As Jason Healey, senior fellow at the Atlantic Council, put it, “cyber deterrence is working. They (hostile nation states) haven’t attacked our cyber systems for many of the same reasons they haven’t sent nuclear-tipped missiles: They have no reason to unless the world is in a serious crisis, not least because they know there would be a dangerous counterattack from the U.S.”
Indeed, there is general agreement that destructive cyber attacks are unlikely unless hostile nations are heading into war – an armed conflict.
“If any large country truly becomes a national security threat to another large country it may well be far more likely than it would be in today's climate,” Di Bello said. “Barring that, it would be unlikely.”
For that reason, major cyber attacks are much more likely in areas where there is already armed conflict, or the potential for it. Robert M. Lee, cofounder of Dragos Security and a former U.S. Air Force cyber warfare operations officer, noted that the attack on Ukraine’s grid, widely attributed to Russia, was “simply an extension of what was going on with the military.”
That, he said, would increase the likelihood of attacks between countries like North and South Korea, or between Iran and Israel – “traditional conflict areas,” as he put it.
Of course that leaves out terrorist organizations that don’t represent any nation state and which give no indication that it would trouble them at all to take down the world economy.
But Lee and other experts said this week that smaller organizations – even lethal terrorist groups like ISIS – don't have the same capability as nation states. They say while the U.S. grid and other industrial control systems (ICS) have significant weaknesses – and U.S. adversaries are constantly probing those weaknesses – launching an effective, sustained attack is not as easy as some people, including high government officials, suggest.
“It is significantly more difficult to do a high-confidence attack on ICS than people think,” Lee said. “It doesn’t just involve the cyber component – it’s the engineering piece as well.”
Al Berman, president of the Disaster Recovery Institute, agreed. He said one reason is that, over the past decade, there has been “tremendous sharing” about threat information among utility companies. The ICS ISAC (Information Sharing and Analysis Center) is “enormously strong,” he said.
A second is that most ICSs are not completely automated. “The big ones still require manual intervention,” he said. “There are manual bypasses occurring all the time – people are manning centers around the clock.”
That, he said, makes it more difficult for attackers to get control of a system remotely.