At the suggestion of our own Jack, I had a quick read through a document just released by the OECD: "Reducing Systemic Cybersecurity Risk".
It is a study conducted by two researchers – Peter Sommer of the LSE and Ian Brown of the Oxford Internet Institute – as part of a broader OECD research project on "future global shocks". Sommer and Brown in fact assessed the possibility that a shock on a global scale could result from one or more "cyber events".
I do not have the technical expertise needed to give a serious judgement on the paper in question – which is why I leave the assessment to those who know the subject – but I was struck by a few passages from the conclusions (which I reproduce below):
"The remarkable speed of change in the cyberworld – hardware, software, interconnectivity – and the ever-new social, cultural and economic structures being created – makes it essential that there is frequent re-assessment of the associated patterns of threat. Unfortunately too many published assessments have favoured sensationalism over careful analysis. To understand potential problems, particularly large-scale ones, requires more than simply identifying potential vulnerabilities. An examination of all the necessary elements of a crime, attack or catastrophe is required, in addition to consideration of the processes of prevention, mitigation and recovery. Risks have to be properly assessed and then managed.
(…) contrary to many assertions and on present information, few single foreseeable cyber-related events have the capacity to propagate onwards and become a full-scale "global shock". One would have to contemplate a hitherto unknown fundamental flaw in the critical technical protocols of the Internet and over which agreement for remedy could not be quickly reached. Or a succession of multiple cyber-attacks by perpetrators of great skill and determination who did not care if their actions cascaded beyond their control and consumed both them and the constituency from which they came. Or an exceptionally strong solar flare coupled with a failure adequately to protect key components.
(…) A pure cyberwar, that is one fought solely with cyber-weapons, is unlikely. On the other hand in nearly all future wars as well as the skirmishes that precede them policymakers must expect the use of cyberweaponry as a disrupter or force multiplier, deployed in conjunction with more conventional kinetic weaponry. Cyberweaponry of many degrees of force will also be increasingly deployed and with increasing effect by ideological activists of all persuasions and interests.
Our main reasons for reaching these conclusions are: that the Internet was designed from the start to be robust so that failures in one part are routed around; that in most cyber-events there is no loss of physical resource; that historically, solutions to discovered flaws in software and operating systems and/or the emergence of new forms of malware have been found and made available within a few days; that few single DDoS attacks have lasted more than a day; that many government departments and major businesses and organisations have ICT-related back-up and contingency plans; and many of the networks transmitting the most important data, for example about world financial transactions, are not connected to the Internet, use specialised protocols and equipment, and have reasonably strong levels of access control. Any successful compromise requires insider knowledge – and the response to that is better vetting procedures, not specialist technology.
(…) In terms of cyber attacks the one overwhelming characteristic is that most of the time it will be impossible for victims to ascertain the identity of the attacker – the problem of attribution. This means that a defence doctrine based on deterrence will not work. In effect, one has to look to resilience so that when attacks succeed, societies can absorb and recover."