Feeds

The cyber-weapons paradox: 'They're not that dangerous'

A war boffin talks to El Reg

The Essential Guide to IT Transformation

When it comes to bombs, the more powerful they are, the bigger their impact. With a cyber-weapon, the opposite is true: the more powerful it is, the more limited the damage it causes. The deeper a bug can get into any given system, the less likely it is to trouble anything else.

And that's why cyber-weapons aren't real weapons, says Thomas Rid, a reader in War Studies at Kings College London and co-author of a new paper published today in the security journal RUSI Journal.

Rid, the war boffin who brought us the theory that cyber war wouldn't actually be war because no one gets killed, has some more soothing common sense for those worried about cyber-geddon:

[Having] more destructive potential is likely to decrease the number of targets, the risk of collateral damage and the political utility of cyber-weapons.

Rid's point is that cyber weapons that can attack any web target tend to be low-level and quite crap: DDoS bots that can take a website offline temporarily or deface it, tools that cause inconvenience and sometimes embarrassment.

Bugs or malicious software threats that could cause significant damage to a system – eg, penetrating databases for specific sensitive internal data or causing particular real-world machines to malfunction – would need to be so specific to their target that they would be harmless to almost everything else and cause little to no collateral damage.

Take say, the worst of the worst – Stuxnet – the virus that allegedly set the Iranian nuclear programme back two years: it spread over 100,000 Windows computers en route to Iran's critical computer network and didn't damage any of its carriers.

Cyber-weapons with aggressive infection strategies built in, as popular argument goes, are bound to create uncontrollable collateral damage. The underlying image is that of a virus escaping from the lab to cause an unwanted pandemic. But this comparison is misleading.

What we shouldn't worry about

So while a DDoS can cause what Rid describes as "second order" damage, in itself the code doesn't harm a system, take data or cause any physical damage to a person.

Also - we don't need to fret too much about crazed warrior hackers from North Korea reducing all figures in the stock exchange to zero. Most high profile systems that provide services like the Stock Exchange have active protection and back-up systems.

Weaponised code does not come with an explosive charge. Potential physical damage will have to be created by the targeted system itself, by changing or stopping ongoing processes.

Simply knocking a site offline would alert the target to the problem immediately and probably cause a back-up to kick in. Serious damage would require an intelligent malware agent that was capable of changing ongoing processes while hiding the changes from their operators, Rid says. To our knowledge, this has not yet been created, and making something as complex would require the backing and resources of a state, he added.

But even if new smart high-power cyber weapons were created, though they "open up entirely new tactics" they also have "novel limitations".

He adds that "all publicly-known cyber-weapons have far less 'firepower' than is commonly assumed". Concluding: "At closer inspection cyber-weapons do not seem to favour the offence."

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.