A ZDNet article, “Cyber-war risk is exaggerated, says OECD study”, points to what seems to be a thorough study that reached the stated conclusion. I never read this study, but from the article one can point out one point on which it is probably right and one point on which it is probably wrong.
The article starts by saying:
“While governments need to prepare for cyberattacks such as espionage or malware, the likelihood of a sophisticated attack like Stuxnet is small, according to a study by the Organisation for Economic Co-operation and Development.”
Some explanation follows:
“Sophisticated malware such as Stuxnet, […] is the exception, not the norm, according to Sommer. Stuxnet used a number of zero-day vulnerabilities to target programmable logic controllers […]”
I hope the full report holds a more convincing explanation of why Stuxnet should be considered a singular, non-repeating incident rather than the mark of a new era. The likelihood of a Stuxnet-like attack was never small, even before Stuxnet emerged. It is certainly not small now that we have seen it can be done in practice. Given that some entities have both the motivation and the capability, as Stuxnet demonstrated for one entity (or a group of entities), stating that the recurrence of this attack is unlikely raises questions. If someone knows how to do it once, he will know how to do it again, and others probably know too. Of course Stuxnet is an exception rather than a norm, but isn’t this the case for essentially everything new?
The fact that Stuxnet used a few zero-day exploits does not make it less likely to recur. There are two things to keep in mind in this respect. First, the supply of zero-day exploits is constantly refreshing itself. As our systems grow more and more complex, and as there is no clear commercial incentive to make them any safer, zero-days will be out there. If there are no zero-days for this release today, there may be for the next release. Second, the use of several zero-day exploits was a strong bonus for the stealth of Stuxnet, but it was never a prerequisite. Even known vulnerabilities are often left unpatched, especially in unconnected industrial systems, which usually run old versions of code for the sake of stability and certification.
On the other hand, Professor Peter Sommer did come up with an accurate phrase pointing out a phenomenon. When referring to the statistical measurements that fuel the cyber-security hype, he said:
“If you use exaggerated language, you’re highly unlikely to come up with good risk analysis and management.”
This could not have been worded better. In an attempt to raise awareness of the subject, so-called empirical evidence is presented according to which cyber warfare is here every day. Reports claiming that a government is subjected to thousands of cyber-attacks per month usually count every simple attempt, likely made by an unattended tool or bot, as a cyber-attack taking place. Send a certain packet to the firewall of a government agency and the firewall will just drop it immediately, as it does with some packet every other minute, but you have just counted yourself as a cyber-attacker, a cyber-terrorist, or any other cyber-bad-guy, depending on the agency that presents the statistics.
Truth is, cyber-war needs to be considered a threat, and protection measures need to be funded, today. Yet no empirical results can show that we are in cyber-wars today, because we are not. A bunch of script-generated attacks against the Internet-facing web server of a ministry or of the army, with no implications for national resilience, is not cyber-war. A plain vanilla denial-of-service attack against a bank, from which the bank recovers in a day, is not cyber-war either. If there is cyber-war, then it started either with Stuxnet or with other activities, the implications of which we have yet to learn.
Cyber-war is real, and it has to be demonstrated and treated seriously, with a qualitative (rather than quantitative) approach: by analyzing the impacts we cannot yet see, not by misusing the term so that all visible evils of the Internet map onto it.
Maybe the risk of cyber-war is not exaggerated, but the means to demonstrate it certainly are.