Governments should formulate a doctrine, similar to the Cold War-era principle of nuclear deterrence, to stave off cyberattacks, according to former US Department of Homeland Security secretary Michael Chertoff.
'Rules of the road' for dealing with cyberattacks should include agreed principles on how to react to sustained cyberattacks on critical national infrastructure, Chertoff told a press conference at RSA Conference Europe on Thursday. "[President Eisenhower's workshopping exercise] Project Solarium gave us the theory of deterrence, where rules of the road were clearly understood," he said. "An attack on the US or its allies with a nuclear weapon would be responded to with overwhelming force."
Chertoff told ZDNet UK at the conference that cyberattacks on critical national infrastructure could put thousands of people at risk. "I can envision attacks with catastrophic consequences, with serious loss of life," said Chertoff. "If someone took down an air-traffic control system, we would have devastating loss of life."
Chertoff said countries should be able to respond to cyberattacks "with overwhelming force". He conceded to ZDNet UK that ultimate attribution was difficult for cyberattacks, but said nation states should be able to act against technologies in countries being used as a platform for attack, regardless of whether that country itself is behind the attack.
"If you have a persistent series of attacks on critical national infrastructure, then you could make the argument that incapacitating the platform used to attack is something that you have to do," Chertoff told ZDNet UK. "If you take the rule that attacks against critical infrastructure enable you to take action against that proximate platform, that would give countries an incentive to take action to secure their platforms."
"[Cybersecurity] is not a theoretical problem, this is a real problem," said Chertoff. "If we don't address this, then one day we'll have an event so catastrophic that it's difficult to shrug off."
National Air Traffic Services (Nats), the UK's main air-traffic control authority, told ZDNet UK on Thursday that it regularly reviews the security of its software and systems. "We are aware of the increasing threat posed to cybersecurity and our countermeasures are reviewed accordingly," said a Nats spokeswoman.
Successful attacks on air-traffic control systems are feasible, security expert and author Ira Winkler told ZDNet UK on Thursday. "The fact is that information security was never designed into air-traffic control systems," said Winkler.
Winkler pointed out that air-traffic systems were open enough to hand data over between different air-traffic control authorities, and that in the US a number of system updates had failed. He added that it was theoretically possible to break into databases that pinpoint the position of planes, and alter the data.
"You can manipulate the background databases, and air-traffic controllers won't see anything [amiss]," said Winkler. "It's not easy, but not impossible."