computer controlled and if a cyber attack should make it feasible to lock out the manual override then the proverbial would certainly hit the air moving device at some speed.

While I am no Luddite and use computers all the time for my work and for communication I find reliance on computer controls – solely computer control – a serious problem.

All it requires is to hit say the computers that control the national power grid or even the generating plants hard enough with a virus or a denial of service attack and the lights go out in the country.

In the UK we have seen what a normal failure of two power stations could have on the national electricity supply to the country and all that it requires is to cripple tow or three stations and the grid will collapse. Add to that a cycber lock out and the country will be in the dark, period, for a while. This could then be used to launch a more conventional military attack on the country or even a multiple-location terrorism attack. The services would be unable to respond.

Let's get some manual control back into our lives and our critical infrastructure so that, should attacks happen a crew of operators can take manual control and run the systems, whether power grid, water supply or trains, etc. to protect ourselves from a takeover. To that degree we best also take back our utilities and communications in house, away from foreign companies, and, ideally, back into state control.

© 2011