Earlier this week I ran into an article by my friend Raf Los (Wh1t3rabbit) titled “Cyber War - Fact from Fiction in the shadow of the Tallinn Manual” discussing, among other things, whether attacks such as Stuxnet and Flame can be considered cyberwar or not. The question is important from a legal perspective because, in our democracies, parliaments have to be involved before a government can declare war.
I responded to Raf by putting a comment on his blog, pointing out that, from a practical perspective, whether this is cyberwar or not is irrelevant. The technology has disrupted Iran’s manufacturing of radioactive material.
Above all, what Stuxnet and Flame demonstrate is an escalation in the technologies used to disrupt operations. And both have been discovered because people have looked out for them. What other, even more advanced, technologies are out there that we do not know of? Who is controlling them and are we absolutely sure they are fully under control?
Although I could not find it online, I remember a short Charlie Chaplin film where he is instructed to fire a cannon — a cannon that keeps following him, shooting in his direction. Let me use this as an analogy. Could any of these sophisticated hacking tools backfire? Remember, in April 2010, 15% of the global internet traffic was hijacked by China. How many CIOs are keeping these incidents in the back of their mind when planning their enterprise security?
Indeed, we increasingly rely on cloud computing. In particular, public cloud is seen as the future for many services. The availability of the Internet is taken for granted. But what happens if the Internet grinds to a halt because of massive attacks or hijacking?
Fundamentally, we should ask ourselves two questions:
Do we have the technologies to stop propagating any threat within our IT systems?
Can we continue to operate without Internet access, at least for a period of time?
The Internet is a globally distributed network comprising many voluntarily interconnected autonomous networks, says Wikipedia. It operates without a central governing body. In 2005 the Internet Governance Forum (IGF) was established to open an ongoing, non-binding conversation among multiple stakeholders about the future of Internet governance. In other words, the Internet is wide open and could be disrupted massively for political or financial reasons. We should keep that in mind.
You will probably react by telling me I’m paranoid. Frankly I’m not, but I find it important that we think through extreme scenarios to ensure we keep our key information and processes safe. This is all about scenario planning. So, in your mind, what is the risk that such a scenario ever takes place? If you feel it’s a possibility, even a remote one, review your operations and assess how resilient they are. In other words, how long do you think your enterprise will be able to continue to operate without international internet access, for example? Is the time adequate in your mind? What could you do to become more resilient? These are the questions you should ask yourself. They will help you identify the vulnerabilities in your IT operations and address them. Even if the extreme scenario you used to identify them never materializes, it will help you be prepared in case of a cloud outage, partial internet unavailability or other dysfunctions. How are you making sure your environment stays safe?