Extreme situations, entropy eruptions and unforeseen problems caused by complex interactions between a plethora of components are prime story material. You can use it in (science) fiction, you can use for breaking news, you can use it for scaring your children, you can use it for advertising and you can use it when talking about information security. Maybe this is why talking about „cyberwar“ is all the fashion these days. Let’s follow the trend and introduce the issue with style:
No boom today. Boom tomorrow. There’s always a boom tomorrow. What? Look, somebody’s got to have some damn perspective around here! Boom. Sooner or later. BOOM! — Lt. Cmdr. Susan Ivanova, Babylon 5
This statement from a fictional character pretty much sums up the issue (plus it contains exactly the required amount of sources to get you published by most media). It also automatically answers all questions, especially if we talk about war be it cyber or otherwise. The German news site Spiegel Online (SPON) has a recent article covering the issue if depending on IT systems, (not) properly dealing with complex software and (not) hardening your IT infrastructure. Most companies have no fall-back procedures once their digital lifeline is severed or compromised. They have turned back in time to become teenagers addicted to text messaging. The same is true for governments. Remember the DigiNotar incident and its impact for e-government. IT security can’t keep up because of economic pressure (or corporate greed, decide for yourself). For every 100 lines of code audited there are 10.000 lines of code freshly written and deployed, according to the author of the SPON article. Hardening systems and doing secure infrastructure design is simply not done or done sloppily. The article concludes that the digital modern society simply cannot withstand „cyberwar“.
Let’s step back and invoke the power of analogies by forgetting about „cyber“ for a moment. Our office has no bomb-proof roof and no bunker. We have no checkpoints with armed guards on the way to the entrance. We haven’t piled sandbags in front of the windows. We do not issue bullet-proof vests to our staff. We do not own any armoured vehicles to get around. We maintain no air force and we cannot call in close support, neither by plane nor by artillery. All in all we are very ill-prepared for a war. Why have we skipped all of these necessary measures to improve our security? Well, firstly we cannot afford it, and secondly the risk for incidents where security breaches are done by shrapnel or bullet are luckily quite low.
Turning back to „all things cyberwar“ you will now better understand why the IT infrastructure is like it is. It’s all about risks, and a „cyberwar“ is nothing like a „real war“. You cannot add „cyber“ and keep thinking of „war“. Shutting down the IT infrastructure of a national economy can be done by politics, natural disasters, the energy market and by the supply of electronics including the raw materials to produce them. How many IT departments do you know who have taken tsunamis and floods in Asia into account? Do you know where your electronics and storage hardware comes from? Do you know how it is transported? Where are your digital assets and how are they connected? Maybe you should start to think about these things before you think about preparing for war, cyber or otherwise.
True, there are threats that use the network or computers, but the Morris Worm turns 24 this year, the Internet is more than 40 years old (depending which event you use as a marker for birth), but now we’re talking about „cyberwar“? We should talk about risks and security intelligence first. This is exactly the reason why we are preparing the DeepINTEL event – to give you the big picture and the knowledge how to deal with information security strategically.