Cyberwar report: Israel, Finland best prepared for conflict
Do GCHQ and the NSA have some catching up to do?
Analysis Israel, Finland and Sweden are more prepared than larger nations to fight a conflict in cyberspace, according to a McAfee-backed cyber-defence study.
The study, Cyber-security: The Vexed Question of Global Rules, is based on interviews with experts in the nascent field by by McAfee and Security & Defence Agenda, a defence think-tank. No metrics are involved in the study, which even McAfee admits is largely subjective. Brussels-based SDA based its conclusions on "in-depth interviews with some 80 world-leading policy-makers and cyber-security experts" in government, business and academia in 27 countries as well as an anonymous survey of 250 world leaders in 35 countries.
For the record, among the key findings of the report are the contention that the state of cyber-readiness of the US, Australia, UK, China and Germany all rank behind that of smaller countries such as Israel, Sweden and Finland. The methodology used for rating various countries’ state of cyber-readiness was developed by Robert Lentz, former US Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance.
Without knowing the capabilities of GCHQ and the NSA, and the cyber-warfare pundits quizzed by McAfee would be honour-bound not to disclose this if they did know, it is hard to even begin to understand where this conclusion comes from. Certainly the UK government's very public commitment to boost cyber-security – with an additional budget of £650m over the next four years on improved electronic defences, mostly earmarked for GCHQ and the intelligence agencies – would suggest it's no laggard when it come to repelling hacker attacks.
The UK and US, rated with four castles, are only just behind the top-ranked nations, which earn four-and-a-half castles. China and Russia get three castles, ahead of India (on two-and-a-half), and Mexico (two castles – the lowest rating of the 23 countries accessed).
Frankly the whole thing is like rating footballers after a match, which sports journalists routinely assign in a great hurry on the way to the boozer - only to find their musings are taken quite seriously by the players.
In other findings, the report found that most (57 per cent) global experts believe that an arms race is taking place in cyber-space. More than a third (36 per cent) reckon cyber-security is more important than missile defence. Nearly one half of them (43 per cent) identified damage or disruption to critical infrastructure as the greatest single threat posed by cyber-attacks. A similar percentage (45 per cent) of respondents said that "cyber-security is as important as border security" (try telling that one to border agents trying to keep Mexican drug traffickers from further encroaching into the US).
Cloud cast shadows over cyber-security picture
Experts quizzed by SDA agreed that greater use of cloud-based technologies and smartphones are complicating the already muddled cyber-security picture. The study highlights a looming skills shortage in cyber-security and a lack of private-sector involvement in cyber-security exercises as potential problems. Striking the difficult balance between maintaining security and protecting individuals' freedoms is also seen as a puzzler best achieved by "selectively reducing anonymity without sacrificing privacy rights".
The report goes on to list a series of recommendations including greater global information sharing; financial incentives for improvements in security for both private and public sectors; more powers to law enforcement in order to combat cross-border cybercrime; the formulation of best practice-led international security standards; and diplomatic efforts to resolve mediocre take-up of existing global cyber treaties. Some respondents advocated the establishment of cyber-confidence building measures as alternatives to global treaties.
Finally the report recommended the development of improved public awareness of cyber-security campaigns. Schemes such as Get Safe Online, in the UK, have enjoyed a greater push from security, financial sector firms and government over recent years so it's hard to see what more can be done in the area of eduction anytime soon.
The report's authors point to the need for improved real-time sharing of global intelligence as the single most important recommendation of the report.
"The core problem is that the cyber criminal has greater agility, given large funding streams and no legal boundaries to sharing information, and can thus choreograph well-orchestrated attacks into systems," said Phyllis Schneck, Vice President and CTO of global public sector at McAfee, in a statement. "Until we can pool our data and equip our people and machines with intelligence, we are playing chess with only half the pieces." ®
"according to a McAfee-backed cyber-defence study."
What's the point of taking it seriously? This is from a company, that for the longest time, would hand out "hacker safe" medals to websites that were vulnerable to XSS attacks and SQL injections. Their definition of "cyber defense" or "security" raises serious questions about their judgement.
For example, rating Spain, France and Germany in the same category as Denmark and Estonia? Those three alone account for about 30% of the infected machines in Europe alone, and about 20% of the global market (Germany is the worst offender in that list).
Why is Brazil rated higher than Mexico? In the entire LATAM region, Brazil has more infected hosts than Mexico by a factor of almost 20.
India should be rated a single "star", giving them 2 1/2 is way too good.
Why am I looking at infected hosts? Because what bloody good will the best external-facing firewall do you if you have a scourge within the inside, ready to strike out and do damage from within? Absolutely zero.
Make the claim that it is an end-user problem. It certainly is -- but who allows those users on? The ISPs and telcos, who help to set security policy within the country as they set and configure the infrastructure. If ISPs took a more active approach to security inside and outside, they'd be better off and ranked higher. Any entity that takes either an apathetic or ignorant view of internal security doesn't have a good policy in place.
Catch42 ..... More Powerful and Destructive than a Whole Arsenal of Kinetic Weapons
"The study highlights a looming skills shortage in cyber-security and a lack of private-sector involvement in cyber-security exercises as potential problems."
One can only defend against cyber attack if one knows how and where and what to successfully attack, and that creates somewhat of an enigmatic dilemma, for anyone worthy of being considered a cyber security expert with such sensitive attack knowledge realises that their skills in launching and mentoring and monitoring unattributable attacks are many times more valuable to a client and themselves ......... and if a client into defence of critical and strategic systems, such as a GCHQ or a NSA or a whatever, requires virtual defence expertise, then they will have to pay nothing less than a small fortune to protect their dumb SCADA systems from .......... well, what it actually is, is someone else who is considerably smarter in the field than they are.
That is all.