It seems we can't go a day without hearing something about cyber threats or cyber war in the mainstream press. But what's the reality?
The World Economic Forum (WEF) published its annual report on global risks in advance of the WEF Annual Meeting 2011 this week in Davos. Cyber security (encompassing online data and information security and critical information infrastructure breakdown) was listed as one of five "risks to watch", which "may surprise or overwhelm us" due to varying levels of confidence in the likelihood of significant impact but which "experts considered may have severe, unexpected or under appreciated consequences". The report discusses cyber theft, cyber espionage, cyber war and cyber terrorism specifically, but also warns about design flaws in internet-connected smart systems. Cyber security doesn't, however, make it into the report's Top 10 risks by likelihood and impact combined (Table 5, page 44).
Meanwhile, the Organisation for Economic Co-operation and Development (OECD) published a report, Reducing Systemic Cybersecurity Risk. This is an output of the OECD Future Global Shocks project, which is looking at options for governments to enhance capacity to identify, anticipate, control, contain and/or mitigate large disasters. The report is at a greater level of detail than the high-level WEF document. The report concludes that very few single cyber-related events have the capacity to cause a global shock, but that governments should make detailed preparations to withstand and recover from a wide range of unwanted accidental and deliberate cyber events. Most breaches of cyber security (e.g. malware infestations, distributed denial of service, espionage, actions of criminals, recreational hackers and hacktivists) are expected to be relatively localised and short-term in impact.
Comforted? Remember that "local and short term" on a world leader's global scale might be the whole of your business or market. Assess the risks, and make decisions based on your own context.
If you want further advice on dealing with cyber security incidents, last week the European Network and Information Security Agency (ENISA) published its Good Practice Guide for Incident Management. Although it is aimed at national/governmental Computer Emergency Response Teams (CERTs), it contains good practices, practical information and guidelines for the management of network and information security incidents which are of use to a wider audience. See also the NIST Special Publications (800 Series) for more documents like this.
Posted on: 28 January 2011 at 08:46 hrs