Cybersecurity isn't a border-based threat, it's a viral threat

Much like Moore's Law has provided a reliable pattern to chart the steady growth of computing capacity and decline in prices, the same precept could apply to the tools of weaponry in the digital age.

So argued Ben Hammersley, an editor at large with Wired UK magazine and the U.K. prime minister's ambassador to East London Tech City, the main technology hub in the English capital.

In a presentation that touched on the evolving nature of cyber threats here at the Brookings Institution, Hammersley contended that the traditional notion of warfare among nation-states is rapidly becoming obsolete as acts of kinetic aggression are being replaced by online crimes and other disruptions that can be perpetrated by individuals or small groups.

Moreover, high-end technologies that originate in government labs or the military eventually become commodities, a process of democratization that figures to significantly broaden access to tools like drones or biological synthesis applications, just as the code to launch a denial of service attack can easily be downloaded online.

The result of this Moore's Law progression, Hammersley said, will be a "constant state of asymmetric warfare."

Cutting by half the price of technologies that can be used for destructive purposes every 12 to 18 months, as Moore's Law would have it, will demand that policymakers rethink the core principles of national security, which would entail a reassessment of both the likely perpetrators and targets of an attack. A sober assessment of the changing threat landscape would shift some of the national security focus away from acts of war emanating from nation-states toward criminal activity and scammers, Hammersley said.

"And yet we seem to spend an awful lot [more] time thinking about China, for example, turning off the power grid and rolling their tanks ...westwards across the Mongolian steppe, than we worry about the mafia stealing blueprints or Nigerian banks phishing for credit cards," he said. "One of those is very, very present, and very damaging and the other one is an entertaining reason to spend billions of dollars."

Too often, though, the response from senior government officials is rooted in the traditional military model, recalling the old saying about generals continually fighting the last war while ignoring the strategic implications of new technological advances.

Applied to cybersecurity, Hammersley said, that thinking is "based on entirely the wrong metaphor, entirely the wrong framing. It's not a border-based threat, it's a viral threat."

As a viral issue, the corrective approach should be "epidemiological," and we should start thinking of "botnets as bird flu," he argued.

That approach would necessitate an address of the causes of the attacks, rather than confining the focus to hardening defenses and preparing for counterattacks. After all, if the threat is ambient, simply angling to shore up perimeter defenses is a losing strategy.

To a great extent, Hammersley argued, that will require social-justice initiatives that address the underlying challenges of inequality and the sense, embodied in the "Occupy" movement, that the game is rigged against the individual of modest means.

Asked about the emerging profile, to the extent that one can be drawn, of the future cyberattacker, Hammersley identified "the incredibly annoyed middle class white guy."

"The people I'm most scared of over the next few years will be the computer engineer in the suburbs who can't pay his mortgage anymore and freaks out," he said.

"If you're going to spend your entire time chasing the technological possibilities of something bad happening, you're missing the point," he said. "The point is it's the social causes of those bad things happening that are things that we can fix. That's what government can do."

For Hammersley, that encompasses effective oversight of large corporate institutions. He pointed to the recent revelations about Barclays bank having manipulated the Libor, the benchmark interest rate of London's interbank market, provocatively suggesting that it could be considered the "greatest piece of cyberwarfare ever."

"It isn't hyperbole at all I don't think to say that Barclays fixing the Libor was a form of warfare. Whether it counts as warfare under the Geneva Convention is effectively irrelevant," he said. "The effect was much the same -- they did a thing that made life radically worse for millions of people. And they did it on purpose."

He added, "Now if that had been done by Iran, say, rather than by Barclays bank, it would have been considered a major act of war."

In keeping with his thesis about the waning power of the traditional nation-state, defined by a central government and clear territorial borders, Hammersley suggested that countries consider designating ambassadors to sprawling global companies like Google, Facebook and Wal-Mart. After all, for a country with a limited budget for fielding diplomatic missions, does it make more sense to forge a close relationship with the Maldives or ExxonMobil?

"The fact that one is a nation-state and the other one is a multinational corporation is really just a matter of definition," he said.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for

Follow everything from on Twitter @CIOonline, on Facebook, and on Google +.

Read more about cybercrime in CIO's Cybercrime Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

More about FacebookGenevaGoogleWal-Mart

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth Corbin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place