Reducing Systemic Cybersecurity Risk report

This report is part of a broader OECD study into ―Future Global Shocks‖, examples of which could include a further failure of the global financial system, large-scale pandemics, escape of toxic substances resulting in wide-spread long-term pollution, and long-term weather or volcanic conditions inhibiting transport links across key intercontinental routes. 

The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.  Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services.  In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters


Catastrophic single cyber-related events could include: successful attack on one of the 
underlying technical protocols upon which the Internet depends, such as the Border 
Gateway Protocol which determines routing between Internet Service Providers and a 
very large-scale solar flare which physically destroys key communications components 
such as satellites, cellular base stations and switches.
For the remainder of likely breaches of cybsersecurity such as malware, distributed 
denial of service, espionage, and the actions of criminals, recreational hackers and 
hacktivists, most events will be both relatively localised and short-term in impact. 
Successful prolonged cyberattacks need to combine: attack vectors which are not 
already known to the information security community and thus not reflected in available 
preventative and detective technologies, so-called zero-day exploits; careful research of 
the intended targets; methods of concealment both of the attack method and the 
perpetrators; the ability to produce new attack vectors over a period as current ones are 
reverse-engineered and thwarted. The recent Stuxnet attack apparently against Iranian 
nuclear facilities points to the future but also the difficulties. In the case of criminally 
motivated attacks: a method of collecting cash without being detected.
The vast majority of attacks about which concern has been expressed apply only to 
Internet-connected computers. As a result, systems which are stand-alone or 
communicate over proprietary networks or are air-gapped from the Internet are safe from 
these. However these systems are still vulnerable to management carelessness and 
insider threats.
Proper threat assessment of any specific potential cyberthreat requires analysis against: 
Triggering Events, Likelihood of Occurrence, Ease of Implementation, Immediate 6
Impact, Likely Duration, Recovery Factors. The study includes tables with worked 
examples of various scenarios
There are many different actors and with varying motivations in the cybersecurity 
domain. Analysis and remedies which work against one type may not be effective 
against others. Among such actors are: criminals, recreational hackers, hacktivists, 
ideologues, terrorists, and operatives of nation states. 
Analysis of cybsersecurity issues has been weakened by the lack of agreement on 
terminology and the use of exaggerated language. An ―attack‖ or an ―incident‖ can 
include anything from an easily-identified ―phishing‖ attempt to obtain password details, 
a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth 
onslaught. Rolling all these activities into a single statistic leads to grossly misleading 
conclusions. There is even greater confusion in the ways in which losses are estimated. 
Cyberespionage is not a ―few keystrokes away from cyberwar‖, it is one technical 
method of spying. A true cyberwar is an event with the characteristics of conventional 
war but fought exclusively in cyberspace. 
It is unlikely that there will ever be a true cyberwar. The reasons are: many critical 
computer systems are protected against known exploits and malware so that designers of 
new cyberweapons have to identify new weaknesses and exploits; the effects of 
cyberattacks are difficult to predict – on the one hand they may be less powerful than 
hoped but may also have more extensive outcomes arising from the interconnectedness 
of systems, resulting in unwanted damage to perpetrators and their allies. More 
importantly, there is no strategic reason why any aggressor would limit themselves to 
only one class of weaponry. 
However the deployment of cyberweapons is already widespread use and in an extensive 
range of circumstances. Cyberweapons include: unauthorised access to systems 
(―hacking‖), viruses, worms, trojans, denial-of-service, distributed denial of service using 
botnets, root-kits and the use of social engineering. Outcomes can include: compromise 
of confidentiality / theft of secrets, identity theft, web-defacements, extortion, system 
hijacking and service blockading. Cyberweapons are used individually, in combination 
and also blended simultaneously with conventional ―kinetic‖ weapons as force 
multipliers. It is a safe prediction that the use of cyberweaponry will shortly become 
Large sections of the Critical National Infrastructure of most OECD countries are in not 
under direct government control but in private ownership. Governments tend to respond 
by referring to Public Private Partnerships but this relationship is under-explored and full 
of tensions. The ultimate duty of a private company is to provide returns for its shareholders whereas a Government‘s concern is with overall public security and safety.
Victims of cybersecurity lapses and attacks include many civilian systems and for this 
reason the value of a purely military approach to cybsecurity defence is limited. The 
military have a role in protecting their own systems and in developing potential offensive 
Circumstances in which the world or individual nations face cybersecurity risks with 
substantial long term physical effects are likely to be dwarfed by other global threats in 7
which information infrastructures play an apparently subordinate but nevertheless critical 
role. During many conventional catastrophes there is a significant danger that a 
supportive information infrastructure becomes overloaded, crashes and inhibits recovery.
The cyber infrastructure, as well as providing a potential vector for propagating and 
magnifying an original triggering event, may also be the means of mitigating the effects. 
If appropriate contingency plans are in place, information systems can support the 
management of other systemic risks. They can provide alternate means of delivering 
essential services and disseminate the latest news and advice on catastrophic events, 
reassuring citizens and hence dampening the potential for social discontent and unrest. 
Rates of change in computer and telecommunications technologies are so rapid that 
threat analyses must be constantly updated. The study includes a series of projections 
about the future. 
Counter-Measures need to be considered within an Information Assurance engineering 
framework, in which preventative and detective technologies are deployed alongside 
human-centred managerial policies and controls. 
A key distinguishing feature of cyberattacks is that it is often very difficult to identify the 
actual perpetrator because the computers from which the attack appears to originate will 
themselves have been taken over and used to relay and magnify the attack commands. 
This is known as the problem of attribution. An important consequence is that, unlike 
in conventional warfare, a doctrine of deterrence does not work – because the target for 
retaliation remains unknown. As a result, defence against cyberweapons has to 
concentrate on resilience – preventative measures plus detailed contingency plans to 
enable rapid recovery when an attack succeeds. 
Managerial Measures include: risk analysis supported by top management; secure system 
procurement and design as retrofitting security features is always more expensive and 
less efficient; facilities for managing access control; end-user education; frequent system 
audits; data and system back-up; disaster recovery plans; an investigative facility; where 
appropriate – standards compliance 
Technical Measures include: secure system procurement and design; applying the latest 
patches to operating systems and applications; the deployment of anti-malware, firewall 
and intrusion detection products and services; the use of load-balancing services as a 
means of thwarting distributed denial of service attacks
Large numbers of attack methods are based on faults discovered in leading operating 
systems and applications. Although the manufacturers offer patches, their frequency 
shows that the software industry releases too many products that have not been properly 
Penetration Testing is a useful way of identifying system faults 
Three current trends in the delivery of ICT services give particular concern: World Wide 
Web portals are being increasingly used to provide critical Government-to-citizen and 
Government-to-business facilities. Although these potentially offer cost savings and 
increased efficiency, over-dependence can result in repetition of the problems faced by 8
Estonia in 2007. A number of OECD governments have outsourced critical computing 
services to the private sector; this route offers economies and efficiencies but the 
contractual service level agreements may not be able to cope with the unusual quantities 
of traffic that occur in an emergency. Cloud computing also potentially offers savings 
and resilience; but it also creates security problems in the form of loss of confidentiality 
if authentication is not robust and loss of service if internet connectivity is unavailable or 
the supplier is in financial difficulties
The authors identify the following actions for Governments:
Ensure that national cybersecurity policies encompass the needs of all citizens and not 
just central government facilities
Encourage the widespread ratification and use of the CyberCrime Convention and other 
potential international treaties
Support end-user education as this benefits not only the individual user and system but 
reduces the numbers of unprotected computers that are available for hijacking by 
criminals and then used to mount attacks
Use procurement power, standards-setting and licensing to influence computer industry 
suppliers to provide properly tested hardware and software
Extend the development of specialist police and forensic computing resources
Support the international Computer Emergency Response Team (CERT) community, 
including through funding, as the most likely means by which a large-scale Internet 
problem can be averted or mitigated
Fund research into such areas as: Strengthened Internet protocols, Risk Analysis, 
Contingency Planning and Disaster Propagation Analysis, Human Factors in the use of 
computer systems, Security Economics
Attempts at the use of an Internet ―Off‖ Switch, even if localised, are likely to have 
unforeseeable and unwanted consequences.



Published by:

Reza Rafati's picture

Reza Rafati

Hi, I'm the founder of Cyberwarzone and i'm here to collect and share a lot of information. So stay tuned!

The Netherlands

My website