Governments and large organisations have shored-up infrastructure and talent in preparation for cyber attacks but warfare may be all talk according to an Australian academic and industry veteran.
The grounds for what constitutes an act of war were murky. The US Government said in 2004 that it could answer a cyber attack on its Domain Name Servers with bombs, and the British Government had spoken of its intention to build offensive network capabilities.
But offensive hacking-back capabilities were unwise, not only because it was difficult to attribute attacks, but because cyberwar was unprofitable, Macquarie University lecturer Milton Bar said.
“There is a conceptual problem here,” he said. “Consider if for instance the Chinese were conducting state-based cyberwarfare against the US and it overflowed into the commercial area -- the last thing they want is the US to be rendered unable to trade. That would be totally counter-productive.”
Yet while governments may be disinclined to wage cyberwar, the industrial military complex was growing. Many defence contractors had acquired IT security companies, a trend which some have warned is leeching talent from defensive research into offensive tool development.
Meanwhile, Bar said businesses faced with attack would not lie down.
“They can’t call on [CERT Australia], so they need to take some other action, and they need to consider what this might be,” Bar said. He was not suggesting businesses launch retaliatory black ops intelligence attacks, but rather look to the sorts of strategies employed in the corporate world to undercut rivals.
Bar cited another example of economics driving information security agendas. In the early 1990s, a decade after he helped install early security measures for automatic teller machines across NSW, he noticed banks were cracking down on increased instances of fraud.
He speculated that fraud may have been the catalyst for the crack-down because it was both uncontrollable and had begun exceeding the profit made from merchant fees.
Even if cyberwar was off the agenda, controlling offensives by the public would prove difficult. The public now had access to more capable attack tools and vulnerabilities that were weaponised as exploits faster than ever.
“Perhaps it will be difficult to control individuals with these tools who are offensively inclined,” Bar said. “It may become a problem to control patriotic hackers who could decide to take down a trading exchange for what they see is the good of the country”.
But the problem of overly ambitious and inconvenient patriot hacker was not new: They had jumped around the bulletin boards of the 1970s since the birth of ARPANET. Movements such as Anonymous exhibit the same behaviour, Bar said, though they use different tactics.
He said it was likely these groups could not be eradicated, but their impact on national interests could be minimised.
Bar will chair a roundtable discussion at the 2011 Cyber War conference in Canberra today.