My interest was stimulated in the mid-1990s when I was asked to advise solicitors
to a 16-year-old North London schoolboy accused of masterminding a global hack into
sensitive USAF, military suppliers and other websites. His co-conspirator, 19 years
old, had an obsession with Area 51, the supposed US location of alien space ships.
Their activities was the subject of US Senate hearings as an exemplar of what was
then called “Information Warfare.” This was the point at which analysts spoke of
an Electronic Pearl Harbor. The contrast between what the actual evidence showed
and the initial fears of the US authorities of attack from Eastern Europe and Korea
was vast. Later I met both the UK and US investigators.
Public interest in the topic waned until 2007 when Estonia was temporarily threatened
by a cyber attack.
Today my main research concerns are:
Problems of attribution How do you work out who is attacking you? And how much
confidence can you have in your conclusions?
Cyberweaponry capabilities What is actually required in the design and deployment
of a cyberweapon? What technical knowledge and intelligence about a target is needed
for success? Which cyberweapon scare stories can we dismiss?
Language Is it reasonable to talk about “Cyber War” when most events wouldn’t qualify
for “war”? Does the use of language mislead us into the nature of the problems?
Are we over-emphasising the role of the military as opposed to technical computer
security, contingency planning and public education?
Cyber disaster scenarios How serious and viable are the various scare stories
of projected cyber-triggered events?
Evaluation of accounts of alleged cyber attacks and cyber attack statistics The
public and politicians are much influenced by accounts of cyber attacks and statistics,
but how accurate are they? What is the evidence for the anecdote, how was the
evidence acquired and who is providing it? What are the statistics claiming to
measure? How is the data being collected? If an anti-malware product registers
and repels a virus: does that count that as an “attack”? Are the conclusions supported
by the research methodology?
Cyber Security Policy: International and National Nearly all nations countries
are evolving security policies. What do they think the problems are and how should
they be addressed? Is national cyber security a task for the military, for the
electronic intelligence agencies, for the police, for private sector critical national
infrastructure companies? Can you rely on a doctrine of deterrence if you know you’ll
have difficulty in being sure you know who is attacking you? What are the issues
of developing an offensive cyber attack capability? When and under what circumstances
would it be deployed? Is the “Internet Off Switch” a viable defence route? Can
you create a national cyber filter to repel attacks? What are the practical problems
of Public/Private Partnerships when the main duty of a privately owned company is
to produce profits for its share-holders as opposed to securing a nation state? What
is the role of public education? Is an international treaty a feasible aim or should
nation concentrate on establishing accepted norms of cyber behaviour?