The road to war 2.0

13th November 2007 [PC Pro]

The UK is ultracoy about its deployment of cyber skulduggery, claiming it concentrates on defence and penetration testing, but experts say anyone who believes a leading country has no information weaponry is deluded. "Testing capabilities have a dual purpose of being used against an adversary in time of conflict," says Sami Saydjari, a former Pentagon security expert and CEO of the Cyber Defense Agency. "Taking out a system is just one weapon. There are also confidentiality (stealing secrets) and integrity attacks (altering data to affect decision-making). You can assume an organisation would use the full spectrum to help accomplish its mission."

"In the US, we have massive take-out capabilities," agrees Winn Schwartau, security consultant and author of Information Warfare. "The Chinese could shut down major portions of the US infrastructure. You have to think about what's to their best advantage and, clearly, open cyberwarfare isn't in their interests."

While politicians tip-toe around with diplomatic half-truths and deny any snooping, military leaders are less coy about developing e-weaponry. According to the gung-ho Wynne of the US Air Force: "Cyberspace can have both offensive and defensive components. Red Flag exercises, or attack teams, will also become a staple of cyberwarfare. The defensive nature of cyberwarfare refers to protecting the ability to conduct offensive operations - not the more common view of defence as information assurance."

Invisible attack

Unlike conventional warfare, a well-implemented cyberattack is virtually untraceable. Estonia might have pointed the finger at Russia, but it couldn't prove a thing. "The problem with cyberwarfare is that there's so much ambiguity," says Libicki. "Yes, the traffic came from Russia, but it's impossible to say whether it was ordered by Putin, a bureaucrat without his knowledge or done by college kids. It could even be that it was a Russian billionaire sucking up to the Kremlin."

Estonia aside, there have been very few recorded attacks on civilian targets - which makes a refreshing change from conventional weaponry - but the situation could change as terror groups and rogue states adopt more sophisticated techniques.

"The biggest concern has to be remote attacks on non-IT infrastructure, the banking, financial and power infrastructures, and of those it's the power infrastructure that's most vulnerable," says Saydjari. "The power companies don't have the financial clout of the banking sectors, and the SCADA system that controls the power grid isn't up to scratch. There's no intruder-detection system, which is very bad considering it controls the power and many other civil installations."

The National Grid declined to comment on this issue directly, but stressed its commitment to security. "We don't discuss the fine detail of our security arrangements," a spokesperson says. "We take the security of our people and assets extremely seriously, and we work closely with the government and security services."

The biggest problem for both the government and utility companies is identifying where the attacks might come from. In reality, it's anyone with enough cash. "You'd need about half a billion dollars, enough to buy some networks, some software and an experienced team," says Saydjari. "You'd need to get some insiders in, but that isn't difficult: it would just take three to five years. Half a billion could be mustered by any small nation, and even some terror groups."
