But hold on a minute – are we now in danger of overhyping all of this?
Recently I spent a day at a conference listening to some very clever people discuss these issues in grave terms. I can’t name them because the meeting took place under the Chatham House rule, but suffice to say they included a number of those responsible at the highest level for protecting Britain from cyber threats, in both the public and private sectors.
They all seemed terribly worried but as I looked round the room I realised that just about everybody had some interest in promoting the problem. The public sector people, facing big cuts in their budgets, had found something that the Treasury seemed prepared to fund, even as the rest of the defence budget went south.
The private sector executives know that billions of pounds worth of contracts are being handed out as countries try to shore up their cyber-defences and naturally they want their share. And yes, even I had a motive for talking up cyber terror – it does make for a good headlines.
But after a morning listening to thousands of words about the scale of the threat, the new government structures designed to protect our national infrastructure, and the way the private sector could feed into that process. I was left somewhat bemused.
Yes, there’s evidence that criminals are launching attacks on banks and other private sector businesses, that consumers are suffering from the effects of cybercrime, and that poor security is allowing government secrets to flood out onto the internet. But where is this cyber terror or indeed warfare?
Everyone latched onto the Stuxnet incident – “if it was done to them, they could do it to us” the cry went up. But it became evident that nobody quite understood what had happened in Iran and whether it really was a symptom of a wider threat.
But there was a sober voice at the meeting, a man who had been studying the evidence of the nature of cyber threats. The danger of cyber terrorism, he told us, seemed limited. Terrorists got more publicity from a car bomb than from taking down a computer network, which was a complex operation to mount.
And many of the incidents referred to as cyberwarfare were “nothing of the sort”. He pointed to the attacks on Estonia, on Georgia and South Korea, and quoted American officials describing them as “annoying and embarrassing”, rather than really damaging. After all, they had caused no casualties or loss of territory. Cyberwarfare, it seemed, could only be a “support function”, rather than a primary weapon.
After hearing this measured assessment, we moved straight on to a man from the private sector. He told us that cyberwar was going on right now, largely invisible to the public, from a whole variety of actors. He quoted the IRA, “You have to be lucky all of the time, we only have to be lucky once,” and he called on the government and the private sector to spend even more on shoring up Britain’s cyber defences.
Maybe he was right and we should not be complacent about the dangers to our national security lurking in cyberspace. But in the past the ICT and security industries have found it very easy to scare governments into spending huge sums on initiatives that have not always proved their worth.