Cyber-war risk is exaggerated, says OECD study

While governments need to be prepared for cyberthreats, the risk of a large-scale, long-term cyber disruption is minimal, according to an OECD study

While governments need to prepare for cyberattacks such as espionage or malware, the likelihood of a sophisticated attack like Stuxnet is small, according to a study by the Organisation for Economic Co-operation and Development.

Professor Peter Sommer is the co-author of a report on cybersecurity for the OECD. Photo credit: Peter Sommer

In a cyber-warfare report released on Monday, the OECD said that the risk of a catastrophic attack on critical national systems has been exaggerated. The majority of cyberattacks are low level and cause inconvenience rather than serious or long-term disruption, according to report co-author professor Peter Sommer of the London School of Economics.

"There are many scare stories, which, when you test, don't actually pan out," Sommer said. "When you analyse malware, a lot is likely to be short term, or fail."

Sophisticated malware such as Stuxnet, which targets industrial control processes, is the exception, not the norm, according to Sommer. Stuxnet used a number of zero-day vulnerabilities to reach programmable logic controllers that governed frequency converter drives, devices used mainly to regulate motor speed in uranium-enrichment facilities.

Policy makers should be aware that a number of different cyber-events, disasters or physical attacks could come together to create a "perfect storm", says the report. However, a pure cyber-war would be unlikely to occur, with attacks on computer systems more likely to be used in conjunction with other, physical types of attacks.

Shades of meaning
At the root of the exaggeration problem is a lack of shades of meaning in the language used by cybersecurity bodies to describe attacks, according to the report.

"An attack or an incident can include anything from an easily identified phishing attempt to obtain passwords, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught," the authors state.

The UK government, intelligence services and military are in danger of making inaccurate analyses of the cyber-risk to critical systems if the severity of different types of malware is not taken into account, said Sommer.

The UK government is subject to thousands of cyberattacks per month, Iain Lobban, director of signals intelligence agency GCHQ, said in October. However, Lobban did not indicate the ratio of unsuccessful or crude attacks to successful or sophisticated attacks.

"He's a serious man, but what one wants to know is, are the attacks on government picked up by antivirus and email filtering?" said Sommer. "What sort of crime are you talking about? If you're just talking generally about attacks, then statistics are meaningless... If you use exaggerated language, you're highly unlikely to come up with good risk analysis and management."

Sommer said that the military in the US and the UK are keen to take part in the defence of critical national infrastructure. However, this raises the problem that most of the UK national infrastructure is in private hands, he added.

The government announced in October that the Ministry of Defence is to take on a bigger role in cybersecurity defence.
