The proliferation of the cases of cyber-attacks and their increasing sophistication have demonstrated that the Internet has become a major hub of defence and security concerns. In the space of a few short years, we moved from the era of the “hacker”, the DIY computer whiz kids motivated by more or less dubious intentions, to the age of professionals drawing on the Internet to carry out illegal operations (embezzlement, data theft, sabotage, misinformation or destabilisation). Today, we are embarking on the era of “cyber weaponry”. The solitary geek has been transformed into a team of high-level engineers whose objective is to define sophisticated attack strategies with very specific effects. The recent “Stuxnet” computer worm, of unknown origin but extremely sophisticated, is a good illustration of this latest trend.
We can predict, with little fear of contradiction, that the cyber-world will very quickly take shape as a new strategic dimension (as space was 50 years ago) where new conflicts – symmetrical or asymmetrical, low or high intensity – will make their appearance.
Furthermore, the recent Albright report places “cyber-assaults” in third position behind the risk of terrorism and the threat of missile attack in the hierarchy of threats to NATO countries between now and 2020.
In the face of the rapid growth in sophistication of such attacks, new defensive strategies need to be put in place.
From passive cyber-defence to active cyber-security
Historically, the first line of defence consists in deploying a firewall and an antivirus system. Even though these protections are still vital today, they are no longer sufficient to guarantee preservation of “critical” assets (not least because anti-virus protection is only efficient against “known” viruses, i.e. those that have already been propagated).
Another defensive mechanism consists of “isolating” networks, based on the principle that if a network was not connected to the outside world it could not be attacked. Recent events have shown this not to be true. In fact, all it takes is a USB stick carrying malicious code for the entire network – however “isolated” it may be – to be paralysed. This stems principally from the fact that practically all networks use the same technologies (Windows, TCP/IP, etc.) and are therefore all equally vulnerable.
These traditional approaches of “passive defence” are therefore proving insufficient today to guarantee the security of critical and/or governmental networks. The security of these systems – whether they are interconnected or not – now requires in-depth active defence, based on detecting cyber-attacks as early as possible.
This is at the heart of an efficient cyber-security policy. It is a point, moreover, that was underlined by the US Deputy Secretary of Defence, William J. Lynn, speaking on September 15 in Brussels, who described this notion of active defence as the second pillar of US cyber-security policy.
Vital relations between the State and trusted manufacturers
Protecting oneself against these new cyber-threats requires establishing a doctrine, defining a specific mode of organisation, setting aside dedicated capacity and identifying the skill sets needed. Even though it appears axiomatic that the State itself, with its sovereign prerogatives, should be at the heart of this mechanism, the involvement of trusted manufacturers that possess genuine technological excellence in this domain would seem equally indispensable.
Indeed, detecting the attacks, collecting and analysing in real time the events generated by the components of a system, and correlating all this information in order to obtain a perception of the risk that may need to be addressed, all require a comprehensive set of aptitudes and the capability of orchestrating them in a coherent fashion.
This observation has culminated in the creation of cyber-security operational centres. Operating 24/7, their objective is to permanently supervise critical governmental or private networks and provide a global overview of the situation. They are also, of course, in the first line of the orchestration of the defence systems when an attack takes place. Thales currently operates such a centre in France; the trend is to see more and more of this type of solution, at least at the level of each sovereign State.
Avoiding strategic surprises
The “cyber-world” is, it is plain to see, the site of numerous game-changing breakthroughs, not only technological but also strategic.
This means that, today, a cyber-attack would be extremely rapid and would no doubt cause serious real-life damage (consider the results of an attack on the railway control systems, the flight control systems or the systems for managing refineries or power stations). Furthermore, and this is another characteristic of the cyber-attack, it has always to date been impossible to formally identify the origin of a cyber-attack. This is because there is nothing to guarantee that the computers perceived as being at the source of the attack are not themselves being controlled by a third party. Also, the attack often originates not from one single source but from multiple computers in the form of “botnets”, a kind of “cyber-zombie” remotely controlled by the instigator of the action.
Strategic surprises (examples being the French military debacle in 1940 faced with the German army, or else the more recent attacks of 9/11) are often due to the inability to imagine crises outside of box of the known and mastered frameworks. The issue is not so much in detecting low-level signals as in appreciating cases of nonconformity. A cyber-attack would undoubtedly constitute a major strategic upheaval confronting States that were not on their guard and which failed to appreciate the risks of such a conflict for their economy and their freedom.