The Organisation for Economic Co-operation and Development (OECD) has concluded that while cyber security is a real risk for governments around the world, the likelihood of a true cyber war to occur is low.
Detailing the risks of cyber security in a recent study, the OECD concluded cyber wars were complex to carry out with prolonged cyber attacks needing to combine, while new attack vectors would need to be created as current ones were reverse-engineered and thwarted.
A lack of control when deploying a cyber attack could also lead governments to think twice before launching a cyber war.
“The effects of cyber attacks are difficult to predict – on the one hand they may be less powerful than hoped but may also have more extensive outcomes arising from the interconnectedness of systems, resulting in unwanted damage to perpetrators and their allies,” the study reads.
While many critical government computer systems were reasonably well protected against known exploits and malware, the deployment of cyber weapons — such as hacking, viruses, worms, trojans, denial-of-service, distributed denial of service using botnets, root-kits and the use of social engineering — was already widespread and their use has been extensive.
“It is a safe prediction that the use of cyber weaponry will shortly become ubiquitous,” the study reads.
Compounding the risks around cyber attacks, the study argues that efforts to analyse national cyber security issues have been weakened by the lack of agreement on terminology and the use of exaggerated language.
“An ‘attack’ or an ‘incident’ can include anything from an easily-identified ‘phishing’ attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught,” the study reads.
“There is even greater confusion in the ways in which losses are estimated. Cyber espionage is not a ‘few keystrokes away from cyberwar’, it is one technical method of spying.
“A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.”
However, the OECD study puts forward a number of recommendations for governments in addressing cyber attacks, such as a focus on improving the resilience of networks, preventative measures and detailed contingency plans to enable rapid recovery when an attack succeeds.
According to the study, governments should also encourage the widespread ratification and use of the Convention on Cybercrime and other potential international treaties, support end-user education, and use their procurement power, standards-setting and licensing to influence computer industry suppliers to provide properly tested hardware and software.
The development of specialist police and forensic computing resources should be extended, and support for the international Computer Emergency Response Team (CERT) community increased.
“Attempts at the use of an Internet Off Switch as discussed in the US Senate and elsewhere, even if localised, are likely to have unforeseeable and unwanted consequences,” the study reads.
Follow Tim Lohman on Twitter: @tlohman
Follow Computerworld Australia on Twitter: @ComputerworldAU