Vice president and Gartner fellow, Richard Hunter, began the presentation on “How to Prepare for Cyberwar” by musing about the efficiency of the ‘duck and cover’ method employed during the Cold War, employed to help prepare school children for possible nuclear attack. “We are here, right?”, Hunter joked about the plan’s effectiveness. Whether nuclear and cyber threats are equivalent, however, is another question entirely. Regardless of potential impacts, duck and cover will hardly work for a cyber-attack – present or future.
Hunter then amused the audience with a foreboding visual headlined “WE’RE ALL GONNA DIE”, but with one caveat – “but probably not from cyberwar”. The Gartner VP took issue with government officials making recent public statements comparing potential cyberwar with that of nuclear threats. “I cannot imagine a cyber-attack that would kill 100,000 people in an instant”, Hunter countered, adding the long-term effects of a nuclear attack – from a loss-of-life perspective – far outweigh anything possible in today’s digital universe.
“While it is true that cyberwar has come a long way toward being something that is truly worth talking about”, he continued, “the idea that a cyberwar is as dangerous as a nuclear device is something for which the burden of proof does not exist”.
The analyst then defined cyberwarfare using a description from Wikipedia: “politically motivated hacking to conduct sabotage and espionage.” Hunter also highlighted that academic definitions of warfare include mentions of physical attacks against people. “Cyberwar generally doesn’t go into that category at this point in time”, he observed. “What we are seeing now is in fact espionage, national security breaches, incidents of sabotage, denial of service attacks, and assaults against technology supporting key infrastructure.”
Further complicating the situation, he argued, is the lack of a clear distinction at present between “cyberwar” and “cyber-criminality”, as both are seen as “similar threats using similar tools”.
To differentiate between what makes for an act of cyberwar versus cybercrime, fellow Gartner analyst Avivah Litan explained this dividing line depends on the threat actor that initiates the aggression. Hacktivists tend to engage in “crisis” creating situations, such as denial of service attacks, whereas nation-states that conduct cyber operations meant to disable another’s capabilities fall on the cyberwarfare end of the scale.
Cyber-espionage, on the other hand, lies in a somewhat gray area, as it can be conducted by individuals, groups, businesses, and nations. Litan observed that what use to be the problem of tech companies and the defense industry has become a concern across the board. Fears about cyber-espionage are “spreading into almost every sector”, she added.
In their attack phase, both cyberwar and cybercrime are indistinguishable Litian and Hunter argued. An eventual progression to true cyberwar will commence with cyber-attacks, but eventually devolve into responses that include physical violence.
Both analysts then explained how cyber-attacks have progressed over the last decade-plus, demonstrating their increasing sophistication and impact. Some of the examples highlighted included Stuxnet, the Hamas attack against the Israeli stock exchange, and recent DDoS attacks against the US banking sector.
Looking toward the near-term, Hunter was careful not to minimize the potential negative impact more widespread and coordinated cyber-attacks could have in the future on things such as utilities, finance, and public health and welfare. “We haven’t yet seen the kind of mass victimization attacks that are theoretically possible…but this is certainly something that is feasible” over the next few generations of technology development he opined, especially as cybercriminal infrastructures expand their support and data mining technologies become more powerful – and more affordable.
“It is entirely possible that we will move from a nation-to-nation concept of cyberwar to a many-to-many concept of cyberwar”, Hunter warned. “There’s nothing that says that cyberwar, going forward, has to be between nation-states”.
Regardless of how a cyber-attack is characterized, the parties involved, or whether the concept of “mass victimization” comes to fruition, the two analysts provided several recommendations on how to prepare and respond. Litan acknowledged the value in evaluating an attacker’s motivation as a means to identify what assets will need the most protection, but in the end gave a more broad-based warning: “assume it can be anybody coming after anything”.
Hunter specifically said that business continuity management “is the most cost-effective way to identify and plug the holes that mean the most to your enterprise. Business continuity management is the discipline that will lead you to the most important defenses most quickly.”
Litan closed by recommending the creation of a “head of threat intelligence” position within organizations that reports outside of the IT department – a tactic that many of her clients are now implementing. Having this position, she argued, creates a layer of checks and balances, while also drawing decision making around cyber-threat management into the organization’s overall risk management structure.