Systemic cybersecurity risk


Presentation to OECD project group on Global Risk. Expanded version presented to British Computer Society, Deutsche Bank and University of Southern Denmark.

  • 1. Cyber(in)security: systemic risks and responses. Dr Ian Brown, Oxford University

  • 2. Non-systemic risks
      - Cyber graffiti: defacement of Web sites for propaganda and bragging
      - Cyber fraud: so far largely containable within financial system (low $bns)
      - Terrorists get better returns from much simpler methods such as car bombs. Cyber terror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute. (Dr Juliette Bird, NATO)

  • 3. Cybercriminals and patriots
      - Market participants: custom virus writers, bot herders, mafias
      - Nation state attacks (Estonia, Georgia): how far were patriotic hackers coordinated by state?

  • 4. Pure cyber war
      - "The Korean cyber incidents were annoying and for some agencies, embarrassing, but there was no violence or destruction... Cybercrime does not rise to the level of an act of war, even when there is state complicity, nor does espionage [which] are the activities that currently dominate cyber conflict... Estonia and Georgia came under limited cyber attack as part of larger conflicts with Russia, but in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services." (Lewis, 2009: 23)
      - "At best, these operations can confuse and frustrate operators of military systems, and then only temporarily. Thus, cyberwar can only be a support function for other elements of warfare" (Libicki, 2009: xiv-xv)

  • 5. Cyber espionage/sabotage
      - TITAN RAIN: Incursions into DoD, German Chancellery, Whitehall, NASA, Lockheed Martin
      - Google attack aimed at high-tech information to jump-start China's economy and the political information to ensure the survival of the regime (James Lewis)
      - "[I] listened and lip-synced to Lady Gaga's Telephone while exfiltrating possibly the largest data spillage in American history" - SPC Bradley Manning
      - Stuxnet/Flame/DuQu

  • 6. US offensive operations
      - 231 offensive ops in 2011 to manipulate, disrupt, deny, degrade, or destroy information resident in computers or computer networks, or the computers and networks themselves
      - $652m project GENIE to place tens of thousands of covert implants each year in computers, routers & firewalls through equipment interception, access, and hacking (TAO)
      - TURBINE can manage millions of implants for intelligence gathering and active attack

  • 7. Implants in the supply chain

  • 8. NSA/CIA/FBI/DoD Trusted Partners
      - Bloomberg 14/6/13: Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence
      - Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge's order if it were done in the U.S.

  • 9. NSA partners

  • 10. How can the democracies
      - Design and execute strategic responses that carefully target threats, avoiding where possible tactical arms races?
      - Get the best return on their security investment?
      - Enhance the soft power potential of the Internet as a platform for democracy?

  • 11. Strategic goals
      - Availability & integrity of critical services (CNI)
      - Protection of confidential information
      - Manageable levels of fraud
      - all in cost-effective form, where costs include inconvenience, enhancement of fear, negative economic impacts & reduction of liberties (John Mueller, The quixotic quest for invulnerability, 2008)

  • 12. Counter-terrorism and mass surveillance
      - ~5000 Americans surveilled under Presidential Surveillance Programme 2001-2005; led to