On Monday, the UK government published its new national security strategy (PDF). This outlines the current and emerging security threats to UK national interests, ranked by priority based on likelihood and impact. What caught my attention was the fact that the Tier 1 (highest priority) threats include:
'Hostile attacks on UK cyber space by other states and large scale cyber crime'
Until fairly recently, the threat of cyberwarfare has mainly been discussed in defence and security journals (see 'Evaluating Cyber Security', Digital Battlespace, Aug 2009), but there has been a growing focus on this in the mainstream media (although whether this is due to an increasing threat or an increasing media appetite is subjective).
However, recent events have shown that it is now possible for cyberwarfare attacks to be directed at specific targets, rather than being undirected and indiscriminate. This has been illustrated by the Stuxnet worm incident, which has been alleged to be a state-directed cyber attack ('Stuxnet worm heralds new era of global cyberwar', The Guardian).
Cyberwarfare provides the potential to bypass a nation's conventional forces and strike at specific targets, including critical national infrastructure, whilst remaining invisible and providing the prospect of plausible deniability. The types of cyberwarfare threats were discussed by Iain Lobban, Director of the UK's GCHQ security agency, in an unusual public speech.
The UK government's response will be to invest £500m in cyber defences to bolster the UK's critical national infrastructure. At present, few details have emerged on how this will be implemented or how the security of systems will be evaluated. However, if you're using a system which has undergone a security evaluation under conditions which assume that it's connected to a benign network, then you might as well shut down and pull out your network card now. Instead, we should be basing our critical national infrastructure systems on platforms which are designed to achieve the highest levels of assurance with real-world protection profiles and be resilient against network-based attacks.