I'm convinced that cyber "war" is not going to happen - that is, hacking is not going to become a well-known way of killing people. However, I wouldn't be so quick to say that not a single person will ever be killed through a cyber attack. SCADA software is still largely unsecured, after all. There are still hackable pacemakers out there. Hacking won't be a weapon of war, but it could still occasionally be a weapon of murder or terrorism. After the first few such attacks, however, proper security will become widespread in life-critical systems, and that will make cyber-murder even more unlikely.
People worried about a cyber-war should calm down and stop worrying because it will never happen, a war studies academic has said. In the paper Cyber War Will Not Take Place Dr Thomas Rid confidently argues that hacking and computer viruses never actually kill people. An act of war must have the potential to be lethal, says Dr …
Thursday 20th October 2011 10:05 GMT Paul Crawford
Indeed, it is doubtful that it would ever be more useful than addition to conventional warfare (e.g. take down defence or support systems as part of an attack, etc) but probably will kill someone at some point.
Just now it looks attractive as a terrorist tactic (state or group) partly due to the fact people are so easily scared you don't have to achieve much to cause panic, but also due to the easy of covering up just who was behind it.
But hopefully we will see the bosses of key infrastructure being lead to gaol for criminal negligence for having the likes of an unpatched Windows box running buggy software linked to the Internet which made it all possible.
Not because malicious damage was possible, it always was and will be, but because they did what only a moron would in terms of known security practice and made it easy to do remotely.
Thursday 20th October 2011 14:51 GMT Rob Dobs
Myopic, and sounds like military in 1900's that had no interest in planes
As mentioned here already Stuxnet was an obvious Act of war against Iran, and Iran is claiming that it took the lives of several of their engineers so its supposedly already happened (though yet unvalidated).
Key-loggers have also ALREADY been found on the operational computers of US predator drones (because the operators were surfing bad sites - forchristssake !!) shows that these computers can be compromised and have Internet Access. Though the drones couldn't reach the US/UK from where they are deployed, they could be flown to enemy camps and landed safely for reverse engineering, or simply turned back around and strike local US/UN troops causing MASSIVE casualties.
I would think it impossible, but now that I hear that other military ordinance control systems have access to the Internet (see drones above) I am not so convinced that a War Games type situation isn't possible (where someone hacks into systems via net and launches nuclear missiles). Even if the U.S. is protected from this, are France, China, , India (where apparently monkeys steal paperwork from their parliament) or even Iran or Pakistan? All it would take is for one country to get compromised, and launch a few missiles at US/Russia to start an all-out Nuke Fest. And if not a Nuclear missile, there are patriot missile batteries that could be compromised, as well as the missiles on other crafts that could be forced launched through hacked software.
Acts of war can include taking out satellites and communications, hacking a placing compromising careering ending material on a politicians personal PC, etc etc.
Large fatalities could be realized from simply hacking and bringing down the US power grid, especially during January during a blizzard, where many would freeze, or in August during a heatwave where many would die from heat exhaustion. Naturally occurring power outage in Winter and Heat waves have killed hundreds of people in some cities, the effect would be much worse if multiple cities in the same region were all incapacitated in unison.
This doesn't even begin to touch on some of the more fringe theories, like hacking ground control systems of Airports and crashing multiple flights into nearby office buildings, or hacking transit systems to run trains off the tracks. While these are outlandish, they are by no means impossible.
There are many more real threats that I can think of, but most of the above have already been discussed in movies or the press. The ones that haven't..well I'm not going to be the idiot who gives them ideas.
-bomb of course cause W.O.P.P.E.R will kill us all.
Thursday 20th October 2011 08:30 GMT Anonymous Coward
If stuxnet can cause physical damage to iranian centrifuges by spinning them out of control, then it is clear that physical damages can be caused by hacking and viruses. It does not seem a particularly big stretch from that to conceive of attacks which could cause physical damage that could kill people - not just weapons systems themselves, but attacks on air traffic control, airplane controls, rail networks, power stations, water purification systems and so on. One might imagine nuclear centrifuges would be a far more protected target than most of those.
Thursday 20th October 2011 21:28 GMT nyelvmark
Imagine if the Russians were able to take over a car factory full of robots. They could organise the robots into an army and attack parliament. Then the robots could occupy parliament, declare themselves the government and start making cold, callous laws that fail to take human dignity into account.
It is possible that this has already happened.
Thursday 20th October 2011 08:30 GMT Anonymous Coward
Still a little worried ...
I understand what he's getting at, and it is good to see some realism for a change. However, as the last line of the article suggests, he is being a bit simplistic.
Lethality isn't a deciding factor. What matters more are impact, who is doing it and why. The term “Sabotage” generally implies one state acting against another's capabilities. If a state engages in multiple acts of digital sabotage such that another state's infrastructure is seriously impaired, then how can it be anything other than an act of war?
Perhaps the test is simply this : if the attack, no matter what form it takes, is instigated by another state and is so serious that the victim would be justified in using destructive force to curtail it, then there is implicitly a state of war between them.
Thursday 20th October 2011 10:04 GMT Arctic fox
@JustaKOS I think that the gentleman is dealing to some extent in semantics.
"if the attack, no matter what form it takes, is instigated by another state and is so serious that the victim would be justified in using destructive force to curtail it, then there is implicitly a state of war between them."
That indeed is the nub of the issue. Is a state going to launch a cyber-attack which could cause significant damage (albeit without causing human casualties in the *direct* sense) on another state who *does* have the technology to reply in kind - likely not, a sort of new style MAD scenario. However, what if state A (believing that it can conceal the source of the attack) launches an attack on state B (who whilst not having "cyber capacity" *is* in a position to respond militarily ) which causes a great deal of damage and state B *does* succeed in identifying the culprit? How will state B respond, especially if the attack is ongoing and continuing to do more and more damage? The only option state B would have to defend itself might be a military response. The fact of the matter is that one can imagine several logical scenarios (of which mine is only one) where a cyber-attack would *lead to* actual large scale casualties.
Friday 21st October 2011 16:12 GMT Rob Dobs
you assume that State A can't make a massive technological attack against State B, without being identified. This is completely possible, just look how much organized crime acts on the internet with impunity and almost never seems to be trackable, or able to be prosecuted.
Even worse If State A attacks State B and makes it appear that State C is the culprit.
I am sure for the right money Russia or Pakistan could easily lease some government associated IP address space in China from a greedy military official, ship in a few dozen servers, and launch there attack against the US from there, (with all the programs, documentation etc in Chinese language)
America goes after China, and Russia/Pakistan sits back and watched their two enemies destroy each other.
Even more likely What if State A initiating the attack isn't even a State. Say it is a terrorist organization or a hacker collective with an agenda. You don't think with 2 billion Chinese people able to steal technology to their hearts content, that a few dozen cant become prolific hackers and band together to attack foreign nations (or even their own)? History and literature is full of examples of those who would profit from or just see a warped justice in inciting another country or their own to start war.
Friday 21st October 2011 23:10 GMT Anonymous Coward
As you say, there are many ways in which attacks can be instigated by one state against another, while hiding guilt. There are many other possibilities from terrorism down to 'larking about', and it is right for the UK government to ensure that we have the best defensive capability possible - and also to have an effective offensive capability, just in case it is needed.
My post above was specifically concerned with the hypothetical case where an attack is instigated by the UK against another state.
The issue here is what constraints there are on such action. If it is semantically argued away as 'not war', then it is conceivable that action with potentially serious consequences (not just for the target, but also for us) could be instigated without the proper level of oversight and approval . That, to me, is an extremely dangerous proposition.
Call it what it is - warfare - and make sure that it is subject to the same approval and control as warfare with bombs. Then at least we might keep out of the shit and stay on the right side of international law.
Thursday 20th October 2011 08:31 GMT Anonymous Coward
Thursday 20th October 2011 08:33 GMT Will Godfrey
Thursday 20th October 2011 12:33 GMT DZ-Jay
His point is that we should put as much attention on so-called "cyber attacks" as we put on other forms of sabotage and subversion, because it is just another facet of them.
In other words, we should not worry about "cyber wars" as a brand new category; we should worry about the risk of "cyber war" in the same way that we worry about the risk of a traditional war with any antagonising state.
Wednesday 26th October 2011 08:33 GMT veti
I for one find it refreshing
It's good to see a "subject expert" who *isn't* making a pitch for himself to be given a budget of billions and a staff of hundreds to spend the next 20 years countering some threat that he's just pulled out of his arse.
Compare and contrast:
Thursday 20th October 2011 08:35 GMT jubtastic1
Duck and cover
There was a first time for every new technology used in warfare, to argue that because X hasn't happened yet it never will seems remarkably reckless, especially in these days of Stuxnet, daily intrusions by the PLA and rumours that the US considered hacking Gaddafi's air defences.
At this point I think it's a given that most if not all industrialised nations have cyber warfare divisions, that the Yanks are better than the Chinese because they don't get caught as often (and when they do pretty sophisticated code is uncovered), I'd also posit that the civilian systems that ensure humans around the globe are fed, watered, warm and happy are riddled with bugs that the aforementioned agencies have spent the last 5 years discovering, weaponising and filing away for a rainy day.
This guy is on crack, we will certainly see SoftWar cause human casualties at some point, agree that there's no sense worrying about it though.
Thursday 20th October 2011 10:08 GMT amanfromMars 1
Prize Bull still Stinks to High Heaven even whenever it is Claimed as Academic Produce
Good Morning, Anna Leach and El Regers,
Regarding ….." People worried about a cyber-war should calm down and stop worrying because it will never happen, a war studies academic has said. In the paper Cyber War Will Not Take Place Dr Thomas Rid confidently argues that hacking and computer viruses never actually kill people.
An act of war must have the potential to be lethal, says Dr Rid, of King's College London, writing in The Journal of Strategic Studies, but hacking and cyber-attacks have much more in common with spying than, say, nuclear bombs." …. what is one to make the credibility of war studies academic, Dr Thomas Rid, whenever one can also read here ….. http://www.raytheon.com/technology_today/2010_i1/feature_1.html the following seemingly polar opposite view …… "Referring to cyberattacks, Air Force Gen. Kevin P. Chilton, the commander of U.S. Strategic Command, told reporters on May 7, 2009, “The Law of Armed Conflict will apply to this domain.”"
And who doesn't know that the US are the principle war-mongers on the planet and are ready willing and able to sacrifice American lives and collapse capitalistic, military industrial complex dependent economies, on any fanciful pretext and dodgy dossier they can dream up and present to the dumb media as a reality to pursue/fabrication to wage war on?
People kill people surely, but there are many stupid idiots who will kill and many other stupid idiots who will give others orders to kill and go to war, because of a simple hack or computer virus that exposes their systems secrets to view and derision or whatever.
The Doc couldn't be more wrong in the real world and his assertion there is dangerously misleading and in need of retraction, and to argue that he was not referring to people action because of a hack or a computer virus attack on a command and control system isn't going to hack it.
You gotta get out more, Doc, you aint living in the real world even if it is controlled by IT and therefore extraordinarily rendered a Virtual Reality Playground for AI and Programmmers in and into Live Operational Virtual Environments. ….. Really SMART Applications ProgramMING.
Thursday 20th October 2011 10:13 GMT Anonymous Coward
nah, it's never gonna happen
I think I have seen this argument in history books before, and spoken confidently by people more famous than Dr Rid. Like that one, that the man will never be able to take to the skies, or that the machine gun would cause such unthinkable slaughter on the battlefield, that no-one would dare use it. Ouch. There was also something about cloning, etc. etc.
Dr Rid seems to follow this silly notion that if something hasn't been done before, it won't be. Yet he forgets we're talking those 6 billion (and counting) clever bi-pods with grey matter between their ears, generating those wonderful ideas all the time, a lot of them revolving around how to find a new way to kill other bi-pods, quickly, painlessly - or otherwise. Give them enough technology and they will a way, sooner than later.
Thursday 20th October 2011 10:13 GMT LucasNorth
Dr Rid seems to assume that as it would just be our gadgets that get taken out then it wouldn't be lethal and thus not a real act of war. Well I would like to know how many people would die if GPS was taken out and the ambulance service couldn't get directions. Or the traffic signal controls were taken out and they got stuck in traffic. They are not much more than gadgets but people would certainly die. Not saying it is going to happen but it is a lot more plausible than the Dr makes out
Thursday 20th October 2011 10:14 GMT Anonymous Coward
Thursday 20th October 2011 11:24 GMT stucs201
Thursday 20th October 2011 14:49 GMT amanfromMars 1
Thank God for Pirate Bays and Torrent Streams
Some would say that you are more likely to be as extras to a "Colossus, the Forbin Project " type scenario.
And should you Google that and end up watching a YouTube offering, please be warned that film length is around the usual 90 mins. One video shows you only around 65 minutes and that is a tad frustrating, for it ends when you are hooked on what is going to happen. :-)
Thursday 20th October 2011 10:35 GMT Anonymous Coward
Thursday 20th October 2011 11:12 GMT Eddie Edwards
The possibility of a hacked control system causing a reactor meltdown seems plausible enough to me that it would take more than some hand-waving to convince me it's completely 100% impossible under all circumstances.
In fact, can people stop saying things are impossible? The only impossible thing I know of is to prove a negative outside of a carefully delineated mathematical model. I mean, as far as logical impossibilities go, God might still exist, and I bet God could start a fucking cyberwar.
Thursday 20th October 2011 11:27 GMT Vladimir Plouzhnikov
No need to worry about hackers
"Almost everybody has an iPhone"
There, he said it. A much more realistic scenario - Apple's CEO gets pissed one day and instructs bricking of all iPhones and eyeBads unless he is declared the Supreme President of the Whole World.
They have all the means to do it and they can do it at any time and it will be perfectly legal.
Also, Gabe Newel, can easily take crowbar to Steam servers when he realises that he will never be able to finish Episode 3.
Also, Sony can brick all PS3s.
Also, BDLA can brick all BD players.
Also... the list can go on and on.
The danger is coming not from some PFY hackers but from the inside of our society. I could say that fanboys of all kinds are the carriers of the disease, but I won't :-)
Thursday 20th October 2011 11:45 GMT Edward Clarke
Thursday 20th October 2011 12:24 GMT Anonymous Coward
Worry about financial "warfare" instead...
It has been predicted around the 1990's already; "In the near future military might will become less important than financial might. Be weary of the growing financial powers and their influences in the world" (roughly translated).
And when you look around you now I'd say it holds much truth. With the current recessions going on in the US (which is heading for a MAJOR problem IMO) and Europe (which has a hard time keeping the pact together) there is a laughing 3rd party: Asia. Which slowly has build quite a few financial ties into both the US and Europe.
Don't get me wrong... I think cyberwar fare can be very lethal if done right, and it is an important factor to keep in mind (just look at what happened to Estonia; a country which has fully adopted the Internet. Its being used by the politicians to communicate, by the news agencies to bring out the stories and all at a scale some of the modern Western countries can't even dream off). And when they suffered from a cyber attack it actually did result in chaos and had a very lethal aspect to it.
But having said that; I'd worry more about the financial aspects here.
Thursday 20th October 2011 14:35 GMT Anonymous Coward
beg to differ
I've worked in a hospital before when a virus (can't remember the name of it now, a good 7 years back if not longer, the one that targeted SVCHOST and shut your pc down after 20 seconds) completely ransacked the systems.
The helpdesk were getting smashed by callers not being able to use their PC, and then all went quiet as word got out there was nothing IT could do.
Two hours later and the calls started coming in again. If the systems weren't back online in the next few hour’s patients were going to start dying as nurses needed to access drug allocation systems.
I'm not sure if patients did actually cop it, if they did the trust did a bloody good job of keeping it quiet as it would have most certainly have made the local if not national news.
Whilst one may not directly be able to kill someone through the use of cyber warfare you can knock off a shit load of more people quicker than you could through the use of germ warfare.
Thursday 20th October 2011 14:37 GMT Eradicate all BB entrants
He watched the wrong movie
He should have watched Die Hard 2 for a clear example of a hack being directly responsible for a number of deaths. Knocking the ILS off by a few hundred feet to destroy a whole plane full of people with bad british accents.
And he should also know anything featuring Officer John McLane is a 100% factual documentary and not a fictional movie.
Thursday 20th October 2011 14:43 GMT sisk
In a simulated attack (run by the US government), hackers were able to shut down the entire US power grid and huge chunk of the rest of the utilities in three days. Doubtless in that situation some people will die. And it would be even easier to induce a panic which leads to rioting and mob violence. I agree it's unlikely that it will ever actually happen, but it very well could.
Thursday 20th October 2011 14:48 GMT A J Stiles
If you have a piece of obscure, proprietary technology connected to the public Internet and which, by its failure, could cause loss of life, then there is the potential for a lethal cyber-attack.
And when you have people in charge who like "shiny" and who don't know why "obscure and proprietary" is bad, the above scenario begins looking a lot less far-fetched.
Thursday 20th October 2011 14:48 GMT sixstringartist
How Naive can you be?
Clearly cyber attacks can kill. Software errors have caused deaths in a number of reported cases, the only difference between these and an attack is the intentions of the creators. Hackable automatic insulin pump are already being used and the manufacturer refused to fix the vulnerability.
Imagine an attack that disrupted all air traffic control communications, or worse, created false readings and misinformation for the controllers. Imagine an attack on a water treatment facility that pumped contaminated water in the main supply.
You, Dr. Rid, are exactly the type of small minded individual that would prevent us from preparing against such attacks. It only takes one well placed bullet to start a war, and cyber attacks can do more damage than a bullet.
Friday 21st October 2011 12:23 GMT Tom 13
The problem isn't the water supply*,
or the air traffic control system, or the electric grid, or the chemical plants (including ga/petrol). The problem is what happens when they hit all of the above in a coordinated attack. I can come up with other nightmare scenarios that have a significant chance of killing people, but frankly see no need to provide the enemies of civilization with more fodder than is already out there.
*and of the list I expect the water supply is the least problematic. The water treatment is usually upstream of the sewage treatment, so you are only dealing with natural contaminants. While you would get some level of sickness and possible death from that, it's western society going after the last 5% of the danger, not taking on the noticeable 30% problem the rest of the world is usually facing.
Thursday 20th October 2011 14:50 GMT Christoph Hechl
OMG how could this happen?
No, i don't mean that FUD about Cyberterorrism, that clearly doesn't exist.
I mean the fact htat amanfromMars 1 made an easily readable comment, and even more worrying: The only comment that made any sense.
I'm not sure if this is an omen, but if so, we can only hope it's a good one.
Friday 21st October 2011 14:40 GMT amanfromMars 1
Calling a spade, a spade, and asking after SpAds in the Cyber Field.
Thank you for that support, and the omens are good for all who are not bad and deserving of, well, let us just leave that hanging there, for it is not a good plan to ever reveal what surprises are on the way, for then is the element of advantage dulled and the fun of supplying just desserts to worthy customers diminished and too easily deflected onto others.
And there is another very informative and revealing comment to be found replying to this El Reg article ..... http://www.theregister.co.uk/2011/10/20/cabinet_office_it_plan/ .... but try as I might, and at the time of this writing are there 6 advertised for reading, do the comments fail to appear.
Maybe the grapevine will not energise itself and El Reg/Kelly Fiveash can fix whatever gremlin is in the works there. Granted the alienated comment is scathing of many who are failing us, but that is no reason for all who exercise their programming here on El Reg not to know of things that they should know about, or at least know of that others are about and have been about and been sharing with government services for more than just a while .... but apparently it has been with petrified puppets unable to respond either with an answer on matters raised or a question on matters proposed.
And whether that be because of ignorance or arrogance or a tall measure of both, matters not really a jot to any who would be free and able to deliver whatever may be, for IT invariably finds its way to wherever IT is needed, and those who would be stuck in the past end up wasting their time and resources on matters of the past, as Future Builders fly way ahead and just leave them behind to their fate and endless struggles in ITs wake.
Thursday 20th October 2011 15:30 GMT Malmesbury
Cyber warfare has already happened -
The Israelis switched off (parts of) the Syrian air defense network, then bombed the hell out of the Syrian copy of the North Korean plutonium producing reactor... According to rumour they switched the systems back on as they left Syrian airspace...
The point being that it will be one of the weapons used in future conflicts. A "cyber only" war is unlikely.
Thursday 20th October 2011 16:38 GMT itzman
Depends on what you mean by war..
As long as the net is only the way you read remote data, them it's at worst an intelligence leak. The moment you use it for remote control, its a potentially subvertible weapon, limited only by the nature of the beast its controlling.
I would expect people who do this routinely, to asses the impact of such subversion, and use at least a strong VPN, or another authentication technology.
Staggeringly enough I imagine that thousands of apps do not.
Thursday 20th October 2011 16:38 GMT Anonymous Coward
until it happens
and then this guy can continue getting paid for having a completely shitty track record. This is like the pundits who went around before Desert Storm saying American Apaches could not operate in the desert because they'd ingest sand in the intakes-made plenty of press from those who wanted an excuse to make the military look stupid. It also gave confidence to the enemy to crawl out of their holes and be easy targets when the simple filters (even partially-in-the-know civilians knew about years ago) were snapped on and Apaches flew with the same success rate as they did elsewhere in the world and slaughtered the Red Guard on the highways.
Either this "expert" has interests (or is being controlled by those who do) in other methods that wants the money that's instead being diverted to cyberwarfare research, is out to convince the populace that "there's nothing to see here", is talking out his @rse, or has worse nefarious reasons.
I've been an "information security enthusiast" since the mid 80's. I can not think of a single "impossible to hack" system or organization that has not fallen-*every* hacker holy grail from the police, to the military, to credit card companies-ALL have been broken into regardless of experts claiming "imperviousness". This was even before everything was web or wireless connected using commodity (and often foreign manufactured) commodity hardware.
Networked, self driving cars are coming. Radio station transmitters are remote controlled. Dams, industrial systems with hazardous chemicals, and more are made vulnerable by their insistence on convenience and remote access. Hospital life support and monitoring systems on wireless systems that don't need physical nearby access. ATC can and *will* be hacked. Power grids too. We've seen in San Bruno what can happen when even a single safety valve is delayed for a second or two from acting. And with the demand for greater convenience, more complex soft systems driving more physical devices, only a fool fails to see the potential threat and fails to work to prevent it.
Makes as much sense as saying the Japanese would never take such a dangerous risk as to launch an attack fleet at Pearl Harbor because they don't have enough troop transports to allow a successful amphibious assault.
Friday 21st October 2011 13:22 GMT El Cid Campeador
To use the aviation analogy-- with "cyberwarfare" (I hate the term, but oh well) we're still in 1914: buzzing around, mostly doing recon, and heaving the occasional brick and/or hand grenade.
That being said, if we persist in keeping our fingers in our ears and singing "LALALALALA--I CAN'T HEAR YOU" and continue connection every stinking thing we own to the Internet, we're setting ourselves up for real disaster, and the longer before it happens, the worse it will be. Unfortunately, I am not optimistic. Mention security to otherwise informed and intelligent people, whether in industry or academia, and you get classified with people who believe in mind rays. Not promising if we're going to fix anything....
Thursday 20th October 2011 18:02 GMT Tom 13
Another fine paper to join a list of famous quotes
Another popular fallacy is to suppose that flying machines could be used to drop dynamite on an enemy in time of war.
— William H. Pickering, Aeronautics, 1908.
To affirm that the aeroplane is going to 'revolutionize' navel warfare of the future is to be guilty of the wildest exaggeration.
— Scientific American, 16 July 1910.
Aviation is fine as a sport. But as an instrument of war, it is worthless.
— General Ferdinand Foch, Professor of Strategy, Ecole Superiure de Guere, 1911.
It is not possible . . . to concentrate enough military planes with military loads over a modern city to destroy that city.
— US Colonel John W. Thomason Jr., November 1937.
Thursday 20th October 2011 18:03 GMT Anonymous Coward
The article is flawed
More and more we are living in an age where machinery is "on-line".
Google and others are experimenting with some measure of success with self-driving cars. These vehicles will have 2-way communications systems both for the computing component and also for media consumption and the passenger's convnience for communicating with others.
In Vancouver here and in other places, self-driving trains. They have a communications component.
Aircraft more and more are taking off, landing and cruising by themselves.
Others have pointed out pacemakers that can be remotely (albeit closely) reprogrammed. How long before they are monitored remotely for malfunction etc... It will happen.
Does anyone really seriously doubt that at some time in the future, some of these systems will fall to some kind of cyber attack if someone seriously wants it to happen? As in all terrorism, it is not constant vigilance that stops more attacks happening. It is the fact that the VAST majority of people would not consider doing it in the first place where life and limb are involved.
Seriously, it will become a bigger and bigger problem as time goes by.