This report is part of a broader OECD study into "Future Global Shocks", examples of which could include a further failure of the global financial system, large-scale pandemics, escape of toxic substances resulting in wide-spread long-term pollution, and long-term weather or volcanic conditions inhibiting transport links across key intercontinental routes.
The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters.
Catastrophic single cyber-related events could include: a successful attack on one of the
underlying technical protocols upon which the Internet depends, such as the Border
Gateway Protocol which determines routing between Internet Service Providers; and a
very large-scale solar flare which physically destroys key communications components
such as satellites, cellular base stations and switches.
For the remainder of likely breaches of cybersecurity such as malware, distributed
denial of service, espionage, and the actions of criminals, recreational hackers and
hacktivists, most events will be both relatively localised and short-term in impact.
Successful prolonged cyberattacks need to combine: attack vectors which are not
already known to the information security community and thus not reflected in available
preventative and detective technologies, so-called zero-day exploits; careful research of
the intended targets; methods of concealment both of the attack method and the
perpetrators; the ability to produce new attack vectors over a period as current ones are
reverse-engineered and thwarted. The recent Stuxnet attack apparently against Iranian
nuclear facilities points to the future but also the difficulties. In the case of criminally
motivated attacks: a method of collecting cash without being detected.
The vast majority of attacks about which concern has been expressed apply only to
Internet-connected computers. As a result, systems which are stand-alone or
communicate over proprietary networks or are air-gapped from the Internet are safe from
these. However these systems are still vulnerable to management carelessness and
Proper threat assessment of any specific potential cyberthreat requires analysis against:
Triggering Events, Likelihood of Occurrence, Ease of Implementation, Immediate
Impact, Likely Duration, Recovery Factors. The study includes tables with worked
examples of various scenarios.
There are many different actors with varying motivations in the cybersecurity
domain. Analysis and remedies which work against one type may not be effective
against others. Among such actors are: criminals, recreational hackers, hacktivists,
ideologues, terrorists, and operatives of nation states.
Analysis of cybersecurity issues has been weakened by the lack of agreement on
terminology and the use of exaggerated language. An "attack" or an "incident" can
include anything from an easily-identified "phishing" attempt to obtain password details,
a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth
onslaught. Rolling all these activities into a single statistic leads to grossly misleading
conclusions. There is even greater confusion in the ways in which losses are estimated.
Cyberespionage is not a "few keystrokes away from cyberwar"; it is one technical
method of spying. A true cyberwar is an event with the characteristics of conventional
war but fought exclusively in cyberspace.
It is unlikely that there will ever be a true cyberwar. The reasons are: many critical
computer systems are protected against known exploits and malware so that designers of
new cyberweapons have to identify new weaknesses and exploits; the effects of
cyberattacks are difficult to predict – on the one hand they may be less powerful than
hoped but may also have more extensive outcomes arising from the interconnectedness
of systems, resulting in unwanted damage to perpetrators and their allies. More
importantly, there is no strategic reason why any aggressor would limit themselves to
only one class of weaponry.
However, the deployment of cyberweapons is already in widespread use and in an extensive
range of circumstances. Cyberweapons include: unauthorised access to systems
("hacking"), viruses, worms, trojans, denial-of-service, distributed denial of service using
botnets, root-kits and the use of social engineering. Outcomes can include: compromise
of confidentiality / theft of secrets, identity theft, web-defacements, extortion, system
hijacking and service blockading. Cyberweapons are used individually, in combination
and also blended simultaneously with conventional "kinetic" weapons as force
multipliers. It is a safe prediction that the use of cyberweaponry will shortly become
Large sections of the Critical National Infrastructure of most OECD countries are not
under direct government control but in private ownership. Governments tend to respond
by referring to Public Private Partnerships but this relationship is under-explored and full
of tensions. The ultimate duty of a private company is to provide returns for its shareholders whereas a Government's concern is with overall public security and safety.
Victims of cybersecurity lapses and attacks include many civilian systems and for this
reason the value of a purely military approach to cybersecurity defence is limited. The
military have a role in protecting their own systems and in developing potential offensive
Circumstances in which the world or individual nations face cybersecurity risks with
substantial long term physical effects are likely to be dwarfed by other global threats in
which information infrastructures play an apparently subordinate but nevertheless critical
role. During many conventional catastrophes there is a significant danger that a
supportive information infrastructure becomes overloaded, crashes and inhibits recovery.
The cyber infrastructure, as well as providing a potential vector for propagating and
magnifying an original triggering event, may also be the means of mitigating the effects.
If appropriate contingency plans are in place, information systems can support the
management of other systemic risks. They can provide alternate means of delivering
essential services and disseminate the latest news and advice on catastrophic events,
reassuring citizens and hence dampening the potential for social discontent and unrest.
Rates of change in computer and telecommunications technologies are so rapid that
threat analyses must be constantly updated. The study includes a series of projections
about the future.
Counter-Measures need to be considered within an Information Assurance engineering
framework, in which preventative and detective technologies are deployed alongside
human-centred managerial policies and controls.
A key distinguishing feature of cyberattacks is that it is often very difficult to identify the
actual perpetrator because the computers from which the attack appears to originate will
themselves have been taken over and used to relay and magnify the attack commands.
This is known as the problem of attribution. An important consequence is that, unlike
in conventional warfare, a doctrine of deterrence does not work – because the target for
retaliation remains unknown. As a result, defence against cyberweapons has to
concentrate on resilience – preventative measures plus detailed contingency plans to
enable rapid recovery when an attack succeeds.
Managerial Measures include: risk analysis supported by top management; secure system
procurement and design as retrofitting security features is always more expensive and
less efficient; facilities for managing access control; end-user education; frequent system
audits; data and system back-up; disaster recovery plans; an investigative facility; where
appropriate – standards compliance.
Technical Measures include: secure system procurement and design; applying the latest
patches to operating systems and applications; the deployment of anti-malware, firewall
and intrusion detection products and services; the use of load-balancing services as a
means of thwarting distributed denial of service attacks.
Large numbers of attack methods are based on faults discovered in leading operating
systems and applications. Although the manufacturers offer patches, their frequency
shows that the software industry releases too many products that have not been properly
Penetration Testing is a useful way of identifying system faults.
Three current trends in the delivery of ICT services give particular concern: World Wide
Web portals are being increasingly used to provide critical Government-to-citizen and
Government-to-business facilities. Although these potentially offer cost savings and
increased efficiency, over-dependence can result in repetition of the problems faced by
Estonia in 2007. A number of OECD governments have outsourced critical computing
services to the private sector; this route offers economies and efficiencies but the
contractual service level agreements may not be able to cope with the unusual quantities
of traffic that occur in an emergency. Cloud computing also potentially offers savings
and resilience; but it also creates security problems in the form of loss of confidentiality
if authentication is not robust and loss of service if internet connectivity is unavailable or
the supplier is in financial difficulties.
The authors identify the following actions for Governments:
Ensure that national cybersecurity policies encompass the needs of all citizens and not
just central government facilities.
Encourage the widespread ratification and use of the CyberCrime Convention and other
potential international treaties.
Support end-user education as this benefits not only the individual user and system but
reduces the numbers of unprotected computers that are available for hijacking by
criminals and then used to mount attacks.
Use procurement power, standards-setting and licensing to influence computer industry
suppliers to provide properly tested hardware and software.
Extend the development of specialist police and forensic computing resources.
Support the international Computer Emergency Response Team (CERT) community,
including through funding, as the most likely means by which a large-scale Internet
problem can be averted or mitigated.
Fund research into such areas as: Strengthened Internet protocols, Risk Analysis,
Contingency Planning and Disaster Propagation Analysis, Human Factors in the use of
computer systems, Security Economics.
Attempts at the use of an Internet "Off" Switch, even if localised, are likely to have
unforeseeable and unwanted consequences.