The text that follows is a short statement I prepared for the press ahead of my presentation at the International Conference on Cyber Conflict (http://www.ccdcoe.org/ICCC/) in Tallinn, Estonia. It felt like I had a very mixed response, so I'd be interested to hear what others think…
In the piece that follows I will make five basic hypotheses, namely:
This fact is graphically illustrated by the apparent success of the Stuxnet attack against the Iranian nuclear enrichment program at Natanz. By all accounts Stuxnet was a devastatingly successful attack launched by one nation or group of nations against key national infrastructure of another nation. It bypassed all reasonable security controls and could easily have been more destructive, potentially even causing loss of life. All that at the measly price of between $500,000 and $2 million - apparently less than what the US Air Force currently spends in a day.
When it comes to securing an entire country against a well-funded and well-equipped adversary this is even more true, because governments have a dependency on systems and infrastructure for banking, administration, utilities, industry and communications that they do not control. Security in many of these industries is still very poor and, even if governments did apply themselves to improving security as a matter of national policy, I would argue that it may already be too late and that many systems are already compromised by malicious software, some of which will be too sophisticated to detect and remove on the scale required.
A simple analogy for what I'm saying here can be seen in the recent Wikileaks saga. We tend to think of the Wikileaks saga in terms of Julian Assange and the 'leak', but really what we should be considering is the fact that over 500,000 people apparently had access to the so-called 'secret' documents that Assange ultimately released to the world. It's a problem of scope: how can a government hope to protect something that is being accessed by half a million people, and how can we begin to believe that, with that level of exposure, the security of SIPRNET hadn't already been breached multiple times before?
Now you can see why information warfare is asymmetrical and why it is almost impossible for an entire country to defend itself. This is the core element of my hypothesis this week.
If my government were to approach me and ask: "How can we defend ourselves in this new realm of cyber warfare?" I would have to answer: "We can't". So what option is left to South Africa? Either we can ignore the problem and hope it goes away, or possibly we can develop our own offensive capability to act as a deterrent to would-be attackers. I'm not sure whether this strategy would work, but I do believe that it would at least be feasible to implement, which a defensive strategy is ultimately not. If you accept our previous assertion that a capability like Stuxnet could be developed for just a few million dollars, then even South Africa could afford to get in on the cyber warfare game and potentially strike a few retaliatory blows against its enemies or would-be enemies and thereby maintain a kind of uncomfortable peace. Rather than developing such a capability, we could acquire one commercially, or possibly join a treaty to obtain one, but it strikes me as basically the same thing.
I've argued that this new reality poses a real national-security challenge to small and emerging countries like South Africa that are 'connected' but can never really be sufficiently 'protected' to defend themselves against a well-funded adversary. I surmised that this is true (to a greater or lesser extent) for all countries, no matter how large or powerful.
If this analysis is accurate then it is my opinion that countries have two options going forward. Now, I am no military or political scientist so my domain of expertise is being severely stretched here, but the two options I see are:
I love this view of the future as it resonates deeply with the original hacker ethos in which I was 'raised', but I have to confess that I struggle to imagine it being real.
In the second model countries will endeavor to defend themselves by building deterrents - tools of mass cyber destruction aimed at their enemies with the threat of destructive digital force. As history showed us during the Cold War, it seems to me that this approach will ultimately reach a kind of digital stand-off in which no single country can afford to unleash its weapons for fear of also destroying itself, and the conflict will be reduced to an endless series of spy-vs-spy intrigues and counter-intrigues that will play out in the computers of every government, business, school and even home in the world.
There may be a third option, but if there is I fail to see it. One thing is clear: unless governments, NGOs, thinkers like Tom Wingfield and other leaders act quickly to highlight and address these challenges, then history will take its inevitable course and my colleagues and I will soon all be wearing uniforms and working for the military.