Governments are increasingly dependent upon cyberspace for the delivery of public services and national defence. As a result, a cyber attack can have far-reaching consequences for both military and civilian interests. For example, in the UK, the programme of Transformational Government is moving public services into cyberspace. An emphasis on data sharing and increasing efficiencies in managing and storing public data brings great benefits to the delivery of services.
However, this systematising and consolidating of information also enhances the vulnerability of public data and systems to attack. Sophisticated criminal saboteurs are likely to target these systems if they are seen as quick routes to sensitive personal data. They are also likely to be a key target for terrorist groups and hostile states.
The US has experienced troubling cases of organised incursions into the network, most notably a case where agents from China and Russia appear to have hacked into the US electric power grid control network. In the UK, intelligence reports have pointed to an active development of such capability by Al Qa’ida affiliates. In Israel, during the Gaza offensive in January, a targeted cyber offensive briefly brought down Israeli government websites. Israeli officials speculated that the attacks may have been perpetrated by a criminal organisation in the former Soviet Union and paid for by Hamas or Hezbollah.
This dependence on cyberspace to deliver public services extends globally as the infrastructure and systems that provide it have physical and intellectual locations around the world. With these advances come vulnerabilities that a range of actors could seek to exploit through cyber attacks.
The cyber capabilities of both the state and organised criminals are growing in sophistication. Cyber espionage has substantial, long-term consequences for national security and prosperity. A rise in the number of global internet users, increasing state vulnerabilities to attack across the public and private sectors, and inherent policing and response difficulties require new approaches. A successful attack could be devastating. A US report to Congress in 2008 observed that China was now in a position to ‘delay or disrupt the deployment of America’s military forces around the world’.
Blurred boundaries
While we can distinguish theoretically between state cyber attacks and organised criminal or non-state political attacks, in practice the boundaries between the two can be blurred. There is contention regarding the degree of authority that some countries exert over criminal cyber capability within their borders. This presents difficulties in identifying hostile attacks and responding effectively. The three-week campaign against Estonia in May 2007 – suspected by some Estonian officials to have been sponsored by Russia – was the first example of a sustained cyber attack on the national infrastructure of a state. However, Russia has not admitted responsibility and there is little evidence that the attack was anything more than one undertaken by disgruntled, though organised, Russian nationals. This deniability is a defining characteristic of cyber attacks.
US officials have reported that US, Japanese and European states are suffering considerable intellectual property losses due to criminal and industrial espionage attacks. There is further evidence that organised criminal gangs can be ‘guns for hire’, perpetrating attacks against governments as well as commercial organisations for political and commercial gain, as indicated by the Israeli example cited earlier.
It is anticipated that quasi state-sponsored attacks will grow, particularly from hostile states, and governments are already adapting to this. A 2009 US Pentagon assessment points to such growth and the importance of cyber capability in Chinese military doctrine. Already a mechanism through which non-military power can be exerted to great reward, cyber capability will be an attractive option for weaker states seeking to exert influence. Some experts have pointed to the potential for ‘cyber lawless’ states, in which criminals operate with almost complete freedom, leading to situations that are analogous to the difficulties faced by the international community in countering Somali piracy. The fact that cyber attacks on national infrastructure can be perpetrated by non-state actors and without state support demonstrates the strategic power now in the hands of non-state actors. This phenomenon requires new thinking regarding the responsibility of states for actions within their borders.
Cyber skills shortage
Unfortunately, there is currently a dearth of motivated expertise in the West. US Defence Secretary Robert Gates has said, “[The Pentagon] is desperately short of people who have [the necessary] capabilities.” The US, UK and others in Europe are playing catch-up in recruiting the next-generation experts. The US Cyber Challenge is aiming to recruit 10,000 individuals into various cyber-security agencies. In the UK the new Cyber Security Operations Centre (CSOC) aims to take advantage of available skills in the recession to build capability and expertise. Providing the incentives to attract and develop talent remains a challenge.
While the number of experts in the West is increasing, this has been significantly overtaken by growth in China, for example. In Europe, Estonia, Germany, Italy, Latvia, Lithuania, Slovakia and Spain have established the Centre of Excellence on Cyber Defence under NATO auspices. The EU’s European Network and Information Security Agency (ENISA) is another ‘centre of excellence’ aiming to provide advice to the Commission, private sector and member states.

