Thursday, January 05, 2012

2011: The Year Of Domestic Cyber Threat


Stuxnet demonstrated that weaponised cyber exploits could physically destroy critical infrastructure [GALLO/GETTY]


Any State With A Civilian Cyber Infrastructure Faces A Clear and Present Threat To Its Critical Infrastructure. 

By Eddie Walsh 
Last Modified: 01 Jan 2012 12:12 
Courtesy Of "Al-Jazeera"


Washington, DC - Since September 11, terrorism has dominated the domestic security agenda, especially in the United States and Europe. While some in the US government attempted to link industrial control systems cyber security and radical Islamic fundamentalist terrorism soon after the 9/11 attacks, the probability of a major attack of this type by al-Qaeda was greatly discounted. Cyber attacks against critical infrastructure thereafter took a backseat to more pressing national security priorities and garnered relatively little attention outside the national security establishment and industry. Generally speaking, the rest of the world followed the US' lead.

Last decade, few public policy stakeholders appear to have realised the existential threat posed by such capabilities to domestic critical infrastructure or, when they did, the urgency with which governments needed to act. As a consequence, many governments implemented limited or modest increases in government regulation and oversight over critical infrastructure cyber security. They instead placed great faith in the private sector to manage the risk on their behalf out of the public view.

It therefore should not be a surprise that it took so long for cyber warfare to challenge terrorism as a top domestic security concern. The world apparently needed to bear witness to a high-profile, targeted use of an industrial control system cyber attack to shift global perceptions on the domestic risk posed by such capabilities. In the end, Stuxnet, a computer worm, delivered where policymakers could not; it demonstrated that weaponised cyber exploits could physically destroy (not just disable) critical infrastructure in the wild.

From the perspective of the domestic security agenda, Stuxnet thus served as a game-changer. It showed that any state with a civilian cyber infrastructure faces a clear and present threat to its critical infrastructure. This challenged most public domestic security assessments around the world, putting internal pressure on governments to more urgently tackle cyber threats to critical infrastructure. It also brought into question some countries' reliance on Cold War-era deterrence strategies which had not been expanded to account for this new class of high-end threats.

Most importantly, Stuxnet appreciably pulled back the veil of secrecy on the cyber warfare domain. Media coverage of Stuxnet provided the international community with a much fuller understanding of the threat posed by modern cyber warfare. This placed government cyber security policies under greater public scrutiny and served as impetus for new dialogue on how state and non-state actors could better manage such threats.

While many Western publications lauded 2011 as the year of the "you", "the people", or "the protester", one could argue that the "cyber attack" deserved serious consideration as well. And, no one would have been more deserving of this honour than Stuxnet.

Even though Stuxnet emerged in 2010, it can be said that Stuxnet really didn't have its coming out party until 2011. To be sure, derivative protégées (e.g. Duqu) kept its name in the headlines. It also helped that Stuxnet was directly linked to one of 2011's top international security issues (Iranian nuclear proliferation). These serve as interesting subtexts to the feature story.

But, last year's sustained interest in Stuxnet reflected something more important that should not escape our collective attention. Even without another attack in 2011, Stuxnet probably would have endured as a major topic of interest last year. Why? Because it served as an inflection point in the history of cyberspace and public policy that broadly, radically, and permanently altered how society conceptualises modern national security threats.

If it had not been for Stuxnet, 2011 would have been far less exciting for national security stakeholders. It is unlikely that computer experts would have so profoundly exposed the vulnerability exploited by Stuxnet's creators. The news of an as yet unsubstantiated claim of a cyber attack on an American water utility provider probably would not have garnered worldwide headlines. (Such interest certainly was not a result of the Maroochy Shire Incident.) Nor would we likely have experienced the worldwide explosion in SCADA security events in 2011.

It is equally unlikely that the Department of Homeland Security's new advisory on Siemens industrial control systems security vulnerabilities would have received mainstream coverage. Major American broadcast news correspondents probably would not have gone on-the-record to predict that cyber security may emerge as the US' top domestic security concern in 2012. And, cyber proliferation may not have been a top policy issue at a well-known American think tank.

But, above all else, the true threat posed by cyber attacks against critical infrastructure probably would have remained the purview of but a few in the national security establishment and industry.

Stuxnet therefore should get credit for making 2011 the year of the cyber attack - even if it has to share that honour with others. After such a breakout year, the world's newest high-end asymmetric threat needs some public recognition for all that it has accomplished.

Eddie Walsh is a foreign correspondent who covers Africa and Asia-Pacific.
