The primary difficulty of cyber security isn’t technology – it’s policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace’s many security challenges, so it’s important to understand them all before any one of them can be solved.
The list of bad actors in cyberspace is long, and spans a wide range of motives and capabilities. At the extreme end there’s cyber war: destructive actions by governments during a war. When government policymakers like David Omand think of cyber-attacks, that’s what comes to mind. Cyber war is conducted by capable and well-funded groups and involves military operations against both military and civilian targets. Along much the same lines are non-nation state actors who conduct terrorist operations. Although less capable and well-funded, they are often talked about in the same breath as true cyber war.
Much more common are the domestic and international criminals who run the gamut from lone individuals to organised crime. They can be very capable and well-funded and will continue to inflict significant economic damage.
Threats from peacetime governments have been seen increasingly in the news. The U.S. worries about Chinese espionage against Western targets, and we’re also seeing U.S. surveillance of pretty much everyone in the world, including Americans inside the U.S. The National Security Agency (NSA) is probably the most capable and well-funded espionage organisation in the world, and we’re still learning about the full extent of its sometimes illegal operations.
Hacktivists are a different threat. Their actions range from internet-age acts of civil disobedience to the inflicting of actual damage. This is hard to generalise about because the individuals and groups in this category vary so much in skill, funding and motivation. Hackers falling under the “anonymous” aegis – it really isn’t correct to call them a group – come under this category, as does Wikileaks. Most of these attackers are outside the organisation, although whistleblowing – the civil disobedience of the information age – generally involves insiders like Edward Snowden.
This list of potential network attackers isn’t exhaustive. Depending on who you are and what your organisation does, you might be also concerned with espionage cyber-attacks by the media, rival corporations or even the corporations we entrust with our data.
The issue here, and why it affects policy, is that protecting against these various threats can lead to contradictory requirements. In the U.S., the NSA’s post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organisation. The NSA’s need to protect its own information systems from outside attack opened it up to attacks from within. Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying? European countries may condemn the U.S. for spying on its own citizens, but do they do the same thing?
All these questions are especially difficult because military and security organisations along with corporations tend to hype particular threats. For example, cyber war and cyberterrorism are greatly overblown as threats – because they result in massive government programmes with huge budgets and power – while cybercrime is largely downplayed.
We need greater transparency, oversight and accountability on both the government and corporate sides before we can move forward. With the secrecy that surrounds cyber-attack and cyberdefence it’s hard to be optimistic.
By Bruce Schneier