Nation States Move from Passive to Active Cyber Defences
If you’re looking for evidence in the public domain that any government has admitted to targeting another government’s civilian or military digital infrastructure - you won’t find much, for obvious reasons.
To date, almost all official rhetoric has been about defending citizens and infrastructure against foreign states, but that is changing. In 2017 I believe we will see more nations move the narrative from one of passive defence, to one of a more active stance.
For some time now there have been stories of state-sanctioned cyber-attacks, and threats uncovered by the security industry have hinted at potential ‘unofficial’ cyber-attacks, but nothing has ever been proven and acknowledged by any nation state.
It’s hardly surprising that a state would not officially attribute an attack on a foreign power to its own security agencies. But we do regularly hear of a state highlighting that its infrastructure is under attack, and that it is being forced to act defensively as a result. This is akin to a passive defence model. And, of course, no indications are given as to how the state has defended itself, just that the defences are called upon when required. Nothing more.
You only have to look at the recent accusations of cyber involvement of Russia in the 2016 US elections to see the story with which we’ve become familiar: no matter what the truth is, the accusations are plentiful, but clearly denied by the Russian state.
But the narrative is shifting - former President Barack Obama’s official response to those attacks hinted at what is to come when he stated: “We need to take action, and we will at a time and place of our choosing.” Aside from the politics here, this is a clear break from the traditional rhetoric; should we now begin to accept that, to defend ourselves, we sometimes need to strike?
This acknowledgement is not unique to the US Government, either. In 2016 the UK Government also started to change its tone when detailed plans emerged to move the UK to “active cyber-defence”, to better protect Government networks and improve the UK’s overall security.
Similarly, last year we also witnessed an update to NATO’s defensive mandate, stating that “Cyber defence is part of NATO’s core task of collective defence”, and that NATO “Recognises cyber-space as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land, and at sea.” (See paragraphs 70 and 71 here for more.)
With governments across the globe seemingly willing to state that they will act to combat cyber-attacks, how long it will be before we see the obvious effects on critical national infrastructure is anyone’s guess. When will we witness the first confirmation that a government’s cyber-security teams have deliberately targeted another state’s networks?
It seems we are now in an era where this is no longer considered taboo: the networks and data systems that all form part of the fabric of a nation’s critical infrastructure present a viable and visible target to an aggressor.
In September 1941, US President Roosevelt delivered a famous speech in a ‘fireside chat’ to the nation in which he said “When you see a rattlesnake poised to strike, you do not wait until he has struck to crush him,” and that “The time for active defence is now.” Just 3 months later the US was fully involved in World War II. This is a perfect example from history of political rhetoric then becoming proactive action to defend a nation.
The rhetoric is changing now, as well, and it is therefore prudent to ensure that we take the appropriate steps to defend our businesses, infrastructure, and even our livelihoods, beyond what we have to date.
All this is happening at a time of great change in the computing models we use today, so we need to take advantage of this opportunity. We won’t be able to bolt on solutions afterwards. It will be too late, too cumbersome, too complex to implement. We need to embed security into the networks of the future, ensuring that automated, intelligent security is a fundamental part of building the critical infrastructure of the future. We may very well depend upon it.