OECD’s Report on Cyber Attack a Call to Heed, Deloitte Says

Lucas Gilmore, “Big 4″ observer
January 17, 2011 /

The Organisation for Economic Co-operation and Development’s (OECD) study released January 17 watered down the likelihood of massive risks from cyber attack onto the national systems following the Stuxnet computer worm that infested the nuclear program of Iran, saying governments still ought to focus attention on malware and espionage.

Graeme Matthews, cybersecurity partner at Deloitte, said the report is “right to take a balanced view of the consequences of cyber incidents” He added that using an “exaggerated language” like cyber attack to describe this online phenomenon “rolls all activities from recreational hacking to a state-sponsored denial of service together” which wipes away the probability of making an analysis of the level of activity.

According to OECD’s report, the risk of cyber attack on national systems have been exaggerated because they are low levels and are not likely to cause long-term disruptions but instead an inconvenience only.

“There are many scare stories, which, when you test, don’t actually pan out,” co-author Peter Sommer of the London School of Economics said, adding that analyses of several types of malware often lead to conclusions that they are either short-term or a failure.

Sommer went on to say that sophisticated malware like Stuxnet is an exception rather than the rule.

Stuxnet, a malware that has put the Iran nuclear activities to a halt, has been revealed by intelligence officials from the US military to have been created by Israel and USA in a testing ground at Dimona, Israel where the two countries collaborated efforts to test its effectiveness by applying it on an imitated nuclear centrifuges similar to what Iran has in its base in Natanz.

The malware has been identified by the Iranian government in June 2010 that uses the Siemens Supervisory Control and Data Acquisition (SCADA).

“The issue of online identification of individuals and servers is one area where more rigorous identity management will be needed if fundamental technical security weaknesses are to be addressed. For critical national infrastructure organisations such as energy and transport, there can be a tension between the needs of the company’s shareholders and wider society where costs arise to defend against cyber threats,” Matthews said.

The challenge of who will fund the measures to be taken to boost security measures against the perceived cyber attack is of great importance, he added.

“However, for individuals and organisations, making sure that fundamental security measures are in place remains as important as ever. It is still important to cover all aspects of security including people and buildings. The report highlights the continued and growing threat of disruption.”

 

Share your opinion