THEWORLDTODAY.

ORG DECEMBER 2010

CYBERSECURITY AND SOCIETY PAGE 19

Claire Yorke, PROGRAMME MANAGER, INTERNATIONAL SECURITY, CHATHAM HOUSE

bigsociety.com
Who is to keep cyberspace safe? Should governments bear the
burden and what can society do to protect against virtual threats?

p EOPLE AROUND THE GLOBE HAVE

benefited in some way from the
expansion of cyberspace and the
opportunities it has provided.
Whether through popular social
networking sites like Facebook,
the increase in online commerce –
apparently accounting for over eight
percent of retail sales in Britain alone – or the
advent of online banking, the internet is now a
fundamental part of everyday life in large parts
Although awareness of these threats is increasing,
much of the current debate is concentrated at the
policy or military level. How then can society as a
whole be informed and prepared to meet this threat
and how can it be encouraged to be part of a
comprehensive solution?

of the world.
The applications of cyberspace are extensive.
Information and communication technologies help
run our transport systems, energy and resource
supplies, and industrial operating systems. Yet with
growing dependency comes greater vulnerability
and risk from insidious individuals who wish to
cause harm, or seek financial or personal gain,
through their actions.
T H R EAT TO A L L
The variety and nature of threats from
cyberspace, and their potential harm, has captured
the attention of policy-makers, politicians and the
media. In cyberspace people can act with relative
impunity, under the shield of anonymity. Threats
can come equally from states, extremist or terror
groups, individual hackers, or organised criminals
– among others – who can wield power
disproportionate to the effort or resources required
in the physical world.
The British National Security Strategy (NSS)

P E T T Y O F F I C E R 2 N D C L A S S N AT H A N I E L M O G E R
THEWORLDTODAY.ORG DECEMBER 2010
PAGE 20

and the Strategic Defence and Security

Review (SDSR) published in October
recognise this and have made it a
government priority to tackle the issue.
The National Security Strategy states that
‘Government, the private sector and citizens
are under sustained cyber attack today, from
both hostile states and criminals.’ It listed
such attacks as a top priority ‘Tier One’ threat
to national security and earmarked just over
$1 billion (£650 million) to counter it; over
$240 million (£150 million) more than
previously anticipated. Over the coming
months these funds will be allocated to
government departments.
However, while work is underway in
Whitehall and the private sector to counter
the threat and devise policy responses, it is
interesting to note that the recent reviews
make little more than passing reference to
the threats to citizens and wider society,
choosing instead to concentrate on
organisational, structural and strategic produce tangible and very real consequences:
priorities. Yet it would be misguided to see cyber malicious spyware can be used to steal personal
security as the sole preserve of policy-makers, data for identity theft; computer viruses can
technologists and the military. disable or corrupt critical national
Cyber security is a universal threat, where no infrastructure, such as power supplies and
one is exempt. It is equally capable of transport networks; and individual hackers can
undermining states and disrupting industry as it hit personal bank accounts for financial gain.
is targeting, exploiting or threatening Most recently, the highly sophisticated and
individuals and their well-being. The challenge complex Stuxnet worm, which was believed to
is to incorporate ordinary people and civil have targeted nuclear facilites in Iran, was a
society into broader policy and communicate prominent example of the potential of cyber
the right information, at the right moment, to attack. And the global figure of one trillion
the wider population. dollars lost annually to cyber crime is more than
enough to make banks and governments take
note of the severity of the threat.
A L L TO O R EA L
One obstacle to this is how cyberspace is seen.
Too much coverage of cyber attacks is anecdotal BALANCE OF BLAME
and portrays cyberspace as a unique and foreign Closing this gap between security in the
environment: a law unto itself. For the most physical and virtual worlds is important not
part, this is not the case. only to find the right responses but also to
In a speech at Chatham House on November encourage a culture in which cyberspace is not
9 the Minister of State for Armed Forces Nick viewed as abstract or remote. Most people
Harvey said that: ‘Wherever he expands his would not leave home with the door unlocked or
dominance, whether it be on land, sea or air, or hand out personal information freely to a
whether it be in cyberspace, mankind carries his stranger, so why should the virtual world be any
essential nature with him.’ This rings true: far different?
from being an entirely separate and distinct The tendency to forget or relax real world
environment, although a virtual one, cyberspace caution in virtual interactions has to be tackled.
is intertwined with reality and human nature. This would become increasingly important if
Actions in the physical world can - and do - the balance of blame were to be shifted for those
translate into the complex environment of who have been targeted.
cyberspace; as demonstated by cyber crime, For example, though institutions and
cyber espionage and cyber theft. And actions industry currently shoulder the financial costs of
within and via the virtual domain can equally cyber crime, there may come a point at which

| INDEPENDENT THINKING ON INTERNATIONAL AFFAIRS

 THEWORLDTODAY.ORG DECEMBER 2010
PAGE 21

cyberspace and high-level cyber crime.

responsibility for personal data and its misuse
moves from organisations and institutions to
the public. After all, it is they who knowingly put
large amounts of their personal information
online in spite of the risks, effectively leaving
‘open doors’ for criminals to gain entry.
This poses interesting questions: if money is
stolen from an online account where there has
been little protection on a personal computer, to
what extent is the bank or the individual liable?
If a computer is unwittingly used by infected
software for broader criminal ends, can its
owner be held responsible? And, is it the
responsibility of the host site or of the individual
concerned, if information posted on social
networking sites enables someone to steal an
identity? These issues will begin to emerge with
greater frequency and should be debated.
Cyberspace is often compared to the
Wild West, yet the Wild West was
eventually tamed. Could the same be said
for cyberspace? There is no doubt it poses
new and interesting challenges and it will
take time to understand these nuances
and develop the right responses.
With the new security and defence
reviews, the government has begun to
improve and implement national
approaches to cyber security. In so doing,
it should not only deal with political and
legal regulation but also a debate social
norms and values to see whether real
world methods of oversight and control
can be applied to cyberspace. The aim
would be to make it less chaotic and
therefore more manageable, producing a
more proportionate assessment of the
threat.
If ordinary people can be included in
the cyber security effort, the task may prove
easier and free scarce government resources.
Indeed, such a step would fit neatly into the
coalition government’s big idea, creating a
virtual bigsociety.com.
INFORMATION ON THE INTERNATIONAL SECURITY
PROGRAMME’S CYBER SECURITY PROJECTS:
WWW.CHATHAMHOUSE.ORG.UK/RESEARCH/SECURITY

IMPOSING ORDER
Reliance on cyberspace is only likely to
increase while the capacity of governments and
industry to tolerate and shoulder the risk
diminishes. Promoting greater awareness and
individual responsibility is important not just
for its own sake but as part of dealing with a
much broader threat.
If certain vulnerabilities can be handled by
ordinary people, through better protected
computers, anti-virus software, and a more
cautious approach to providing personal data, it
should mean that more resources and scarce
funds can be directed at the higher and more
serious end of the threat: warlike actions in