MPs warn the government not to underestimate the impact of e-crime and cyber attacks by hostile states. But have the risks been exaggerated?
The Home Affairs Select Committee’s new report on cyber crime warns: “The threat to national security from cyber attacks is real and growing.”
The influential cross-party group notes that Britain’s National Security Strategy makes cyber crime a top priority Tier 1 threat, on a par with international terrorism and military crisis, and a higher risk category than nuclear attack.
The committee says: “Terrorists, rogue states and cyber criminals are among those targeting computer systems in the UK.”
Cyber crime can range from low-level phishing scams where crooks target credit card details to large-scale attacks on infrastructure carried out by hostile foreign powers.
The select committee says the whole spectrum of threat is important, and warns that there is a “black hole” where petty online crime is carried out with impunity, with banks simply reimbursing fraud victims and not bothering to report crimes to the authorities.
The committee heard evidence that there are organised gangs based in about 25 countries, mostly in eastern Europe, who get most of their income from cyber fraud and predominantly target the UK.
At the other end of the scale is industrial espionage carried out by states and sabotage carried out for political purposes, which could pose a threat to UK infrastructure.
Last month the government GCHQ and MI5 officials said they are tracking about 70 acts of cyber espionage a month against UK businesses, many of them the work of foreign intelligence agencies.
The official estimate of the cost of cyber crime to the UK is £27bn, but that figure has been greeted with widespread scepticism. The internet security giant Norton puts the global cost at $388bn dollars – more than the annual value of the trade in heroin, cocaine and cannabis combined.
The intelligence community is increasingly concerned about the risk of full-blown cyber warfare, where state-sponsored hackers launch attacks against networks in hostile countries.
The line between acquisitive crime and military espionage can be blurry. While internet security experts Symantec provide a wealth of detail about attack techniques, but they stress that “proving attribution and motive are not easy, even when someone claims responsibility”.
One of the first accusations of cyber warfare came in 2007, when Estonia claimed that neighbouring Russia was behind a massive co-ordinated attack on banks, government departments and the media in the tiny Baltic state.
The campaign caused chaos but little lasting damage to the national infrastructure.
The game-changer came in 2010 when a sophisticated computer worm called Stuxnet infected the software used to control the motors of centrifuges in several Iranian nuclear plants.
The worm – widely alleged to be the work of the US, with the possible involvement of Israel – apparently made the centrifuges speed more quickly then slow down, damaging up to 1,000 moving parts.
The Stuxnet attack did not appear to significantly disrupt Iran’s efforts to produce enriched uranium, but it is thought to be the first time a cyber attack managed to cause physical harm to a country’s infrastructure.
Could similar worms be used to target power stations, the electricity grid, dams or air traffic control systems in a spectacular attack?
Many experts are sceptical, based on the sheer logistics. Analysts say the Stuxnet attack required several teams of specialists, a network of agents and top-level intelligence about the target. Even then, it failed to make much of a dent in Iran’s nuclear programme.
MI6’s former Director for Operations and Intelligence Nigel Inkster says more than 30 states have the means and the will to launch cyber attacks, but adds: “Before getting too panicked, we should recall that no one has yet died as a result of such activity in the cyber domain.
“And physical damage from cyberattacks is still rare. Stuxnet was an exception, but deployed on the back of a meticulous intelligence analysis and not easily replicated.”
The only act of cyber warfare that has ever caused physical damage was an American attack against Iran’s nuclear programme. Dr Thomas Rid
Dr Thomas Rid from King’s College London told Channel 4 News: “If you look at the potential damage there is no comparison to a nuclear attack. The worst case wouldn’t remotely come close to a nuclear attack.
“It’s actually pretty simple. The only act of cyber warfare that has ever caused physical damage was an American attack against Iran’s nuclear programme.”
The resources, expertise and intelligence needed to plan Stuxnet mean pulling off a similar attack in the UK is currently beyond the reach of terrorist groups like al-Qaeda, he added.
“At this point in time it is safe to say that it is unlikely to happen any time soon. Let’s keep this in perspective. It is actually quite difficult to do damage, even with a large-scale attack.
“And what would happen? The lights would go out for a while. Would they think that was a high-profile attack, compared to a bomb in a major city in the UK?”
Cyber warfare is increasingly a preoccupation for America’s four-star generals, but there seems little appetite on this side of the Atlantic for the militarisation of cyber space.
Under General Keith Alexander, America’s National Security Agency has grown in size and power. Alexander has openly said that he has 13 “offensive teams” ready to devise ways of attacking America’s enemies.
US Defense Secretary Leon Panetta ratched up the war rhetoric when he warned of America falling victim to a “cyber-Pearl Harbour”.
By contrast, the extra £640m the British government has pumped into cyber security will stay out of the hands of the armed forces. It will be carved up between the intelligence services and the police, with GCHQ getting nearly 60 per cent.
The cross-bench Intelligence and Security Committee, which oversees the work of MI5, MI6 and GCHQ, has talked about other countries putting “vast” resources into cyber security, with 4,000 more personnel to join the US cyber command.
But the committee acknowledged that Britain “cannot hope to match the resources of the US” and restricted itself to recommending that the government “consider whether more resources are needed”.
In its 2011/12 annual report the committee called for the British intelligence community to consider a more aggressive approach and consider using worms like Stuxnet to go on the offensive against Britain’s enemies.
In its latest report the talk of developing an offensive capability was quietly dropped. If cyber warfare really is the future, there appears to be little appetite for Britain to be seen as a combatant.