According to the Independent this morning, the announcement of the new Cyber Security Strategy that was promised last week and that I have been calling for over the weeks (years?) will take place tomorrow. Earlier this week I chaired a seminar on “Meeting the Threats in Cyberspace”. One of the most impressive (worrying?) presentations was from Scott Borg of the US Cyber Consequences Unit. His conclusions, which spell out why a fresh approach from the UK Government is so urgent, can be summarised as follows:
“Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great. The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated. But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive. Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths.
Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions. The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks. Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed. This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited. It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.”