It's no secret that the old world of circuit-switched networks is moving to IP-based networks, but the shift opens up opportunities for cyberwarfare, according to a new report by Gartner Inc.
The major cause of concern is that IP is less secure than old circuit-switched networks, said David Fraley, a principal analyst at Gartner and author of the report, which is titled "Cyberwarfare: VoIP and convergence increase vulnerability."
"IP was created as a simple, lightweight protocol to solve some communication issues," he said, noting that security wasn't a major concern at that time.
Fraley said that there is a notable difference between standard hacking attacks and cyberwarfare. The latter involves attacks on infrastructure that will likely affect many more people than just one company. For example, cyberwarfare targets might include systems that control the power grid, not an individual company's voice over IP system, he said.
The methods of attack, however, wouldn't be all that different. For example, a denial-of-service attack, a technique commonly used by attackers today, can be very effective against voice over IP connections.
"Just a one-quarter to one-half-a-second delay in a VoIP connection [can] be quite disruptive," Fraley said.
The move to IP-based networks also means that they are susceptible to vulnerabilities found in IP-based services and protocols. Just last week, a serious flaw was announced in H.323, a standard used for voice over IP. The flaw affected not only a host of voice over IP products but also Microsoft's Internet Security and Acceleration (ISA) Server 2000.
Experts say that companies shouldn't become overly concerned about cyberwarfare. "Should companies double their security spending? The answer is 'no,' but they should be aware of cyberwarfare as a possibility," Fraley said.
In other words, the risk of falling victim to cyberwarfare is still very low, so taking a lot of steps to protect oneself is probably not necessary. It should, however, be a consideration when companies assess their risks and create contingency plans to address their exposure.
More specifically, companies need to figure out what they would do if their country comes under a prolonged attack that disrupts services. Many companies already have plans in place for natural disasters, but cyberwarfare attacks require extra considerations. For example, a hurricane may knock out a company's network along the Florida coast. In such a case, the company could make arrangements for its traffic to be routed through its Arizona network.
The goal of people involved in cyberwarfare is to disrupt services across the country, so rerouting network traffic to another region wouldn't be as useful, Fraley said. But unlike a hurricane in Florida, a cyberwarfare attack is not very likely. Companies should realize they may not be able to do much to protect themselves.
"Preparation for a cyberwarfare attack must be proportional to the perceived risk," Fraley wrote in his report for Stamford, Conn.-based Gartner. "Most security technology, when used in conjunction with 'best practices,' is appropriate to the proportional risk presented by the threat of cyberwarfare."