Decoding the truth about cyberterrorism

It seems the British state needs the threat of cyberterrorism like it needs rumours of a global flu pandemic. Cue Lib-Con home secretary Theresa May who this week added her voice to those from the security services in issuing a semi-apocalyptic warning from behind her firewall.

May’s assertion that cyber warfare poses a clear and present danger came as the government unveiled its National Security Strategy white paper. In fact this threat, the document asserted, belongs alongside that staple of government fearmongering: international terrorism. Speaking on BBC Radio 4’s Today programme, May explained that while it was ‘unhelpful’ to start trying to equate bombs and binary code, both international terrorism and cyber warfare were ‘very key priority threats’. Seeming keen to avoid anything that sounded like reassurance, she continued: ‘[Cyber warfare] is a threat to government, it’s a threat to businesses and indeed to personal security. We have identified this as a new and growing threat in the UK and you just have to look at the figures… 51 per cent of the malicious software threats that have ever been identified were in 2009.’

Crikey. Lest one thinks that May has just had a bad experience with a ‘My uncle is dead and I need to wire you $10,000’ email, her dire prognosis came on the back of last week’s call to virtual arms from Iain Lobban, head of the UK’s eavesdropping and snooping services at GCHQ. ‘Cyberspace is contested every day, every hour, every minute, every second’, Lobban said. ‘I can vouch for that from the displays in our own operations centre of minute-by-minute cyber attempts to penetrate systems around the world… There are over 20,000 malicious emails on government networks each month. Cyberspace lowers the bar for entry to the espionage game for states and criminals.’ Critical parts of Britain’s infrastructure – emergency services, power grids – are facing a ‘real and credible’ threat, he continued. Quick to spot a lucrative consultancy role, former Whitehouse cyber security advisor Richard Clarke added his two cents’ worth: ‘We need in all countries to stop worrying about cyber war on the offensive and start worrying about cyber war on the defensive.’

Which all sounds very serious. But just what exactly are we talking about here? Is there really a cyber war being waged against government networks? If there is, it’s being done very quietly. In fact, it’s very difficult to recall any actual acts of cyber terrorism. Bloody, offline terrorist attacks, yes – but bloodless, online terrorist attacks? It’s not a trick question. If our use of digital technology, from the infrastructural importance of computer systems to our everyday reliance on social networks, has not only left us more vulnerable than ever before but has made it far easier for bad people to do bad things – which is the kind of sentiment underpinning the government warnings – then why have there been next to no notable cases of cyber terrorism?

Admittedly, it is alleged that Russia launched some sort of concerted attack on Estonian government websites in 2007 and then again against Georgia in 2008. But even then, no one is quite sure what really happened.

Unconfirmed reports of nation states waging web war aside, what of those stateless, rogue cyberterrorist types that haunt the government’s waking nightmares? Well, in 1999 Russian hackers apparently tried to seize control of an oil pipeline, which they did for a few hours, although to no particular end. And in 2001, an Australian called Vitek Boden took his revenge against a hotel that had recently sacked him by hacking into a water control system and flooding the hotel grounds with gallons of sewage. This may be the mark of a nerd with a grudge but it is hardly the justification for the type of fearmongering currently doing the rounds at Westminster.

Even those immersed in the online security industry seem unconvinced. Speaking to The Register, Sean Sullivan of F-Secure seemed decidedly unruffled by the unfolding cyberwar. ‘One could even argue that [Lobban’s comments] are over-hyped’, he said. ‘The sort of attacks or worms he refers to are very common and have been for some time. They are experienced by all sorts of different organisations failing to implement best security practices – not just government agencies.’ That is, the supposed threat to those vital parts of state infrastructure from cyberwarriors is actually no greater than the threat to any business or individual. If someone at GCHQ or the Home Office opens a dodgy email from Britney Spears and proceeds to look at the attachment, that is probably less an indication of imminent cybergeddon than an indictment of their recruitment procedures.

Given that cyber warfare probably poses about as much threat to national security as a loser in a pair of explosive pants, where has this sudden concern come from? The cynical explanation for the War Games angst can probably be found in the publication this week of the government’s Comprehensive Spending Review. One suspects that if there is a war going on, it is between different departments and not hackers and the burgeoning online security industry.

But there is more to this propagation of fear than GCHQ trying to justify increased investment in its IT department. Rather, just as it did with swine flu and with bird flu, not to mention with international terrorism itself, the state – regardless of the political stripe of its incumbents – tends to cultivate and exploit public anxieties and fears. This is not a cynical act, exactly. Rather, it is born from a want of purpose and legitimacy – a purpose and legitimacy governments can then find in the management of public fears and anxieties.

No doubt, there is a risk that some sort of malware could allow hackers to cause damage to a vital part of infrastructure. And in that regard, a hyperbole-free risk-assessment would surely be a sensible measure. But it seems that right now, hyperbole-rich public announcements serve the government’s needs far more than a discrete, level-headed look at the rather pathetic reality of cyberwarfare.

Tim Black is senior writer at spiked.