Risks of cyber war 'over-hyped' says OECD study Published duration 17 January 2011

image caption A huge solar flare could give rise to a global cyber shock, warns the report

The vast majority of hi-tech attacks described as acts of cyber war do not deserve the name, says a report.

The Organisation for Economic Cooperation and Development study is part of a series considering incidents that could cause global disruption.

While pandemics and financial instability could cause problems, cyber attacks are unlikely to, it says.

Instead, trouble caused by cyber attacks is likely to be localised and short-lived.

However, it warns that governments need to plan for how it could mitigate the effects of both accidental and deliberate events.

'Great confusion'

Attempts to quantify the potential damage that hi-tech attacks could cause and develop appropriate responses are not helped by the hyperbolic language used to describe these incidents, said the OECD report.

"We don't help ourselves using 'cyberwar' to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks," said Professor Peter Sommer, visiting professor at LSE who co-wrote the report with Dr Ian Brown of the Oxford Internet Institute.

"Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure," added Prof Sommer.

The report acknowledged the risk of a catastrophic cyber incident, such as a solar flare that could knock out satellites, base stations and net hardware, but said that the vast majority of incidents seen today were almost trivial in comparison as they did not last long and only hit a few people or organisations.

Attempts to decide how to deal with the wide variety of potential attacks and attackers were being hampered because words used to describe incidents meant different things to different groups.

For instance, it said, an "attack" could mean phishing e-mails trying to steal passwords, a virus outbreak or a concerted stealthy attempt to break into a computer system.

"Rolling all these activities into a single statistic leads to grossly misleading conclusions," said the report. "There is even greater confusion in the ways in which losses are estimated."

The report also played down the risk of a conflict between nation states being played out over the net.

"It is unlikely that there will ever be a true cyberwar," said the report, most likely because no aggressor would stick to one class of weaponry. Also, it said, existing defences and the unpredictable effects of such an attack could limit its effectiveness.

However, it noted, that even if a cyberwar is unlikely to ever happen, there was no doubt that the weapons used in such a theatre of war were becoming ubiquitous and would likely be used in the future alongside conventional weapons as "force multipliers".

Under the heading of cyber weapons the report included viruses, worms, trojans, distributed-denial-of-service using botnets and unauthorised access to computers ie hacking.

Finally, it said, while the net may be a vector for attack it might also help in the event of a large-scale event.

"If appropriate contingency plans are in place, information systems can support the management of other systemic risks," it said.