Friday, December 18, 2009

McAfee's Virtual Criminology Report 2009

I set aside some time this week to read the McAfee Virtual Criminology Report 2009 [pdf]. It has a provocative sub-title "Virtually Here: The Age of Cyber Warfare" that caught my eye. So, what was useful in there for me?

As the foreword (by CEO of McAfee) already points out, politically motivated cyber attacks are on the rise and the term cyber crime is not fit to describe them well. The foreword also makes the important point that this report comes from a private sector perspective, unlike the usual government/military perspectives on cyber warfare. As it turns out later, however, it is more of a broad spectrum overview that doesn't really focus on any special sector or issue.

The report gives a short overview of the events in Estonia 2007, Georgia 2008 and US/South Korea 2009. The Georgian overview is based on the US Cyber Consequences Unit overview [pdf], which is the public high-level summary of a more detailed report.

Of more interest is the method for cyber attack attributes that is presented on pages 8-9. Experts will assign values to a cyber conflict in four categories to determine the severity of the event (no reference):
"Source: Was the attack carried out or supported by a nation-state?
Consequence: Did the attack cause harm?
Motivation: Was the attack politically motivated?
Sophistication: Did the attack require customized methods and/or complex planning?"
They have provided a table for assigning values and have applied the model on the three conflicts mentioned earlier, providing a bar graph. I have done similar work in my Master's studies. In retrospect, it is only of limited use, because the values are highly subjective and in the end - it does not prove anything.

The report also mentions many well known issues in cyber conflict, including:
  • many nations are preparing for cyber war, but covertly
  • criminals and politically motivated attackers use the same tools and techniques
  • criminal groups may cooperate with governments
  • financial and other critical information infrastructure is at high risk
  • sharing threat information is good
  • there is a need for a public debate about the use of cyber weapons
  • the attribution problem and a nice intro to the cyber deterrence issue
  • the need for updated legal measures
  • cyber espionage
  • etc.
On one hand, this report should bring little new information for the experts and researchers that focus on the issue. It uses little or no quality (written) references, but this issue is balanced out with the number of expert interviews and direct quotes. Therefore, I thought it was nice to read, but I found nothing really provocative in there.

On the other hand, however, I find that it does a very good job as an introduction to the whole cyber conflict issue for non-specialist readers. If you need to convince your boss or your grandmother that cyber conflicts should be studied - have them read this report.

No comments:

Post a Comment