IFP/WKP/FGS(2011)3 MULTI-DISCIPLINARY ISSUES INTERNATIONAL FUTURES PROGRAMME OECD/IFP Project on “Future Global Shocks” “Reducing Systemic Cybersecurity Risk” Peter Sommer, Information Systems and Innovation Group, London School of Economics Ian Brown, Oxford Internet Institute, Oxford University Contact persons: Pierre-Alain Schieb: +33 (0)1 45 24 82 70, [email protected] Anita Gibson: +33 (0)1 45 24 96 27, [email protected] 14th January 2011 This report was written by Peter Sommer and Ian Brown as a contribution to the OECD project ―Future Global Shocks‖. The opinions expressed and arguments employed herein are those of the authors, and do not necessarily reflect the official views of the OECD or of the governments of its member countries. TABLE OF CONTENTS EXECUTIVE SUMMARY ............................................................................................... 6 SYSTEMIC CYBER SECURITY RISK .......................................................................... 9 SYSTEMIC CYBER SECURITY RISK ........................................................................ 10 DESCRIPTION AND HISTORICAL CONTEXT ......................................................... 15 Early days of business and government computing ..................................................... 15 1970s and 1980s: changing patterns of risk ................................................................. 15 Routes to democratisation ............................................................................................ 16 The emergence of the Internet ...................................................................................... 17 Changing business practices ........................................................................................ 20 E-Government .............................................................................................................. 20 Smart Grids and SCADA ............................................................................................. 21 Cloud Computing ......................................................................................................... 22 Complexity / Source Lines of Code / Program Bugs ................................................... 22 Critical Infrastructures: Cyber Elements ...................................................................... 23 Specific Systemic Threats ............................................................................................ 24 Blended attacks ............................................................................................................ 29 Large-scale criminal attacks ......................................................................................... 29 Recreational Hacking ................................................................................................... 31 Hactivism ..................................................................................................................... 31 Large-scale State and Industrial espionage .................................................................. 32 REMEDIES ..................................................................................................................... 34 Remedies: Security Doctrines ...................................................................................... 34 Remedies: System Design ........................................................................................... 35 Remedies: Detective and Preventative ........................................................................ 36 Remedies: Mitigation and Recovery .......................................................................... 39 RISK CHARACTERISATION, INTERLINKAGES AND KNOCK-ON EFFECTS ... 42 3 RISK ANALYSIS AND THE BROADER CONTEXT ................................................. 48 Impact, scope and duration .......................................................................................... 48 Threshold, tipping, trigger and control points .............................................................. 48 Duration Issues ............................................................................................................. 50 LEVEL OF PREPAREDNESS ....................................................................................... 61 Military Responses ....................................................................................................... 61 Civil Contingencies ...................................................................................................... 63 Private sector ................................................................................................................ 65 Policing and Counter-Fraud Responses ....................................................................... 68 Research Responses ..................................................................................................... 69 Legal and Regulatory Approaches ............................................................................... 70 CONCLUSIONS AND RECOMMENDATIONS .......................................................... 81 National Strategies ....................................................................................................... 83 Public Private Partnerships .......................................................................................... 84 International Strategies ................................................................................................. 85 Possible New Technical Measures ............................................................................... 86 Research ....................................................................................................................... 87 Education ...................................................................................................................... 88 REFERENCES .............................................................................................................. 111 Tables Table 1. Types of Malware ...................................................................................... 24 Table 2. Extract from provisions of leading cybercrime laws ................................. 73 Figures Figure 1. Increasing dependence on the Internet ...................................................... 18 Figure 2. Increasing important of the Internet .......................................................... 19 Figure 3. Steps Towards E-Government ................................................................... 21 Figure 4. Critical Infrastructure Inter-Dependencies ................................................ 23 Figure 5. Shape of Disaster Recovery....................................................................... 39 4 Figure 6. Internet Users per 100 Inhabitants 1998-2008 .......................................... 52 Figure 7. Contribution of ICT capital growth to labour productivity growth in market services (1995-2004) .................................................................................................... 54 Figure 8. Enterprises using the Internet to interact with public authorities, by purpose, during 2007, EU27 (%) ................................................................................................ 55 Figure 9. UK Critical National Infrastructure ........................................................... 64 5 EXECUTIVE SUMMARY This report is part of a broader OECD study into ―Future Global Shocks‖, examples of which could include a further failure of the global financial system, large-scale pandemics, escape of toxic substances resulting in wide-spread long-term pollution, and long-term weather or volcanic conditions inhibiting transport links across key intercontinental routes. The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters. Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybsersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact. Successful prolonged cyberattacks need to combine: attack vectors which are not already known to the information security community and thus not reflected in available preventative and detective technologies, so-called zero-day exploits; careful research of the intended targets; methods of concealment both of the attack method and the perpetrators; the ability to produce new attack vectors over a period as current ones are reverse-engineered and thwarted. The recent Stuxnet attack apparently against Iranian nuclear facilities points to the future but also the difficulties.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages121 Page
-
File Size-