A friend had his bank account scammed the other day. In discussion with them, he was told that there were several signs that the account was compromised. He was somewhat annoyed that the bank had done nothing about it until it was too late and quite a lot of money was removed.
Coincidentally, I heard an interesting programme on the BBC’s World Service the other day. Four experts discussed the subject, “Is cyber-warfare really that scary?” Naturally, as befits the BBC with its requirement for balance, experts argued from both sides of the fence. They were illuminating, if only because they didn’t actually answer the question to my satisfaction. Two, both from Kings College, London, said “No, it’s all hype/only really sabotage (so that doesn’t count)”. One said “the threat is real”, while the last was a legal expert from the Swedish Defence University who considered how the law deals with “non-physical” attacks.
I don’t believe the general population looks at such matters in the same way as academics. The distinction between non-physical and physical attacks probably doesn’t matter if it’s your wallet that’s being electronically lightened or if your firm’s computers are wiped and all your data are lost and the firm then fails. Or if your country is attacked and sections of the infrastructure brought down…
However, Professor Thomas Rid said, “Bringing down electricity grids, crashing airplanes, things like that just don't happen”. Professor Rid is also author of a book called “Cyber War Will Not Take Place”. Robert Lee, a PhD student, said "If you hear, 'There's been some recent research around aviation and planes are going to be hacked and fall out of the sky,' or, 'People are going to cyber-attack trains and derail them,' that's not realistic”.
This is all reassuring, but it was clear, to me at least, that this is all a question of definition, especially (as always) in the legal arena. Sabotage or war? Cyber or ‘conventional’? The Madrid train bombs were not ‘cyber-attacks’ but remotely and literally sparked by mobile phones. The Stuxnet attach on the Iranian Natanz Nuclear facility didn’t kill anyone, but did cause physical damage to enrichment centrifuges. In international law that probably counts as an attack. Then there was the data-only attack on Saudi Aramco, where computers were rendered useless but there was no physical damage. So not an attack then?
The ordinary person in the street neither has time for these niceties nor thinks in this way. Remember the ‘millennium bug’ hysteria anyone? Cyber crime definitely exists. My friend and many others can testify to that. I simply do not believe that every major country is not preparing for conducting - and defending itself from - cyber warfare. There are also mad men in this world with no respect for any law: if they can get a nuclear weapon or find some way to bring down an airliner electronically, and without someone strapping explosives to themselves, then they will.
There is one simple way in which I, as a non-specialist, know that cyber crime and, almost certainly cyber warfare, are becoming increasingly serious concerns. As a mere recruiter, I help find specialists for firms who are investing a lot of money in preventing both. Either they are completely misguided or they are living in the real, and dangerous, world. My money is on the latter…